CVE-2020-8165
📋 TL;DR
This vulnerability allows remote code execution in Ruby on Rails applications that use MemCacheStore or RedisCacheStore for caching. Attackers can exploit deserialization of untrusted data to execute arbitrary code on affected systems. Applications running Rails versions earlier than 5.2.4.3, or 6.0.x versions earlier than 6.0.3.1, with these cache stores are vulnerable.
💻 Affected Systems
- Ruby on Rails
📦 What is this software?
Leap by Opensuse
Rails by Rubyonrails
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining remote code execution, potentially leading to data theft, lateral movement, or complete system takeover.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and potential pivot to other systems in the network.
If Mitigated
Limited impact with proper network segmentation, minimal privileges, and monitoring in place, though RCE would still be possible.
🎯 Exploit Status
Exploitation requires the attacker to be able to send malicious cache data to the vulnerable cache store endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rails 5.2.4.3, Rails 6.0.3.1
Vendor Advisory: https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
Restart Required: Yes
Instructions:
1. Update the Rails gem to version 5.2.4.3 or higher for Rails 5.2.x, or 6.0.3.1 or higher for Rails 6.0.x.
2. Update Gemfile to specify the patched version.
3. Run bundle update rails.
4. Restart the Rails application server.
🔧 Temporary Workarounds
Switch to alternative cache store
Temporarily switch from MemCacheStore or RedisCacheStore to a non-vulnerable cache store like FileStore or MemoryStore
# In config/environments/production.rb
config.cache_store = :file_store, 'tmp/cache/'
🧯 If You Can't Patch
- Implement strict network controls to limit access to cache store endpoints (typically TCP ports 11211 for Memcached or 6379 for Redis)
- Monitor cache store access logs for unusual patterns and implement rate limiting on cache operations
🔍 How to Verify
Check if Vulnerable:
Check the Rails version in Gemfile.lock or run 'rails --version' and verify whether it is below 5.2.4.3 (5.2.x) or below 6.0.3.1 (6.0.x). Also check whether the config files select MemCacheStore or RedisCacheStore.
Check Version:
rails --version
Verify Fix Applied:
Verify Rails version is 5.2.4.3+ or 6.0.3.1+ and restart application, then test cache functionality remains working.
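One way to script the two checks above (locked version plus configured cache store), as an added example that is not part of the original advisory or of Rails. The helper names, the sample Gemfile.lock and the sample config text (including the Redis hostname) are constructed for illustration; matching the `activesupport` gem as well as `rails` is an assumption based on the cache stores living in ActiveSupport.

```ruby
require "rubygems" # Gem::Version; loaded by default, explicit for clarity

FIXED_52 = Gem::Version.new("5.2.4.3")
FIXED_60 = Gem::Version.new("6.0.3.1")
AFFECTED_STORES = %w[mem_cache_store redis_cache_store].freeze

# Constructed sample inputs (not taken from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (6.0.3)
LOCK
SAMPLE_CONFIG = <<~RB
  # config.cache_store = :mem_cache_store
  config.cache_store = :redis_cache_store, { url: "redis://cache.example.internal:6379/0" }
RB

# Resolved versions sit at four spaces of indent; dependency lines are deeper.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}(?:rails|activesupport) \(([^)\s]+)\)$/)
  m && Gem::Version.new(m[1])
end

# 6.0.x (prereleases included) needs 6.0.3.1; everything else needs 5.2.4.3.
def patched?(version)
  return version >= FIXED_60 if version.segments.first(2) == [6, 0]
  version >= FIXED_52
end

# Affected stores selected on uncommented config lines.
def configured_affected_stores(config_text)
  active = config_text.lines.reject { |l| l.strip.start_with?("#") }
  stores = active.join.scan(/config\.cache_store\s*=\s*:(\w+)/).flatten
  stores & AFFECTED_STORES
end

def assess(lockfile_text, config_text)
  version = locked_rails_version(lockfile_text)
  return :unknown_version if version.nil?
  return :patched if patched?(version)
  configured_affected_stores(config_text).empty? ? :unpatched_store_not_configured : :vulnerable
end

puts assess(SAMPLE_LOCK, SAMPLE_CONFIG) if __FILE__ == $PROGRAM_NAME
```

A cache store chosen at runtime (for example from an environment variable or an initializer) will not match the config pattern, so treat `:unpatched_store_not_configured` as a prompt to review the configuration by hand rather than as a clean result.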
📡 Detection & Monitoring
Log Indicators:
- Unusual cache store access patterns
- Errors in Rails logs related to cache deserialization
- Unexpected process execution from Rails application
Network Indicators:
- Unusual traffic to Memcached (port 11211) or Redis (port 6379) endpoints
- Suspicious payloads in cache store communications
SIEM Query:
source="rails.log" AND ("cache_store" OR "MemCache" OR "RedisCache") AND ("deserialization" OR "marshal" OR "unmarshal")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
- https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c
- https://hackerone.com/reports/413388
- https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html
- https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/
- https://www.debian.org/security/2020/dsa-4766
- https://security.netapp.com/advisory/ntap-20250509-0002/