CVE-2023-26153

8.3 HIGH

📋 TL;DR

CVE-2023-26153 is a command injection vulnerability in geokit-rails Ruby gem versions before 2.5.0. Attackers can exploit unsafe YAML deserialization in the 'geo_location' cookie to execute arbitrary commands on the host system. Any Rails application using vulnerable versions of geokit-rails with the IP geocoding feature enabled is affected.

💻 Affected Systems

Products:
  • geokit-rails Ruby gem
Versions: All versions before 2.5.0
Operating Systems: All operating systems running Ruby/Rails applications
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the IP geocoding feature when processing the 'geo_location' cookie. Applications must be using geokit-rails with IP geocoding enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing remote code execution as the application user, potentially leading to data theft, lateral movement, or complete server takeover.

🟠 Likely Case

Remote command execution allowing file system access, data exfiltration, or installation of backdoors/malware.

🟢 If Mitigated

No impact if proper input validation and safe deserialization practices are implemented.

🌐 Internet-Facing: HIGH - Exploitation requires only a malicious cookie value sent to a vulnerable endpoint, so internet-facing applications are particularly exposed.
🏢 Internal Only: MEDIUM - Internal applications remain vulnerable, but exploitation requires access to the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: the attacker places a crafted YAML payload in the 'geo_location' cookie. A public proof-of-concept demonstrates command injection via YAML deserialization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.0

Vendor Advisory: https://github.com/geokit/geokit-rails/security/advisories

Restart Required: Yes

Instructions:

1. Update the Gemfile to require 'geokit-rails', '>= 2.5.0'.
2. Run 'bundle update geokit-rails'.
3. Restart the Rails application server.

🔧 Temporary Workarounds

Disable IP geocoding feature


Temporarily disable the vulnerable IP geocoding functionality until patching is possible.

# In Rails configuration, disable IP geocoding
# config/initializers/geokit_config.rb
Geokit::Geocoders::ip_provider = :none

Cookie validation middleware


Add middleware to sanitize or reject malicious 'geo_location' cookie values.

# In application_controller.rb or middleware
# Denylist check for the two YAML tags named in this advisory. It is a stop-gap only:
# a denylist does not cover every tag Psych will resolve to a class, so upgrading to
# 2.5.0 remains the only complete fix.
before_action :validate_geo_cookie

def validate_geo_cookie
  value = cookies[:geo_location]
  return unless value.is_a?(String)

  # Drop the cookie so geokit-rails falls back to the IP geocoding service
  cookies.delete(:geo_location) if value.match?(%r{!ruby/(object|module)}i)
end
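Added example, not code from geokit-rails or from this advisory: the unrestricted loader that models the pre-2.5.0 handling of the cookie next to an allowlist-based loader that revives only the location class, which is the safe-deserialization shape the mitigation text calls for (the page does not state the exact call 2.5.0 uses). GeoLoc and AuditNote are constructed stand-ins for the gem's Geokit::GeoLoc and for an arbitrary class; on Psych 4 and later (Ruby 3.1+) YAML.load is already restricted, so the 'before' loader calls unsafe_load where it exists.

```ruby
require "yaml"

# Constructed stand-in for Geokit::GeoLoc (the real class lives in the geokit gem).
class GeoLoc
  attr_accessor :lat, :lng, :city, :country_code
  def initialize(lat: nil, lng: nil, city: nil, country_code: nil)
    @lat, @lng, @city, @country_code = lat, lng, city, country_code
  end
end

# Constructed harmless class that a cookie must never be allowed to revive.
class AuditNote
  attr_accessor :text
end

# 'Before' behaviour (geokit-rails < 2.5.0): the raw cookie string goes to the
# unrestricted loader, so whatever class a !ruby/object tag names is instantiated.
def load_geo_cookie_unsafe(cookie_value)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(cookie_value) : YAML.load(cookie_value)
end

# Hardened loader: an allowlist of exactly one class, no aliases, and a type check
# on the result. Anything else yields nil so the caller falls back to the IP
# geocoding service instead of trusting the cookie.
def load_geo_cookie_safe(cookie_value)
  return nil unless cookie_value.is_a?(String)
  obj = YAML.safe_load(cookie_value, permitted_classes: [GeoLoc], aliases: false)
  obj.is_a?(GeoLoc) ? obj : nil
rescue Psych::Exception # covers DisallowedClass, BadAlias and SyntaxError
  nil
end

# Constructed cookie values for a local run.
LEGIT_COOKIE   = YAML.dump(GeoLoc.new(lat: 48.8566, lng: 2.3522, city: "Paris", country_code: "FR"))
FOREIGN_COOKIE = YAML.dump(AuditNote.new.tap { |n| n.text = "not a location" })

if __FILE__ == $PROGRAM_NAME
  puts "safe   legit   -> #{load_geo_cookie_safe(LEGIT_COOKIE).city}"      # Paris
  puts "safe   foreign -> #{load_geo_cookie_safe(FOREIGN_COOKIE).inspect}" # nil
  puts "unsafe foreign -> #{load_geo_cookie_unsafe(FOREIGN_COOKIE).class}" # AuditNote
end
```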

🧯 If You Can't Patch

  • Implement WAF rules to block requests containing suspicious YAML patterns in cookies
  • Restrict application server permissions to limit damage from successful exploitation

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock or run 'bundle show geokit-rails' to see the installed version. If the version is below 2.5.0 and the application uses IP geocoding, it is vulnerable.

Check Version:

bundle show geokit-rails | grep -o 'geokit-rails.*'

Verify Fix Applied:

Verify geokit-rails version is 2.5.0 or higher using 'bundle show geokit-rails' or check Gemfile.lock.

📡 Detection & Monitoring

Log Indicators:

  • Unusual system commands in application logs
  • Errors from YAML parsing of cookie values
  • Failed command execution attempts

Network Indicators:

  • HTTP requests with specially crafted 'geo_location' cookie containing YAML payloads

SIEM Query:

source="application.log" AND ("!ruby/object" OR "!ruby/module" OR "system(" OR "exec(") AND cookie="geo_location"
