Alert over RCE vulnerability in Slanger Pusher server

A newly discovered critical vulnerability in Slanger, an open source implementation of the Pusher server, has left hundreds of websites exposed to attack until they are patched.

The remote code execution (RCE) vulnerability in Slanger 0.6.0 was uncovered by security researcher Pieter Hiele.

The flaw arises from unsafe deserialization of Ruby objects: bytes controlled by a remote client are fed to Ruby's native object deserializer, which lets the sender choose which classes the server instantiates and which load hooks run, turning the bug into code execution. Hiele explains the details in a technical blog post.
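The pattern behind this class of bug, shown as an added example that is not Slanger's own code and does not reproduce its real code path: a handler that passes client bytes to `Marshal.load` beside a hardened handler that parses a data-only format and validates its shape. The `DeserializationGadget` class, the handler names and the message fields are constructed for this example; a real attack chains classes that already exist in the target process, and the hook here only records what it would have done instead of running a command.

```ruby
require 'json'

# Stand-in for a "gadget": a class already loaded in the server process whose
# marshal_load hook has side effects. It is constructed for this example; a
# real attack chains existing classes from the application or its gems.
class DeserializationGadget
  # Process-wide record of what the hook did, so a caller can observe it.
  def self.log
    @log ||= []
  end

  def initialize(data = nil)
    @data = data
  end

  def marshal_dump
    @data
  end

  # Marshal.load allocates an instance and calls this hook directly, never
  # going through initialize. Whoever controls the bytes controls both the
  # class name and this argument; a real gadget would hand it to Kernel#system,
  # eval or similar. Here it is only recorded.
  def marshal_load(data)
    @data = data
    self.class.log << "would execute: #{data}"
  end
end

# Vulnerable pattern: client bytes go straight into Ruby's object deserializer.
def handle_message_unsafe(raw)
  Marshal.load(raw)
end

# Hardened pattern: a data-only format plus explicit shape validation.
# JSON.parse can only yield Hash, Array, String, Numeric, true, false or nil,
# so no application class is ever instantiated from client input.
def handle_message_safe(raw)
  msg = JSON.parse(raw)
  raise ArgumentError, 'expected a JSON object' unless msg.is_a?(Hash)
  raise ArgumentError, 'event must be a string' unless msg['event'].is_a?(String)
  msg.slice('event', 'channel', 'data')
rescue JSON::JSONError, EncodingError => e
  raise ArgumentError, "malformed message: #{e.message}"
end

# Constructed attacker payload: the marshalled form of the gadget carrying a
# chosen argument. Any client that can reach the socket can send these bytes.
def build_payload(argument)
  Marshal.dump(DeserializationGadget.new(argument))
end

if $PROGRAM_NAME == __FILE__
  payload = build_payload('id')
  obj = handle_message_unsafe(payload)
  puts "unsafe handler returned #{obj.class}; hook log: #{DeserializationGadget.log.inspect}"
  puts "safe handler: #{handle_message_safe('{"event":"pusher:subscribe","channel":"presence-demo"}').inspect}"
  begin
    handle_message_safe(payload)
  rescue ArgumentError => e
    puts "safe handler rejected the marshal payload: #{e.message}"
  end
end
```

The important point is that the vulnerable handler never asks which class it is about to build; the bytes decide. Validating after `Marshal.load` returns is too late, because the hooks have already run by then. The only fix is to stop giving untrusted input to `Marshal.load` (or `YAML.load`, which has the same property) and use a format that cannot name classes.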

A patch is available on GitHub and is included in version 0.6.1 of the gem on RubyGems.

Pusher offers client and server libraries in a variety of programming languages for real-time messaging over WebSockets (a persistent server/client web communication channel), supporting operations such as subscribing to and unsubscribing from public and private channels. Slanger reimplements the Pusher server side as self-hosted open source software.

Hiele found that the vulnerable gem had more than 45,000 downloads on RubyGems.org, then used the internet-connected device search engine Shodan to identify roughly 200 exposed Slanger instances.

Since his initial discovery in February, Hiele notified affected hosts and asset owners and helped the project's developers produce a fix before going public on Monday, more than two weeks after the patch was ready.

Ruby developer Karol Topolski praised Hiele for both his find and coordinated disclosure.

“I’d like to thank Pieter for reaching out to me in Feb and… giving a chance to patch before the vulnerability announcement,” Topolski said in a Twitter update this week.