CVE-2020-15134 in Faye

Summary

by MITRE

In Faye before version 1.4.0, there is a lack of certificate validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the `EM::Connection#start_tls` method in EventMachine to implement the TLS handshake whenever a `wss:` URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a valid and trusted TLS certificate for the expected hostname. That means that any `https:` or `wss:` connection made using these libraries is vulnerable to a man-in-the-middle attack, since it does not confirm the identity of the server it is connected to. The first request a Faye client makes is always sent via normal HTTP, but later messages may be sent via WebSocket. Therefore it is vulnerable to the same problem that these underlying libraries are, and we needed both libraries to support TLS verification before Faye could claim to do the same. Your client would still be insecure if its initial HTTPS request was verified, but later WebSocket connections were not. This is fixed in Faye v1.4.0, which enables verification by default. For further background information on this issue, please see the referenced GitHub Advisory.


Analysis

by VulDB Data Team • 11/06/2020

CVE-2020-15134 is a TLS certificate validation weakness in the Ruby client of the Faye messaging library, affecting versions prior to 1.4.0, and its practical consequence is exposure to adversary-in-the-middle attacks. The flaw is inherited from the libraries Faye's Ruby client uses for its transports, em-http-request for HTTP(S) and faye-websocket for WebSocket, both of which are built on EventMachine. Whenever a wss: URL is used, those libraries establish the TLS session through EM::Connection#start_tls, and that method performs no certificate verification unless the caller asks for it: it neither checks that the server's certificate chains to a trusted certificate authority nor that the certificate was issued for the hostname the client asked for. This is the textbook case of CWE-295, Improper Certificate Validation. Because the client never confirms the identity of its peer, an attacker who can intercept the traffic can present any certificate, including a self-signed one carrying the correct hostname, and complete the handshake undetected. The exposure is not limited to the WebSocket path: a Faye client always sends its first request over plain HTTP(S) before it may move to WebSocket, so the https: bootstrap request and the later wss: connections are both affected, and the client is only safe when every transport it uses verifies the server.
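To make the two missing checks concrete, here is an added example in Ruby (not code from Faye, faye-websocket, em-http-request or EventMachine) that builds a throwaway CA and three server certificates with the standard-library OpenSSL bindings and runs the chain and hostname checks a verifying client must perform. The hostnames and the CA name are invented; the interceptor's certificate is self-signed for the genuine hostname, which is exactly what a client that skips chain validation would accept.

```ruby
require 'openssl'

# Added example (not Faye's or EventMachine's code): the two checks a verifying
# TLS client performs, run against certificates constructed inline so it works
# offline. Hostnames and the CA name below are made up.

HOST = 'faye.example.com'.freeze

# Build an X.509 v3 certificate. With no issuer_cert/issuer_key the certificate
# is self-signed, which is what an interceptor would typically present.
def build_cert(cn, key, serial, ca: false, san: nil, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What a client must do once the server has sent its certificate:
# 1. chain it to a trusted root, 2. match the name the client connected to.
# Returns [accepted?, reason].
def verify_server_cert(leaf, trusted_roots, expected_host, chain = [])
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, chain)
  return [false, "chain: #{ctx.error_string}"] unless ctx.verify
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, expected_host)
  [true, 'ok']
end

def run_scenarios
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert('Example Test CA', ca_key, 1, ca: true)

  genuine = build_cert(HOST, OpenSSL::PKey::RSA.new(2048), 2,
                       san: HOST, issuer_cert: ca, issuer_key: ca_key)
  other = build_cert('other.example.com', OpenSSL::PKey::RSA.new(2048), 3,
                     san: 'other.example.com', issuer_cert: ca, issuer_key: ca_key)
  mitm = build_cert(HOST, OpenSSL::PKey::RSA.new(2048), 4, san: HOST) # self-signed, right name

  {
    genuine: verify_server_cert(genuine, [ca], HOST),
    wrong_host: verify_server_cert(other, [ca], HOST),
    mitm_self_signed: verify_server_cert(mitm, [ca], HOST),
    # The name check alone is not enough: the interceptor's cert carries the right name.
    mitm_name_only: OpenSSL::SSL.verify_certificate_identity(mitm, HOST)
  }
end

if $PROGRAM_NAME == __FILE__
  run_scenarios.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The last scenario is the one that matters for this CVE: a self-signed certificate for the right hostname passes the name check but not the chain check, and a client that runs neither check, which is what EM::Connection#start_tls does by default, accepts it outright.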

The operational impact goes beyond passive interception. An attacker positioned between client and server can read every Faye message in transit, inject or alter messages in either direction, and capture whatever the application carries over the channel, such as session identifiers or authentication tokens passed through Faye extensions. In ATT&CK terms this is Adversary-in-the-Middle (T1557): the client fails to authenticate its server, so an adversary on the path can substitute their own endpoint. The weakness is a failure of secure-by-default design rather than of least privilege: the underlying libraries accepted any certificate unless the caller explicitly configured verification, and Faye did not. It also illustrates how security properties are lost across dependency layers: an application can use TLS on every connection and still have no server authentication because a networking library several levels down defaults to none. Organizations that ran Faye's Ruby client over untrusted networks were exposed to disclosure and tampering of their real-time message traffic; the vulnerability does not by itself grant code execution or privilege escalation on either endpoint.

The remedy is to upgrade to Faye 1.4.0 or later, which enables certificate verification by default. The fix is not confined to Faye itself: as the advisory notes, both faye-websocket and em-http-request first had to gain support for peer verification, so the upgrade must pull in releases of those gems that provide it, and a Gemfile.lock that pins older versions of either will leave one transport unverified regardless of the Faye version. With verification enabled, the TLS handshake fails unless the server's certificate chains to a trusted root and matches the requested hostname, which is exactly the check an adversary-in-the-middle cannot pass. Security teams should audit their Faye deployments for code that disables verification, for custom CA bundles, and for any direct use of EM::Connection#start_tls elsewhere in the application, since EventMachine's own default is unchanged. Monitoring TLS handshake failures after the upgrade is worthwhile in two ways: a burst of failures can reveal a misconfigured or expired server certificate that previously went unnoticed, and it can also be the first sign of an interception attempt. The broader lesson is that secure defaults in transitive dependencies must be verified rather than assumed; NIST SP 800-52 Rev. 2, the federal guideline for TLS implementations, requires clients to validate server certificates, and this issue would not have existed had the libraries followed that baseline.
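A first audit step is simply to find Faye pins below 1.4.0 in a lockfile. The following added example (not Faye's or Bundler's tooling) parses the resolved versions out of a Gemfile.lock and flags the vulnerable range with Gem::Version, which also orders pre-release tags correctly; the lockfile excerpt is constructed for the example and its dependency lines are illustrative, not taken from the real gems.

```ruby
require 'rubygems' # Gem::Version handles "1.4.0.rc1" < "1.4.0" correctly

# Constructed Gemfile.lock excerpt (made up for this example, not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      em-http-request (1.1.5)
        eventmachine (>= 1.0.3)
      eventmachine (1.2.7)
      faye (1.3.0)
        em-http-request (>= 0.3.0)
        faye-websocket (>= 0.9.1)
      faye-websocket (0.10.9)
        websocket-driver (>= 0.5.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    faye
LOCK

# Resolved gem versions live under "specs:" at four-space indentation; deeper
# lines are dependency constraints, not resolved versions, so they are skipped.
def parse_lockfile_specs(text)
  versions = {}
  in_specs = false
  text.each_line do |line|
    if line.match?(/\A\s*specs:\s*\z/)
      in_specs = true
      next
    end
    in_specs = false if line.match?(/\A\S/) # a new top-level section ends specs
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = m[2] if m
  end
  versions
end

FIXED_FAYE = Gem::Version.new('1.4.0') # first release with verification on by default

# True when the lockfile resolves faye to a version before the fix.
def faye_vulnerable?(versions)
  v = versions['faye']
  return false unless v
  Gem::Version.new(v) < FIXED_FAYE
end

# The gems whose versions decide whether both transports verify the server.
def transport_versions(versions)
  versions.select { |name, _| %w[faye faye-websocket em-http-request eventmachine].include?(name) }
end

if $PROGRAM_NAME == __FILE__
  v = parse_lockfile_specs(SAMPLE_LOCK)
  puts transport_versions(v).map { |n, ver| "#{n} #{ver}" }.join(', ')
  puts(faye_vulnerable?(v) ? 'faye < 1.4.0: CVE-2020-15134 applies' : 'faye >= 1.4.0')
end
```

The version check is only half the audit: even with faye at 1.4.0 or later, the faye-websocket and em-http-request versions printed alongside it are the ones that actually perform the verification, so they need to be at the releases that added support as well.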

Responsible

GitHub, Inc.

Reservation

06/25/2020

Moderation

accepted

CPE

ready

EPSS

0.00864

KEV

no

Activities

very low
