Roll back now to protect against RCE vulnerability

UPDATED Ruby users are being urged to roll back to previous versions after a hijacked Ruby gem was found to allow remote code execution (RCE).

The vulnerability was discovered in the strong_password gem, version 0.0.7.

It was found by researcher Tute Costa during a routine manual review of Ruby gem dependencies, when he noticed that suspicious changes had been made.

Version 0.0.7 had been published on gem hosting service Rubygems.org, six months after the last release, but no source code changes had been published to the GitHub repository.

On further inspection, he realized that the gem contained malicious code that could be used to silently trigger RCE on an infected server.

Costa wrote that the attack injects “middleware that eval’s cookies named with an ___id suffix, only in production, all surrounded by the empty exception handler _! function that’s defined in the hijacked gem, opening the door to silently executing remote code in production at the attacker’s will”.

He added: “It also sends a request to a controlled domain with an HTTP header informing the infected host URLs. It depends on the Faraday gem being loaded for the notification to work (which the oauth2 and stripe gems, for example, include).”

Costa contacted the original maintainer of strong_password who confirmed that he no longer had access to the gem.

It isn’t yet clear how the maintainer, Brian McManus, lost ownership of it.

Costa told The Daily Swig: “Brian was surprised that he didn’t have access to his gem anymore. Since then he activated 2-factor-auth in his RubyGems.org account (I don’t know since when that website has exposed that option). That’s all I know about that.

“I want to stress the fact everyone responded pretty quickly. It’s VERY unfortunate that his account was somehow compromised, but after they noticed we did all we could to avoid further damage.”

He added: “Particularly, people who use bundle-audit in their test runs will see their test suite fail if they are using the compromised gem.

“People who don’t use `bundle-audit` won’t be able to reinstall that gem, as it’s yanked. But production installations that are not updated will have the exploit running.”

A user named bdmac97 posted on Hacker News: “As already hypothesized in the comments, I’m pretty sure this was a simple account hijack. The kickball user likely cracked an old password of mine from before I was using 1password that was leaked from who knows which of the various breaches that have occurred over the years.

“I released that gem years ago and barely remembered even having a rubygems account since I’m not doing much OSS work these days. I simply forgot to rotate out that old password there as a result which is definitely my bad.”

The vulnerability was assigned CVE-2019-13354.

A new version of strong_password is yet to be released. Anyone using this dependency has been advised to roll back to any version prior to 0.0.7.

This isn’t the first time that a Ruby gem library has been hijacked.

In April, a backdoor was discovered in the Bootstrap-Sass Ruby library after a maintainer’s credentials were allegedly compromised.

The RCE vulnerability was found by software developer Derek Barnes during a review of version 3.2.0.3. It is thought that a maintainer’s account details were compromised.

This issue has since been patched.

This article has been updated to include comment.
