An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.
A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, an unknown number of which might have used the library, strong_password, in its infected version 0.0.7.
The discovery came about after Epion Health developer, Tute Costa, noticed something unusual when carefully updating a family of libraries used by his company’s dev to fix bugs and security vulnerabilities.
When he looked at the strong_password gem on RubyGems.org, he couldn’t locate a changelog explaining how it got to the updated version from 0.0.6, an event which happened on 25 June 2019.
The previous GitHub version had been updated in October 2018. Comparing the two versions, he noticed the mystery 0.0.7 version embedded a download link which:
Fetches and runs the code stored in a pastebin.com, only if running in production, with an empty exception handling that ignores any error it may raise.
The backdoor would download code from the Pastebin address for production sites, giving the attackers the power of remote code execution, silently hijacking any websites unfortunate to have updated to the rogue strong_password gem.
Adding to this, the versions had been published by an empty account under a different name (probably the victim of a Pastebin account hijacking) to the official maintainer, Brian McManus, who replied to an email from Costa to say:
The gem seems to have been pulled out from under me… When I login to rubygems.org I don’t seem to have ownership now.
The latest issue is identified as CVE-2019-13354. The infected library has now been pulled and replaced with 0.0.8.
Part of a pattern
This wasn’t a speculative attack – somebody thought about what they were doing and set out to insert the backdoor in a way that might not be noticed straight away.
It also fits a troubling pattern of recent targeting of Ruby libraries, including the RCE discovered inside the Bootstrap-Sass Ruby library in April.
That hijacking was noticed even quicker than strong_password’s, but the sheer number of libraries used by RoR (and other development frameworks in the firing line) raises the issue of how much oversight is appropriate when new versions appear.
Luckily, on this occasion, a developer was paying attention. When it comes to security, sometimes someone noticing that something is awry is all that stands between a large community of developers and disaster.