Ruby and Rails to Get New Updates

Six vulnerabilities in the RubyGems package manager and three in the Rails framework have been fixed
14 March 2019

Corrective releases of the Ruby programming language, 2.6.2 and 2.5.4, are out; they fix six vulnerabilities in the bundled RubyGems package manager:

  • CVE-2019-8324: code execution when installing an unverified gem (an attacker can place code in the gemspec, and it is executed via a call to eval in ensure_loadable_spec during the verification step that precedes installation);
  • CVE-2019-8320: deletion of directories through symbolic-link manipulation when unpacking the gem's tar archive;
  • CVE-2019-8321: terminal escape-sequence injection through Gem::UserInteraction#verbose (text supplied by a gem or by a gem server is written to the terminal without stripping control characters, so it can carry ANSI sequences that rewrite or hide terminal output);
  • CVE-2019-8322: escape-sequence injection through the output of the "gem owner" command;
  • CVE-2019-8323: escape-sequence injection in API response handling (Gem::GemcutterUtilities#with_response);
  • CVE-2019-8325: escape-sequence injection through error output (Gem::CommandManager#run calls alert_error without escaping control characters).
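Two of the defensive checks behind the fixes above, reimplemented in miniature as an added example (this is not RubyGems' own code; the function names, the exact set of characters replaced, and the temporary-directory scenario are my own): a sanitizer for text that must not reach the terminal with control characters intact, and an install-location check that refuses tar entries escaping the destination directory or passing through a symbolic link.

```ruby
require 'fileutils'
require 'tmpdir'

# Escape-sequence injection (the CVE-2019-8321/8322/8323/8325 class): text
# that came from a gem or from a gem server must not be printed with control
# characters intact. Every control character other than TAB and LF, plus DEL,
# is replaced with '.', so an "ESC[2K" sequence is shown as the harmless
# literal ".[2K". The replacement character and the exact set are my choice;
# the fixed RubyGems does a very similar substitution.
def clean_text(text)
  text.gsub(/[\x00-\x08\x0b-\x1f\x7f]/, '.')
end

# Symlink attack on extraction (the CVE-2019-8320 class): before a tar entry
# is written under destination_dir (or an existing path there is removed to
# make room for it), compute where it really lands and refuse it if it
# escapes the directory or if any already-existing component of its path is
# a symbolic link. A symlink entry extracted earlier in the same archive could
# otherwise redirect a later entry, and the rm_rf that precedes it, into an
# arbitrary directory.
def safe_install_location(filename, destination_dir)
  raise ArgumentError, "absolute path: #{filename}" if filename.start_with?('/')
  root = File.realpath(destination_dir)
  destination = File.expand_path(filename, root)
  unless destination.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "#{filename} escapes #{root}"
  end
  current = root
  filename.split(File::SEPARATOR)[0...-1].each do |part|
    current = File.join(current, part)
    raise ArgumentError, "#{current} is a symlink" if File.symlink?(current)
    break unless File.exist?(current) # the rest of the path does not exist yet
  end
  destination
end

# Constructed scenario for the symlink check: an archive whose first entry is
# the symlink 'lib -> <a directory outside the gem>' and whose next entry is
# 'lib/x.rb'. Returns true when the second entry is rejected.
def rejects_symlinked_entry?
  Dir.mktmpdir do |dest|
    Dir.mktmpdir do |outside|
      File.symlink(outside, File.join(dest, 'lib'))
      begin
        safe_install_location('lib/x.rb', dest)
        false
      rescue ArgumentError => e
        e.message.include?('symlink')
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed gem 'summary': clears the terminal line and prints fake status.
  hostile = "nice gem\e[2K\rGem installed OK, nothing to see"
  puts clean_text(hostile)
  puts "symlinked entry rejected: #{rejects_symlinked_entry?}"
end
```

The symlink walk stops at the first path component that does not exist yet, because anything below it will be created by the extraction itself; the `expand_path` check is what catches plain `../` traversal.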

In addition, Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 and 6.0.0.beta3 have been released, fixing three vulnerabilities:

  • CVE-2019-5420: possible remote code execution when Rails runs in development mode. The development-mode secret token is generated automatically and, given some knowledge of the target application, can be predicted; combined with other Rails internals, knowledge of it allows an attacker to execute code on the server;
  • CVE-2019-5418: file content disclosure in Action View. A specially crafted HTTP Accept header lets an attacker read arbitrary files from the server's file system through any action that uses "render file:";
  • CVE-2019-5419: denial of service in Action View. Manipulating the contents of the HTTP Accept header drives CPU usage to 100%.
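For the two Action View issues the thing to look for in traffic is an Accept header that is not a media-range list at all. The detector below is an added example, not code from the Rails advisory or the Rails code base; the log format (nginx "combined" with the Accept header appended as a final quoted field), the sample lines and the size thresholds are my assumptions.

```ruby
# No legitimate media-range list contains a '..' path step, plain or
# percent-encoded; that is the CVE-2019-5418 probe.
TRAVERSAL = /\.\.(\/|\\|%2f)|%2e%2e/i

# Heuristics for the CVE-2019-5419 DoS variant: the payload shape is not
# described here, so only header size and media-range count are used.
MAX_ACCEPT_LENGTH = 512
MAX_MEDIA_RANGES  = 32

# Returns :traversal, :oversized, or nil for a benign header.
def suspicious_accept?(accept)
  return :traversal if accept =~ TRAVERSAL
  too_long = accept.length > MAX_ACCEPT_LENGTH
  too_many = accept.count(',') + 1 > MAX_MEDIA_RANGES
  return :oversized if too_long || too_many
  nil
end

# Assumed log layout: combined format plus "$http_accept" as the last field.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<agent>[^"]*)" "(?<accept>[^"]*)"\z/

# One finding per log line whose Accept header looks like a probe.
def scan_log(text)
  text.each_line.map do |line|
    m = LOG_LINE.match(line.chomp)
    next unless m
    reason = suspicious_accept?(m[:accept])
    next unless reason
    { ip: m[:ip], time: m[:time], request: m[:request], reason: reason }
  end.compact
end

# Constructed sample: a normal browser request, two probes from one client,
# and an API client.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [14/Mar/2019:10:01:02 +0000] "GET /pages/about HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "text/html,application/xhtml+xml,*/*;q=0.8"
  198.51.100.7 - - [14/Mar/2019:10:01:09 +0000] "GET /pages/about HTTP/1.1" 200 2048 "-" "curl/7.64.0" "../../../../../../../../etc/passwd"
  198.51.100.7 - - [14/Mar/2019:10:01:15 +0000] "GET /pages/about HTTP/1.1" 500 0 "-" "curl/7.64.0" "#{'text/html,' * 100}*/*"
  192.0.2.9 - - [14/Mar/2019:10:02:00 +0000] "GET /api/items.json HTTP/1.1" 200 300 "-" "python-requests/2.21" "application/json"
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:ip]} #{f[:reason]} #{f[:request]}"
  end
end
```

A hit with a 200 status on the traversal line is the case to investigate, since it means the file lookup may have succeeded. On the application side the fix is the upgrade; where a "render file:" call has to stay, passing an explicit formats: option keeps the request's Accept header out of the template lookup.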

Backdoor to be Found in Bootstrap-sass Ruby Gem

The backdoor was added in version 3.2.0.3, published to RubyGems on 26 March; the issue is resolved in release 3.2.0.4, published on 3 April
05 April 2019

A backdoor (CVE-2019-10842) has been found in the popular Ruby library bootstrap-sass (Bootstrap 3 packaged with Sass support), which has about 28 million downloads; it allows attackers to execute their code on servers running projects that use bootstrap-sass. The backdoor was added in release 3.2.0.3, published to the RubyGems repository on 26 March. The issue is resolved in release 3.2.0.4, published on 3 April.

The backdoor was covertly added in the file lib/active-controller/middleware.rb, which contained a call to eval on the value passed in the cookie "___cfduid". To attack, it was enough to send a request to the server with the "___cfduid" cookie set, passing the commands to run, Base64-encoded, as its value. The cookie name "___cfduid" (three underscores) was chosen to look like the "__cfduid" cookie (two underscores) set by the Cloudflare CDN.

Notably, the malicious code was present only in the final package published to RubyGems and not in the source code in the Git repository. The library's source code remained clean and did not arouse suspicion among developers, which underscores the importance of reproducible builds and of a process for verifying that published packages match the reference sources. Apparently, the attack was carried out by taking over the RubyGems account of one of the two library maintainers (a leak of account credentials has not yet been officially confirmed).
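The check that paragraph argues for, as an added example that is not the bootstrap-sass project's own tooling: given a gem unpacked with `gem unpack` and a checkout of the tag it claims to be built from, list the files that exist only in the package and the files whose contents differ. The directory layouts and file contents below are constructed for the demonstration.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Relative path => SHA-256 of content, for every regular file under dir.
# A .git directory in the source checkout is not part of the comparison.
def tree_digest(dir)
  Dir.glob('**/*', File::FNM_DOTMATCH, base: dir).sort.each_with_object({}) do |rel, h|
    path = File.join(dir, rel)
    next unless File.file?(path)
    next if rel.start_with?('.git/')
    h[rel] = Digest::SHA256.file(path).hexdigest
  end
end

# Files only in the source are normal (tests and CI config are usually left
# out of the gem). Files only in the package, or with different contents, are
# exactly what a compromised publish step produces and must be explained.
def compare_package(package_dir, source_dir)
  pkg = tree_digest(package_dir)
  src = tree_digest(source_dir)
  {
    only_in_package: pkg.keys - src.keys,
    modified: (pkg.keys & src.keys).select { |f| pkg[f] != src[f] },
    only_in_source: src.keys - pkg.keys
  }
end

def write_file(dir, rel, content)
  path = File.join(dir, rel)
  FileUtils.mkdir_p(File.dirname(path))
  File.write(path, content)
end

# Constructed scenario mirroring the shape of this incident: the 'published'
# tree carries one extra file the tagged source never had. The file content is
# a placeholder comment, not the backdoor.
def demo
  Dir.mktmpdir do |src|
    Dir.mktmpdir do |pkg|
      %w[lib/bootstrap-sass.rb lib/bootstrap-sass/version.rb].each do |f|
        write_file(src, f, "# #{f}\n")
        write_file(pkg, f, "# #{f}\n")
      end
      write_file(src, 'test/dummy_test.rb', "# not shipped in the gem\n")
      write_file(pkg, 'lib/active-controller/middleware.rb', "# present only in the package\n")
      compare_package(pkg, src)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |kind, files| puts "#{kind}: #{files.join(', ')}" }
end
```

In practice package_dir is the output of `gem unpack` on the fetched .gem file and source_dir a checkout of the matching tag; a non-empty only_in_package or modified list is the signal, and this comparison needs no reproducible build to be useful as long as the gem is assembled from the files in the repository.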

The attackers were careful to plant the backdoor not in the current 3.4.x branch, whose latest release has more than 217,000 downloads, but as an update to the older 3.2.x branch, counting on a point release of a dependency not arousing suspicion. By a rough estimate, about 1,670 repositories on GitHub use bootstrap-sass as a dependency, and the applications based on them could potentially be compromised. Developers are advised to check for bootstrap-sass among their indirect dependencies and to verify whether an automatic upgrade to the backdoored version took place. Judging by RubyGems download statistics, the backdoored package was downloaded about 1,500 times.
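A Gemfile.lock audit for that advice, as an added example (not code from bootstrap-sass or Bundler): it parses the lock file's specs section, finds the resolved bootstrap-sass version, and reports the chain of dependencies that pulls it in, so the fix lands in the right place. The lock file contents and the gem "my-admin-ui" are constructed for the demonstration; the bad version is the one named in the article.

```ruby
BAD = { 'bootstrap-sass' => ['3.2.0.3'] }.freeze

# Parse the 'specs:' block(s) of a Gemfile.lock into
# { name => { version:, deps: [names] } }. Resolved gems are indented by four
# spaces, their dependencies by six.
def parse_lock(text)
  specs = {}
  in_specs = false
  current = nil
  text.each_line do |line|
    if line =~ /\A  specs:/
      in_specs = true
      next
    elsif line =~ /\A\S/ # a new top-level section (PLATFORMS, DEPENDENCIES, ...)
      in_specs = false
      next
    end
    next unless in_specs
    case line
    when /\A    (\S+) \(([^)]+)\)/
      current = Regexp.last_match(1)
      specs[current] = { version: Regexp.last_match(2), deps: [] }
    when /\A      (\S+)/
      specs[current][:deps] << Regexp.last_match(1) if current
    end
  end
  specs
end

# Every chain root -> ... -> target, where a root is a gem no other resolved
# gem depends on, i.e. something the Gemfile asks for directly.
def chains_to(specs, target)
  parents = Hash.new { |h, k| h[k] = [] }
  specs.each { |name, s| s[:deps].each { |d| parents[d] << name } }
  walk = lambda do |name, path|
    ups = parents[name].reject { |p| path.include?(p) } # guard against cycles
    return [path] if ups.empty?
    ups.flat_map { |p| walk.call(p, [p] + path) }
  end
  walk.call(target, [target])
end

# Findings for every gem pinned at a known-bad version.
def audit(text)
  specs = parse_lock(text)
  BAD.flat_map do |gem, versions|
    next [] unless specs[gem] && versions.include?(specs[gem][:version])
    [{ gem: gem, version: specs[gem][:version],
       via: chains_to(specs, gem).map { |c| c.join(' > ') } }]
  end
end

# Constructed lock file: the application depends only on a hypothetical
# 'my-admin-ui' gem, which drags in the backdoored bootstrap-sass.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        sass (>= 3.2.0)
      my-admin-ui (0.1.0)
        bootstrap-sass (~> 3.2)
      sass (3.7.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    my-admin-ui

  BUNDLED WITH
     1.17.3
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each do |f|
    puts "#{f[:gem]} #{f[:version]} pulled in via: #{f[:via].join('; ')}"
  end
end
```

Run it on a real project with `audit(File.read('Gemfile.lock'))`. A lock file that pins 3.2.0.3 is the thing to look for even after the yank, because the removed gem can still be served from mirrors for a while, and the reported chain tells you which direct dependency's constraint needs bumping to 3.2.0.4.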

A report of a possible backdoor was filed in the project's bug tracker a few hours after the problematic release 3.2.0.3 was published; about an hour later the maintainers removed the release from RubyGems and changed their passwords, but did not take into account that the removed version could remain on mirrors for several days. On 3 April an additional release, 3.2.0.4, identical in content to 3.2.0.2, was published, making it possible to get rid of the backdoored version without migrating to the new 3.4 branch.