Code execution back door found in Ruby’s rest-client library
On August 19th, 2019 rest-client, a simple HTTP and REST client for Ruby, reported a new security threat. A maintainer’s RubyGem account was compromised and a malicious third party installed a code execution back door. The exploit affects versions greater than 1.6.10 and less than 1.7.0.rc1.
What happened?
GitHub user juskoljo raised an issue on the rest-client repository on Aug 19th. The user reviewed the differences between versions of the package and found that versions between 1.6.10 and 1.7.0.rc1 execute remote code hosted on pastebin.com and sends information to malicious site. Through this exploit, the attacker was able to gain the infected hosts’ URL, environment variables, and other sensitive information.
The issue thread on GitHub is worth a read. It is a chance to see how an open source security issue was addressed. The first comment mentions that a CVE was requested and the second comment mentions that corrupted version had been removed and the compromised maintainer account had been locked. Later in the thread there is a discussion on the merits of two factor authentication on RubyGem accounts.
It is important to note that that the compromised version is fairly old. rest-client is currently in 2.x.x series, so the exploited versions are a major update behind. However, given the realities of maintaining code, there are undoubtedly plenty of projects susceptible to the exploit.
What should I do now?
Users of the infected versions should upgrade as soon as possible. Version 1.7.0.rc1 includes a fix. You can use Snyk to determine whether you are using the vulnerable versions.
If you use our CLI, simply run $ snyk test in your project directory. You will get a print out of all the vulnerabilities in your dependencies, including any in rest-client
You can also test your project through our easy to use UI. Try it today.
I also encourage you to take a lesson from this exploit and enable two factor authentication for any account that allows it.
What can we learn?
This vulnerability illustrates the wisdom of enabling two factor authentication for your package manager account. In fact, security conscious maintainers should consider requiring it for those with push access.
Additionally, this vulnerability demonstrates why keeping relatively up to date with your dependencies’ release versions is a good idea. Auto-updating can be problematic as well, but it is clear that the attacker wanted to ‘fly under the radar’, so to speak, by targeting an older release.
A final lesson learned from this event is about acting fast to remediate this kind of problem. The problem may not impact a huge number of users but the impact to those users has the potential to be huge. It is important to get the word out, so that those users can address the problem as quickly as possible.
Hopefully this post can help spread the word. If you are concerned about whether you are using an infected version of rest-client, try Snyk today! By performing a Snyk test, you can find out if your project includes the infected rest-client versions and learn about any other known vulnerabilities that exist in your dependencies.
Malicious packages within popular open source repositories have become increasingly common. If you believe you found a potential malicious package, you can report this to Snyk via our open source packages disclosure policy: https://snyk.io/vulnerability-disclosure/
