Code execution back door found in Ruby’s rest-client library

Hayley DenbraverAugust 21, 2019

On August 19th, 2019, the maintainers of rest-client, a simple HTTP and REST client for Ruby, reported a new security threat: a maintainer’s RubyGems account had been compromised, and a malicious third party used it to install a code execution back door. The exploit affects versions greater than 1.6.10 and less than 1.7.0.rc1.

What happened?

GitHub user juskoljo raised an issue on the rest-client repository on Aug 19th. The user reviewed the differences between versions of the package and found that versions between 1.6.10 and 1.7.0.rc1 execute remote code hosted on pastebin.com and send information to a malicious site. Through this exploit, the attacker was able to obtain the infected hosts’ URL, environment variables, and other sensitive information.

The issue thread on GitHub is worth a read. It is a chance to see how an open source security issue was addressed. The first comment mentions that a CVE was requested, and the second comment mentions that the corrupted version had been removed and the compromised maintainer account had been locked. Later in the thread there is a discussion on the merits of two-factor authentication for RubyGems accounts.

It is important to note that the compromised version is fairly old. rest-client is currently in the 2.x.x series, so the exploited versions are a major update behind. However, given the realities of maintaining code, there are undoubtedly plenty of projects susceptible to the exploit.

What should I do now?

Users of the infected versions should upgrade as soon as possible. Version 1.7.0.rc1 includes a fix. You can use Snyk to determine whether you are using the vulnerable versions.

If you use our CLI, simply run snyk test in your project directory. You will get a printout of all the vulnerabilities in your dependencies, including any in rest-client.

You can also test your project through our easy to use UI. Try it today.
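If you would rather check a project offline before running a scanner, the script below is an added example (not code from the original post or from the rest-client project) that reads a Gemfile.lock, picks out the resolved rest-client version and tests it against the range the post reports. It uses only the Gem::Version and Gem::Requirement classes that ship with Ruby. The post describes the range both as "greater than 1.6.10" and as "between 1.6.10 and 1.7.0.rc1"; the example treats the lower bound as inclusive, which is an assumption you should confirm against the advisory you are working from. The sample lockfile is constructed for the example.

```ruby
# Added example (not from the original post): scan a Gemfile.lock for the
# rest-client versions the post reports as backdoored.
require "rubygems"

# Range as stated in the post: 1.6.10 up to, but not including, 1.7.0.rc1.
# Treating 1.6.10 itself as affected is an assumption; adjust the operators
# if the advisory you rely on states the boundaries differently.
AFFECTED_REST_CLIENT = Gem::Requirement.new(">= 1.6.10", "< 1.7.0.rc1")

# Parse every "specs:" block of a Gemfile.lock into { gem_name => Gem::Version }.
# Resolved gems are indented exactly four spaces; their dependencies (six
# spaces) carry constraints rather than resolved versions and are skipped.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A blank line or a new top-level section (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if line.empty? || line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      # Drop any platform suffix such as "-x86_64-linux" before parsing the version.
      specs[m[1]] = Gem::Version.new(m[2].split("-").first)
    end
  end
  specs
end

# Return the affected rest-client version as a string, or nil when the
# lockfile does not pin rest-client to a version inside the reported range.
def affected_rest_client_version(lockfile_text)
  version = parse_lockfile_specs(lockfile_text)["rest-client"]
  return nil if version.nil?
  AFFECTED_REST_CLIENT.satisfied_by?(version) ? version.to_s : nil
end

# Constructed sample lockfile for a stand-alone run; not taken from any real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (2.99.3)
      rest-client (1.6.12)
        mime-types (>= 1.16)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client

  BUNDLED WITH
     1.17.3
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a path to check a real lockfile; fall back to the constructed sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  hit = affected_rest_client_version(text)
  puts(hit ? "rest-client #{hit} is in the reported backdoored range; upgrade" :
             "rest-client is not pinned to a version in the reported range")
end
```

Run it as ruby check_rest_client.rb path/to/Gemfile.lock. The check only looks at the lockfile, so it tells you what Bundler would install, not what is already on a host; the snyk test run described above still covers the rest of your dependency tree.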

I also encourage you to take a lesson from this exploit and enable two-factor authentication for any account that allows it.

What can we learn?

This vulnerability illustrates the wisdom of enabling two-factor authentication for your package manager account. In fact, security-conscious maintainers should consider requiring it for those with push access.

Additionally, this vulnerability demonstrates why keeping relatively up to date with your dependencies’ release versions is a good idea. Auto-updating can be problematic as well, but it is clear that the attacker wanted to ‘fly under the radar’, so to speak, by targeting an older release.

A final lesson learned from this event is about acting fast to remediate this kind of problem. The problem may not impact a huge number of users but the impact to those users has the potential to be huge. It is important to get the word out, so that those users can address the problem as quickly as possible.

Hopefully this post can help spread the word. If you are concerned about whether you are using an infected version of rest-client, try Snyk today! By performing a Snyk test, you can find out if your project includes the infected rest-client versions and learn about any other known vulnerabilities that exist in your dependencies.

Malicious packages within popular open source repositories have become increasingly common. If you believe you found a potential malicious package, you can report this to Snyk via our open source packages disclosure policy: https://snyk.io/vulnerability-disclosure/
