Ruby users who updated with strong_password gem version 0.0.7 are urged to roll back to the previous versions after a developer discovered the malicious code in the gem.
The developer named Tute Costa who noticed the inclusion of backdoor while performing regular security audits. He spotted the changes with strong_password on gem hosting service, but not with any branch in GitHub.
“It appeared to have gone from 0.0.6 to 0.0.7, yet the last change in any branch in GitHub was from 6 months ago, and we were up to date with those.”The Strong_password is gem used by developers to check the password strength of the apps.
He further downloaded the gem from Rubygems and compared to the copy in GitHub, following code was added with the latest version and change was appended from a different account than the maintainer’s one.
def !;begin;yield;rescue Exception;end;end
According to the code, it appears attackers use Pastebin to download the secondary payload, the code runs only if it is running in a production environment with an empty exception.
The attack also injects a middleware that “eval‘s cookies named with an __id suffix, only in production, all surrounded by the empty exception handler! a function that’s defined in the hijacked gem.”
The vulnerability has been assigned with CVE identifier CVE-2019-13354. A newer version 0.0.8 of ruby gem with the clean code is released and the details can be seen from the official page of RubyGems.