Vulnerability Focus: Ruby

After traversing the National Vulnerability Database for compelling open source security flaws this past month, we have identified the Ruby gem strong_password version 0.0.7 and mini_magick version 4.9.4 to have extensively critical security issues. Read on and spread the word about them with your application security community!

Meterian focuses on critical Ruby vulnerabilities this month. .

CVE-2019-13354

CVE-2019-13354 Ruby strong_password gem 0.0.7 is untrustworthy.

Vulnerability Score: Critical — 9.8 (CVSS v3.0)

Platform: Ruby

Affected versions: strong_password gem 0.0.6

Amber alert! A major vulnerability was found in the RubyGems repository earlier this month – the strong_password gem 0.0.6 was  hijacked, and the compromised version 0.0.7 was found to contain a security flaw, in which a code-execution backdoor has been installed to potentially give third-party attackers the ability to trigger arbitrary code execution (ACE) over the network.

In lay man’s terms, this simply translates to a stealthy backdoor which provides third-party attackers with complete remote access of the server of the Ruby application for which this gem has been installed; opportunistic attackers are then able to send malicious code to the command-and-control servers of the compromised system to execute a range of functions including Denial of Service (DoS) and privilege escalation (e.g. data exfiltration, password dumping).

This open-source security risk was identified by Tute Costa – he was performing a due diligence scanning for anomalies in the library’s changeset of the 25 gems he had upgraded for his Rails app project after realising he could not locate a changelog.md (a file logging all descriptions of changes for each version of an updated gem – think how Microsoft Word or Google Drive saves changes of edits made to documents) for strong_password 0.0.6 gem before it made its upgrade to version 0.0.7. He could not find the code for the updated version 0.0.7 of the strong_password gem and this discrepancy prompted Costa to cross-compare contents of the gem within his  rails app with that of the latest copy in Github.

This was where he discovered the updated version 0.0.7 gem does not belong to the original owner of the strong-password gem, but rather a pseudo account. He then dived into the code and figured out that new tweaks to the updated code for version 0.0.7 creates a loop within a new thread which fetches and executes code stored in a pastebin.com, but with an empty exception handler that ignores any error it potentially raises – this gives attackers remote code-execution (RCE) control  of the system as it will be able to bypass any error registered.

This strong_password gem is an entropy-based password strength checking installation for Ruby and ActiveModel. The previous version (0.0.6) had 39,955 downloads, whereas the compromised version 0.0.7, published on 25th June, raked in a total of 537 installations within three days before it was eventually yanked down on 28th June. Had this security flaw gone undetected and had these gem users decide to perform a bundle update on their APIs, over 30,000 web applications, libraries, servers, and system utilities could have been exposed to open-source security risks.

CVE-2019-13574

CVE-2019-13574  Ruby mini_magick version 4.9.4 has backdoor access to unwanted app server crashers. 

Vulnerability Score: Critical — 7.8 High (CVSS v3.0)

Platform: Ruby

Affected versions: mini_magick version 4.9.4

My oh my. Ruby open source gems are not looking too hot for application security this month! Harsh Jaiswal discovered a remote shell execution vulnerability  in mini_magick – a Ruby library interface that acts as a buffer between the ImageMagick / GraphicsMagick programs and your Ruby code by providing you with the tools and resources to transform and customize images for Ruby applications that is exploitable when using MiniMagick::Image.open with specially crafted URLs originating from unsanitised user input.

Similar to the aforementioned case of the strong_password gem, the vulnerability within this mini_magick gem allows attackers to perform arbitrary code execution (ACE) on servers; it essentially opens the path to access the image in ib/mini_magick/image.rb in the pre-4.9.4 version of the mini_magick gem. The image.open input (aka path to image) is passed to Kernel.open, which functions to accept the ‘|’ (pipe) character followed by a command. This use of Kernel.open represents a serious security risk as the pipe (‘|’) is a character that allows chain commands in the Linux terminal, which means the result of a single command could have further-reaching consequences. Therefore, when installed on an application, this compromised mini_magick version could open the door to  highly risky remote code execution on the hosting server.

This flawed version was downloaded over a million times, suggesting a large potential scale of impact for C2 backdoor attacks. Although a patch has been applied to version 4.9.4 of mini_magick, we believe the expansive list of gems using this flawed version means many developers and organisations might not be aware they have installed mini_magick due to the nature and ubiquity of open source work. Even if these gems do not necessarily use mini_magick in a way that exposes the program to the vulnerability, it is still well-advised to install the updated version of mini_magick 4.9.4 without the erroneous code

So there you have it! Go right on ahead to perform an update to secure your applications and software programs if they use these Ruby gems – you know it would give you peace of mind!

Alas, these 2 identified vulnerabilities are just two needles in a haystack; open source code can typically make up to 90% of most software programs, and this resulting pervasiveness of open source vulnerabilities means new security flaws are popping up like hotcakes. To better equip for your combat against exploitation by third-party attacks, it would be prudent to conscientiously scan for vulnerabilities in your software.

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Ruby

Meterian “Life and Hacks of Open Source” Prize Draw

Following yesterday’s event at IDEALondon over in Shoreditch, London, we’re pleased to announce the launch of our new website scanner and prize draw.

Draw Period: July 10 – July 17, 2019

Prize: A bundle consisting of £100 Amazon.co.uk eGift Voucher, a 1-hour in-person consultation with Meterian, 10% lifetime discount to Meterian cloud-based annual subscription product from Startup, Bootstrap, and Enterprise plans.

Eligibility Criteria: Prize Draw entrants must register their email and contact information on Meterian’s website at https://www.meterian.io/webscanner.html during the Draw Period. Only 1 winner will be selected.

Read on for detailed terms.  Happy scanning!

Meterian “Life and Hacks of Open Source” Prize Draw Terms

  1. We shall specify the opening and closing dates of each prize draw (“Draw Period”).  
  2. There will be one winner per Draw Period who will win a prize for registering on Meterian’s website at https://www.meterian.io/webscanner.html during the Draw Period. We reserve the right to reclaim any prize where a participant makes false claims to identity and affiliation with the company they register on the website.
  3. The prize is a bundle consisting of £100 Amazon.co.uk eGift Voucher, a 1-hour in-person consultation with Meterian, 10% lifetime discount to Meterian’s cloud-based annual subscription product from Startup, Bootstrap, and Enterprise plans.
  4. Prizes will be awarded to entries picked at random by computer or an independent person within 7 working days after the closing date. Each winner will be contacted by telephone, post or email within 21 days of the Prize Draw closing, and be sent their prize by post no later than 90 days after the Prize Draw Date. If a winner for a Prize Draw cannot be contacted using reasonable efforts within 10 days from the Prize Draw date for that Draw Period, then an alternative winner will be drawn from the entries for that Draw Period.
  5. There is no cash alternative to the prize. We reserve the right to award an alternative prize of equal or greater value, should the advertised prize or any part of it become unavailable. The result of the Prize Draw is final. No correspondence will be entered into. The name and county of each winner will be available on request by sending a stamp addressed envelope to Customer Service, Meterian Ltd., 196 Freston Road, London W10 6TT, United Kingdom and may be posted online.
  6. Each winner may be required to participate in reasonable press or PR activity related to the prize draw as notified by Meterian Ltd.  
  7. We reserve the right to cancel or amend the prize draw or these rules at any time without prior notice, with no liability to any entrants.
  8. We can accept no responsibility for entries which fail to be properly submitted for any technical reason whatsoever, and we will reject entries submitted by any other means.
  9. Additional terms:
    1. Each winner must be a UK resident.
    2. The prizes are as stated, not redeemable for cash or other products and are not transferable. Each prize can only be claimed by the winner.
    3. If the prize package is not claimed by 90 days after the prize draw, the prize will be forfeited.
    4. We endeavour to run the competition as stipulated, including the closing date of 11:59pm on last date of Draw Period.
    5. The winners will be communicated via the email used to submit their entry shortly after the completion closing date.
    6. Acceptance of these terms and conditions is a condition of entry and the entry instructions form part of these terms and conditions. By entering into the competition, you agree to be bound by these terms and conditions.
    7. The Promoter (Meterian) reserves the right, at its sole discretion, to exclude you from the competition if you do not comply with these terms and conditions.
    8. Internet or Wi-Fi access is required.
    9. If unable to physically attend the consultation, then the consultation will be conducted via Skype and will only be 1 hour long.
    10. No purchase necessary.
    11. The Promoter’s decision will be final and binding and no correspondence will be entered into.
    12. The Promoter reserves the right to change, alter or withdraw the competition at any time.
    13. This Competition is in no way sponsored, endorsed or administered by, or associated with, Twitter, Facebook, Instagram, LinkedIn or any UK registered charity.
  10. If any of these terms and conditions are found to be void or unenforceable, that term shall be deemed to be deleted and the remaining terms and conditions shall continue in full force and effect.
  11. These terms and conditions shall be governed and construed in accordance with the laws of England and Wales. Any dispute arising is subject to the non-exclusive jurisdiction of the courts of England and Wales.
Meterian “Life and Hacks of Open Source” Prize Draw