Treasure your Ruby apps? Protect from unauthorised access immediately

5min read

Image of thief climbing out of laptop shining flashlight on Ruby icon, titled Vulnerability Focus: Ruby.

It’s that time of the week people. Meterian is back with information on a brand new set of vulnerabilities! We once again turn our heads to focus on two Ruby vulnerabilities. The first being found within the Ruby makandra consul gem, and the second being located within the Airbrake Ruby notifier 4.2.3. Both these open-source vulnerabilities are given a 9.8 severity score on NVD, so don’t waste any time –  read up, you could be affected!

  • CVE-2019-16377 The Ruby makandra consul gem for all versions prior to and including 1.0.2 has an Incorrect Access Control vulnerability. This can lead to unauthenticated access to certain controller actions.
  • CVE-2019-16060 The Airbrake Ruby notifier version 4.2.3 mishandles the blacklist_keys configuration option and may therefore may therefore disclose passwords to unauthorized actors.

CVE-2019-16377

Vulnerability Score: 9.8

Platform: Ruby

Component: consul gem

Affected Versions: <= 1.0.2

Yes, you heard right. A vulnerability has indeed been detected within the Ruby makandra consul gem for all versions prior to and including 1.0.2. It was discovered by Toby Craze (github id:kratob) on 23/09/19. We are afraid to be the bearer of bad news, but this serious security flaw will affect an unknown function of the component Access Control.

A little context: makandra has been working exclusively with Ruby on Rails since 2007. They are a team of Ruby developers and Linux system engineers based in Germany. Makandra are constantly using open-source software and security patches are applied to the systems they use on a weekly basis. During this time, it has successfully delivered more than 100 Rails projects on more than 90 servers, indicating the amount of users that are at risk of this security flaw. This security issue is located within the consul. For those who don’t know, the consul gem is an authorisation solution for Ruby on Rails and it uses scopes to control what a user can see or edit.

So what is the problem? When a controller has multiple power directives, the ‘:only’ and ‘:except’ of the last directive is applied to all directives. By sending a specially-crafted request, this can lead to an attacker gaining unauthorized access to certain controller actions. With the manipulation of an unknown input, comes a privilege escalation vulnerability. Unfortunately, the impact is negative on confidentiality, integrity and availability. Below is what the affected code would look like.

https://github.com/makandra/consul/issues/49

In this example of code, the powers ‘:foo’ and ‘:bar’ are only checked for the #index action. The other actions were left unprotected by powers checks.

The solution is simple. Upgrade to the latest version of the makandra consul gem (1.0.3. or later), which is available from the consul GIT Repository. or via rubygems. Act fast to get rid of this security bug from your codebases and apps! You could be affected!

CVE-2019-16060

Vulnerability Score: 9.8

Platform: Ruby

Component: airbrake-ruby gem

Affected Versions: 4.2.3

Attention Ruby users! The Airbrake Ruby notifier 4.2.3 has mishandled the blacklist_keys configuration option which could result in a very real threat of sensitive data being disclosed to unauthorized actors (e.g password or credentials dumping). What are blacklist_keys? This specifies which keys in the payload should be filtered. Before sending an error, filtered keys will be substituted with the [Filtered] label.

Image of computer, displaying a undisclosed User Name and Password credentials. They are being fished with by a hook. This symbolises the access to sensitive data.
Image from https://www.howtogeek.com/343947/how-to-check-if-your-password-has-been-stolen/

Airbrake is a plain Ruby notifier gem that is used for integrating apps with Airbrake; it is the leading exception reporting service which provides minimalist API, enabling the notifier to send any Ruby exception to the Airbrake dashboard.  An exception is an event occurring during the execution of a program that disrupts the normal flow of the program’s instructions.  When an uncaught exception occurs, Airbrake could potentially release data to the Airbrake server.

The Airbrake dashboard provides easy categorization, searching, and prioritization of exceptions so that when errors occur, your team can quickly determine the root cause – this allows users to easily review errors, tie an error to an individual piece of code, and trace the cause back to recent changes.

So, what is the problem you say? A data-breach vulnerability–this is due to the mishandling of the blacklist_keys configuration option–within Airbrake Ruby 4.2.3 prevents user data from being filtered prior to sending to Airbrake. In other words, the vulnerability allows a remote attacker to access sensitive information on a targeted system. This compromised data could be user passwords or card payment details, which means an app could leak them  unknowingly; if left untreated, this could very well be the fatal zero-day vulnerability for a business or organization. 

To fix this vulnerability, users must upgrade to 4.2.4 or after. But hurry, as you might be at risk of attackers leaking important confidential data!

That is it for this round folks! Make sure to spread the word on these critically-rated Ruby vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so you can expect us to be back with new vulnerabilities very soon!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously. Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Treasure your Ruby apps? Protect from unauthorised access immediately

Vulnerability Focus: PHP

5min read

Image of thief climbing out of laptop shining flashlight on PHP icon, titled Vulnerability Focus: PHP.

Listen up, app sec community – Meterian has an exciting update! We have a new addition to our family of languages for which our vulnerability scanning solution operates on. Drumroll please… it’s PHP. This means another layer of defense for your apps’ open-source dependencies to  shield them against malicious exploits. To commemorate this special day, we have written on 2 high-priority PHP vulnerabilities which will undoubtedly make an interesting read!

  • CVE-2019-9081 A vulnerability in the Illuminate component of Laravel Framework 5.7.x. could result in a remote cyber attack impacting confidentiality, integrity and availability in the process of web development.
  • CVE-2019-14933 A CSRF vulnerability in the Bagisto framework v0.1.5 could lead to attackers removing or manipulating important functionalities which will cause mass denial of services within an application.

CVE-2019-9081 

Vulnerability Score: Critical––9.8 (CVSS v3.0)

Platform: PHP

Component: laravel/laravel

Affected versions: 5.7.0 – 5.7.27

Attention to all PHP programmers! Read up, this is important stuff. On the 24/02/19, a vulnerability was found in the Illuminate component of Laravel Framework 5.7.x., a PHP development framework based on PHP 7.1.3. The severity of the threat is understood when seeing that 107,933 live websites use Laravel. It is also said to be the most popular web app category in the United Kingdom. This demonstrates the scale of potentially affected users, and why action needs to be taken quickly to avoid security flaws. 

A graph depicting the rise in Laravel Usage Statistics. The statistics range from the years 2013-2019.
Laravel Usage Statistics: https://trends.builtwith.com/framework/Laravel

The vulnerability is related to the __destruct method of the PendingCommand class in PendingCommand.php. It is a deserialization RCE (Remote Code Execution) vulnerability originating from a laravel core package and has shown to be triggered as long as the deserialized content is controllable. The access vector was through the network.

So what is the threat? In regards to CWE-502, when developers place restrictions on ‘gadget chains’ and method invocations that can self-execute during the deserialization process, this can allow attackers to leverage them to make unauthorized actions. For example, generating a shell. Manipulation with an unknown input leads to a privilege escalation vulnerability (code execution). Therefore, this vulnerability could have a negative impact on confidentiality, integrity and availability. Even worse, an attack can be initiated remotely with no form of authentication needed for exploitation. 

It is suggested to upgrade the laravel framework to version 5.7.27 or higher as soon as possible. So don’t waste any time! Or risk being vulnerable to potential cyber attacks!

CVE-2019-14933

Vulnerability Score: High — 8.8 (CVSS v3.0)

Platform: PHP

Component: bagisto

Affected versions: 0.1.5

Bagisto is a tailored e-commerce framework designed on some of the hottest open-source technologies such as Laravel, a PHP framework.  It cuts down on the resources needed to deploy an e-commerce platform (i.e. building online stores or migrating from physical stores). 

Alas, we regret to be the bearer of bad news. Version 0.1.5 of Bagisto has been found to contain a cross-site request forgery (CSRF) vulnerability which could result in client side manipulation that forces end users to execute unwarranted commands on a web application for which they are currently authenticated.  It should be noted that this compromised version allows for CSRF attacks under certain conditions, such as admin Uniform Resource Identifiers (URIs).  This CSRF vulnerability manipulates authenticated users’ browsers to send forged HTTP requests, including cookie sessions to exposed web applications. 

Here is some background information on the nature of CSRF attacks. Unlike remote code execution or command injection attacks, CSRF attacks specifically target state-changing requests as opposed to misappropriation of restricted data. Nonetheless, unauthorised state-changing requests can be equally bad; with the help of social engineering tactics (i.e. sending unwarranted links via email or chat support), attackers may trick end users into executing unsanctioned commands of the attackers’ choice. A successful CSRF attack could lead to vexing situations whereby attackers coerce end users into performing fund transfers, email address changes, and so forth. Furthermore, CSRF attacks can go as far as compromising entire web application systems upon gaining access to an administrator account.

In this context, hackers can trick end users by sending requests (i.e phishing emails) to lure them to open and display some apparently innocuous content in a new tab on the browser, which in turn, prompts it to execute the hidden malicious script, than can operate on behalf of the user.

This is a graphic illustrating the play-by-plat on how attackers can exploit the vulnerability to perform CSRF and remove important functionalities, which could lead to denial of services and loss of data on an e-commerce platform.
How attackers can exploit Bagisto open-source vulnerability

 The graphic above illustrates the play-by-play on how attackers can exploit this vulnerability to perform CSRF and remove important functionalities, which could lead to denial of services and loss of data on an e-commerce platform. 

In Step 1, the user first logs into the Bagisto admin page panel and subsequently  accesses a seemingly innocuous website on another tab in the user’s browser. This website contains a malignant script (placed by the hacker), and the action of accessing this tab will lead to Step 3 where the script will be executed; the browser is instructed by said script to perform any possible harmful action on behalf of the user in Step 3. This course of user action culminates in Step 4 with the server executing the requested malicious actions, such as deleting data on the admin panel.

Nonetheless, affected users will be glad to know that all versions of Bagisto following v0.1.5 are untouched by this CSRF vulnerability. So, there you have it – update your application to the latest version of the Bagisto framework at the soonest to avoid further exposure!

Spread the word on these vulnerabilities and their fixes to help us improve application security all-around. In any case, you can certainly expect more engaging reads on PHP in the near future. Until then!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: PHP

Vulnerability Focus: Command Injection

5min read

Image of thief climbing out of laptop shining flashlight on ruby, java icons with a syringe, titled Vulnerability Focus: Command Injection

At attention, app sec community! It has been an exciting past couple of weeks, and we have got some juicy vulnerabilities to dish on. From Apache commons to the extensively-used Nokogiri library,  we will shed light on two compelling command injection vulnerabilities that rank highly on the common vulnerability scoring system (CVSS). Read along and spread the word to help combat against open source vulnerabilities.

  • CVE-2019-10086 The SuppressPropertiesBeanIntrospector class in versions before 1.9.4 of BeanUtils in Apache commons was not enabled by default

  • CVE-2019-5477 An inherent flaw in the Ruby Rexical gem v.1.0.6 or earlier, due to improper neutralization of special elements, resulted in a command injection vulnerability in the Nokogiri gem

CVE-2019-10086

Vulnerability Score: High — 7.3 (CVSS v3.0)

Platform: Java

Component: commons-beanutils

Affected versions: 1.9.3 and earlier

Take heed, all you Java programmers: a vulnerability has been located within Apache commons,  a provider of reusable open source Java component. There lies an arbitrary code vulnerability in the BeanUtils component, a set of utilities used for manipulation of JavaBeans code.

Within the BeanUtils component, there are several class types, or PropertyUtils beans, that  support mechanisms for dynamically defining and accessing bean properties (i.e. Bean Introspection) – these sets of utilities that assist in getting and setting property values on Java classes utilise the BeanIntrospector interface for components that can perform introspection on bean classes. 

Class TypeDescription
DefaultBeanIntrospectorThe default BeanIntrospector implementation

FluentPropertyBeanIntrospector
An implementation which detects write methods for properties used in fluent API scenario
SuppressPropertiesBeanIntrospector**A specialized BeanIntrospector implementation which suppresses some properties.

Example of class types and their functions
** highlights affected component in this CVE incident

In the context of this security flaw, the vulnerability originates from the SuppressPropertiesBeanIntrospector class type. This BeanIntrospector class type  is a standard implementation within a BeanUtils component which suppresses the ability for malicious attackers  to circumvent class properties of Java objects to gain access to the classloader. However, this safeguard mechanism against third-party exploitations of Java objects, was not enabled by default for version 1.9.2 – 1.9.3 of BeanUtils. 

This thereby allows attackers to manipulate classloaders and remotely execute arbitrary commands via class parameter, which would be detrimental to application security. Cyber attackers could potentially take advantage of this command injection loophole to inject malignant code into an application system through cross-site scripting (XSS), cross-site request forgery (XSRF), or drive-by attacks – this would then result in security breaches and a whole slew of inconvenience for organizations using  compromised versions of this BeanUtils component.

Affected users would be relieved to know that the fix for this vulnerability, version 1.9.4 of BeanUtils, has since been published. The security patch for apache-commons-beanutils has fixed the security flaw by adding a special BeanIntrospector class; this class type comprehensively suppresses the ability for any third party to access the classloader through the outmanoeuvring of class properties available on all Java objects – we can declare with utmost confidence that the updated BeanUtils bean prohibits all class level property access by default.

At the risk of sounding like a broken record, application systems that are using versions before 1.9.4 of the BeanUtils component ought to migrate to the latest version at the soonest. Don’t say you haven’t been warned!

CVE-2019-5477

Vulnerability Score: Critical — 9.8 (CVSS v3.0)

Platform: Ruby

Components: Rexical, Nokogiri

Affected versions: Rexical: 1.0.6 and earlier, Nokogiri: 1.10.3 and earlier

Mayday. I repeat, Mayday. Ruby users – watch out! A critical open-source security flaw has been located in Nokogiri, an open-source software library used to parse HTML and XML in Ruby. To provide some contextual information about its popularity, Nokogiri is indisputably one of the most downloaded Ruby gems – it has been downloaded over 240 million times from the rubygems.org. This translates into a potentially vast network of compromised users – it would be prudent for affected parties to understand the type of security flaw they are dealing with.

In versions Nokogiri 1.10.3 or earlier, a command injection vulnerability allows attackers to alter dynamically generated content on a web page by inserting HTML code into input mechanisms that lack effective validation constraints. These commands are then executed in a subprocess via the kernel#open method, which renders an application vulnerable to remote code execution due to improper neutralization of special elements used in a command injection.

This is due to the core functionality of the kernel#open method. When instructed with a file path (defaulting with ‘r’) , it treats the script as the name of a file to open using the specified mode; but when the file path starts with a pipe character ‘I’, it interprets it as a shell command and returns an IO class linked to the subprocess.  In the context of this Nokogiri security flaw, these subprocesses are only exposed if the (undocumented) kernel#open method “Nokogiri::CSS:: Tokenizer#load_file” is executed with unvalidated user input in its filename.

This particular vulnerability exposure appears in the codework generated by Rexical gem versions 1.0.6 or earlier. The Rexical gem facilitates the Nokogiri library in generating a lexical scanner code that is used to parse CSS queries. In any case, the app sec community would be reassured to know that  a patch which addresses this key vulnerability has been released as Rexical v1.0.7. And on an equally heartening note, Nokogiri has also performed an upgrade (i.e. Nokogiri v.1.10.4) to implement the latest patch for the Rexical gem in their library.

Now that you are all caught up on these CVEs, we hope this little piece of enlightenment would have made you more aware of the rampantness of open source vulnerabilities!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Command Injection

Vulnerability Focus: Java

Attention, fellow AppSec comrades! This blog post shines a spotlight on open source vulnerabilities in the Java universe. In particular, it has come to our awareness that the jackson-databind serialisation library, which parses Java objects to JSON and vice versa, has taken big hits over the past few weeks. To better enlighten our readers, we took an in-depth look into the origins of its (de)serialisation flaws.

  • CVE-2019-12384 A flaw in the serialisation process of FasterXML jackson-databind 2.x before 2.9.9.1  could lead to remote code execution. Read why
  • CVE-2019-14379 Hackers could exploit an invalid object-class for pre-2.9.9.2 versions of jackson-databind to gain remote access and control. Read why

CVE-2019-12384

Vulnerability Score: 5.9

Platform: Java

Component: jackson-databind 

Affected versions: FasterXML jackson-databind 2.x before 2.9.9.1 

Here is an interesting one! An open source vulnerability has been found in Jackson, more specifically in jackson-databind. Jackson is a widely-used Java-based library that supports serialization of Java Objects to JSON to enable objects to travel across a network.

A little befuddled? Think of two machines that speak entirely different mother tongues, and decisively pick up another shared language to enable seamless communication between each other. In this context, the act of translating the additional language stands in for the serialization process, whereby the translation process parses the mother tongue (Java Objects) of first machine (X) to a common language (JSON) that is also understood by the second machine (Y).

The root of this vulnerability is that jackson-databind, under certain conditions, blindly deserializes everything in its path. This then gives rise to exploitation opportunities for malicious third-party attackers to substitute valid object-classes with unvalidated ones. As a result, this then enables these hackers  to send specifically crafted JSON messages which could then lead to privilege escalation issues and arbitrary code execution  (ACE) attacks.

Although patches for this security flaw have been published for various softwares (RedHat, Debian 8 ‘Jessie’),  these solutions are not sustainable fix-alls. The existing solution for this vulnerability is essentially manually blacklisting invalid object-classes that can easily be exploited by third-party attackers. Nonetheless, unvalidated object-classes are popping up like hotcakes, and the maintainers of said blacklist are playing a risky game of whack-a-mole, and it is just too time-consuming to continuously add exploitable classes to a list.

Nonetheless, until a more comprehensive solution has been discovered to effectively combat against these loopholes, you had better perform an update on your jackson-databind library to ensure you are well-protected against the blacklisted attack vectors and such known vulnerabilities!

To find out more about jackson-databind exploits, click here.

CVE-2019-14379

Vulnerability Score: TBD

Component: jackson-databind

Affected versions:  2.x versions before  2.9.9.2 

Here’s another testament to the inefficiency of the blacklist measure to protect users of jackson-databind against arbitrary code execution attacks – another invalid object-class, the SubTypeValidator.java, has yet again appeared on our radar.

As explained under the aforementioned Jackson vulnerability that affected FasterXML jackson-databind versions 2.x (all versions up to 2.9.9), this data-binding library has the potential to deserialize any object-classes in its path under certain conditions. This is a result of default-typing which allows jackson-databind users to  deserialize object-classes without specifying the full possible type hierarchy. And herein the default-typing feature lies the flaw of this open source vulnerability.

In this context, where the security flaw affects the more recent version FasterXML jackson-databind 2.9.9.2, remote code execution could be triggered if a hacker inputs the unsanitized SubTypeValidator.java object-class under the default-typing mechanism, when it is used in conjunction with Ecache (Java’s most widely-used cache).

This could potentially result in security breaches  where hackers are able to send specific and malicious JSON messages resulting in unauthorised root access and control. We strongly advise that you upgrade to version 2.9.9.2 or higher at the soonest!

With jackson-databind being a highly popular serialisation gadget in the DevOps community, such exposures should be effectively nipped in the bud to prevent further compromises to its library, as well as waste of resources rolling out patched updates on every vulnerable version. A frequent user of jackson-databind? What are you waiting for?

Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Java

Vulnerability Focus: .NET

Image of thief climbing out of laptop shining flashlight on .net icon, titled Vulnerability Focus: .NET

In the wake of the massive Capital One data breach incited by a misconfigured web app firewall, we are throwing in a .NET open source library vulnerability that demonstrates the pervasiveness of privilege escalation attacks across web apps for good measure.

CVE-2019-1010199

Vulnerability Score: Medium — 6.1 (CVSS v3.0)

Platform: .NET 

Component: ServiceStack 

Affected versions: 4.5.14

It is a perilous time for ServiceStack users, a widely-used .NET based library.
The problem lies with the ServiceStack ecosystem, where a JavaScript-based Cross-Site Scripting (XSS) vulnerability could allow attackers to inject client-side code or scripts into web browsers viewed by other users. This means that said script is activated when it is read by an unsuspecting user’s web browser or web application. The web page or application then acts as an attack vector that delivers the malicious script to the user’s browser.

A web page or application is made vulnerable to XSS if it executes unsanitized user input for web servers to generate output – this user input must then be parsed by the victim’s browser to potentially compromise the system. We will note that though XSS attacks are possible across many languages (e.g. VBScript, ActiveX, Flash, CSS), they are, however, most common in JavaScript (as with this vulnerability) as this language is most commonly used as a client-side scripting language to support a bulk of web browsing experiences. 

In the context of this vulnerability within ServiceStack Framework 4.5.14, the flawed component is the query code used to execute the GET request. And with the web browser’s lack of server-side validation serving as the attack vector, this means that browser encoding is bypassed which could then compromise unsuspecting users’ browsers upon opening a crafted URL. The resulting impact is that a potentially malicious JavaScript code (aka unsanitized user input) would be reflected in the server response during execution for web browser output generation.

Such cross-site scripting vulnerabilities are often used by attackers for privilege escalation issues, especially to bypass access controls when two web pages are of the same origin (i.e. two URLs sharing the same protocol, port (if specified), and host).

This unauthorised access could then lead to security breaches such as data theft and password dumping. It is thus imperative that affected frameworks immediately download the patched version in 5.2 or later to avoid sensitive data violations.

With JavaScript being a key programming language that supports web development, it is imperative that we keep our guard up against unwanted intrusions to ensure seamless and secure provision of web services. We certainly hope this detailed analysis of this .NET vulnerability has galvanized you into taking active measures to avoid systemic data breaches. Until next time!

Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: .NET

Vulnerability Focus: Ruby

After traversing the National Vulnerability Database for compelling open source security flaws this past month, we have identified the Ruby gem strong_password version 0.0.7 and mini_magick version 4.9.4 to have extensively critical security issues. Read on and spread the word about them with your application security community!

Meterian focuses on critical Ruby vulnerabilities this month. .

CVE-2019-13354

CVE-2019-13354 Ruby strong_password gem 0.0.7 is untrustworthy.

Vulnerability Score: Critical — 9.8 (CVSS v3.0)

Platform: Ruby

Affected versions: strong_password gem 0.0.6

Amber alert! A major vulnerability was found in the RubyGems repository earlier this month – the strong_password gem 0.0.6 was  hijacked, and the compromised version 0.0.7 was found to contain a security flaw, in which a code-execution backdoor has been installed to potentially give third-party attackers the ability to trigger arbitrary code execution (ACE) over the network.

In lay man’s terms, this simply translates to a stealthy backdoor which provides third-party attackers with complete remote access of the server of the Ruby application for which this gem has been installed; opportunistic attackers are then able to send malicious code to the command-and-control servers of the compromised system to execute a range of functions including Denial of Service (DoS) and privilege escalation (e.g. data exfiltration, password dumping).

This open-source security risk was identified by Tute Costa – he was performing a due diligence scanning for anomalies in the library’s changeset of the 25 gems he had upgraded for his Rails app project after realising he could not locate a changelog.md (a file logging all descriptions of changes for each version of an updated gem – think how Microsoft Word or Google Drive saves changes of edits made to documents) for strong_password 0.0.6 gem before it made its upgrade to version 0.0.7. He could not find the code for the updated version 0.0.7 of the strong_password gem and this discrepancy prompted Costa to cross-compare contents of the gem within his  rails app with that of the latest copy in Github.

This was where he discovered the updated version 0.0.7 gem does not belong to the original owner of the strong-password gem, but rather a pseudo account. He then dived into the code and figured out that new tweaks to the updated code for version 0.0.7 creates a loop within a new thread which fetches and executes code stored in a pastebin.com, but with an empty exception handler that ignores any error it potentially raises – this gives attackers remote code-execution (RCE) control  of the system as it will be able to bypass any error registered.

This strong_password gem is an entropy-based password strength checking installation for Ruby and ActiveModel. The previous version (0.0.6) had 39,955 downloads, whereas the compromised version 0.0.7, published on 25th June, raked in a total of 537 installations within three days before it was eventually yanked down on 28th June. Had this security flaw gone undetected and had these gem users decide to perform a bundle update on their APIs, over 30,000 web applications, libraries, servers, and system utilities could have been exposed to open-source security risks.

CVE-2019-13574

CVE-2019-13574  Ruby mini_magick version 4.9.4 has backdoor access to unwanted app server crashers. 

Vulnerability Score: Critical — 7.8 High (CVSS v3.0)

Platform: Ruby

Affected versions: mini_magick version 4.9.4

My oh my. Ruby open source gems are not looking too hot for application security this month! Harsh Jaiswal discovered a remote shell execution vulnerability  in mini_magick – a Ruby library interface that acts as a buffer between the ImageMagick / GraphicsMagick programs and your Ruby code by providing you with the tools and resources to transform and customize images for Ruby applications that is exploitable when using MiniMagick::Image.open with specially crafted URLs originating from unsanitised user input.

Similar to the aforementioned case of the strong_password gem, the vulnerability within this mini_magick gem allows attackers to perform arbitrary code execution (ACE) on servers; it essentially opens the path to access the image in ib/mini_magick/image.rb in the pre-4.9.4 version of the mini_magick gem. The image.open input (aka path to image) is passed to Kernel.open, which functions to accept the ‘|’ (pipe) character followed by a command. This use of Kernel.open represents a serious security risk as the pipe (‘|’) is a character that allows chain commands in the Linux terminal, which means the result of a single command could have further-reaching consequences. Therefore, when installed on an application, this compromised mini_magick version could open the door to  highly risky remote code execution on the hosting server.

This flawed version was downloaded over a million times, suggesting a large potential scale of impact for C2 backdoor attacks. Although a patch has been applied to version 4.9.4 of mini_magick, we believe the expansive list of gems using this flawed version means many developers and organisations might not be aware they have installed mini_magick due to the nature and ubiquity of open source work. Even if these gems do not necessarily use mini_magick in a way that exposes the program to the vulnerability, it is still well-advised to install the updated version of mini_magick 4.9.4 without the erroneous code

So there you have it! Go right on ahead to perform an update to secure your applications and software programs if they use these Ruby gems – you know it would give you peace of mind!

Alas, these 2 identified vulnerabilities are just two needles in a haystack; open source code can typically make up to 90% of most software programs, and this resulting pervasiveness of open source vulnerabilities means new security flaws are popping up like hotcakes. To better equip for your combat against exploitation by third-party attacks, it would be prudent to conscientiously scan for vulnerabilities in your software.

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Ruby