Nexus Intelligence Insights: CVE-2019-13354: 'strong_password' embedded malicious code, RubyGems - Security Boulevard

SBN Nexus Intelligence Insights: CVE-2019-13354: ‘strong_password’ embedded malicious code, RubyGems

We typically don’t follow one monthly Nexus Intelligence Insights post on the heels of another, but July’s vulnerability is time sensitive so we didn’t want to delay getting the next edition out for everyone to read.

FinConDX 2021

In November of 2018, an event-stream, flatmap-stream hack involving a clever combination of social engineering and minified code, allowed a hacker to steal cryptocurrency. In April of this year, a bootstrap-sass vulnerability was discovered when a developer using that very popular component, had a build fail. After doing some investigation, the developer uncovered a stealthily executed attack at the source – “someone” had removed a version of the library, Bootstrap-Sass v3.2.0.2 and immediately released a new version, moments later, v3.2.0.3. 

Flash forward to today and we have another attack on RubyGems at the source, CVE-2019-13354. This attack involves remote code execution in applications using or bundling the `strong_password` component, specifically its version 0.0.7. While this may seem like another mundane vulnerability that needs to be addressed, the story behind how this issue surfaced shines a light on a trend Sonatype has been following for years – attacks are not only getting more sophisticated, they are originating at the source in the software supply chain where it’s much more difficult to detect malicious activity.

Name of Vuln/Sonatype ID: CVE-2019-13354

Type of Vulnerability: Embedded malicious code

Components Affected: Version 0.0.7 ‘strong_password’ ruby gems

Vulnerability Description:

Version 0.0.7 of the `strong_password` gem contains malicious code. The `strength_checker.rb` script fetches and evaluates a code payload from a remote server. At the time of this report, the fetched payload runs a backdoor in production code that evaluates the contents of a crafted cookie matching the regex `/___id=(.+);/`. Since the contents of the cookie (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Elisa Velarde. Read the original post at: