Bootstrap-Sass v3.2.0.3 Loaded With Malware, Update To 3.2.0.4 ASAP
The popular UI framework Bootstrap-Sass shipped malicious code in its RubyGems package that allows an attacker to perform remote code execution; the affected release is 3.2.0.3. Security consulting firm Bad Packets pointed to backdoor-like code inside the Ruby gem that executes code carried in an HTTP cookie. Apparently one of the developers' accounts was hijacked, and whoever took it over used the access to plant the code snippets in the published package.
The finding by Bad Packets was confirmed by Snyk, a vulnerability assessment firm. Teams from both companies have been examining Bootstrap-Sass version 3.2.0.3 since March 26, 2019. “On March 26, 2019, a malicious version of the popular bootstrap-sass package, that has been downloaded a total of 28 million times to date, was published to the official RubyGems repository. We assume that the attacker has obtained the credentials to publish the malicious RubyGems package from one of the two maintainers, but this has not been officially confirmed. Version 3.2.0.3 includes a stealthy backdoor that gives attackers remote command execution on server-side Rails applications,” said Liran Tal of Snyk.
Tal goes on to describe how the existence of the backdoor was verified. Derek Barnes first flagged questionable content in the twbs/bootstrap-sass repository and informed the authors and the community about the malicious code. As of March 26 at 11:56 PM GMT, the project was considered clean, with the malicious backdoor removed by the maintainers. “On the same day, Derek Barnes opened a GitHub issue for the twbs/bootstrap-sass repository that raised an issue related to the malicious version and pointed out a suspicious snippet of code that is bundled with version 3.2.0.3 of bootstrap-sass. The backdoor was wisely hidden in the 3.2.0.3 version that was only published to RubyGems and no source of the malicious version existed on the GitHub repository and allowed remote attackers to dynamically execute code on servers hosting the vulnerable versions,” explained Tal.
Tal strongly recommends that every Rails application using bootstrap-sass update immediately to version 3.2.0.4, the clean release re-published by the maintainers to mitigate the vulnerability. Version 3.2.0.3 and older had been downloaded 27 million times before the patched version 3.2.0.4 was released. The backdoor-loaded version has a SHA256 checksum of 366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0.
“You can run a one-off test for your open source project by clicking here to test your repositories, or by using our CLI to test your projects locally. If you find that your Rails application is making use of the vulnerable project, take immediate steps to replace the current vulnerable version 3.2.0.3 with the re-published 3.2.0.4 version as a first-response mitigation without requiring major version upgrades,” concluded Tal.
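The two facts a responder actually needs from this advisory are the version string and the checksum. The script below, an added example and not code from Snyk, Bad Packets or the bootstrap-sass project, reads the locked bootstrap-sass version out of a Gemfile.lock and classifies it against the advisory, and separately compares a downloaded .gem file's SHA256 to the published bad hash. The Gemfile.lock samples are constructed for the example; the version numbers and checksum are the ones quoted in the article. The distinction between "exactly 3.2.0.3" (the release that carries the backdoor) and "older than the 3.2.0.4 re-publish" (not backdoored, but still below the version the advisory tells you to move to) is an assumption of this example's classification, not something the article spells out.

```ruby
require "rubygems" # Gem::Version gives proper dotted-version comparison
require "digest"

# Versions and checksum quoted in the advisory above.
BACKDOORED_VERSION = Gem::Version.new("3.2.0.3")
FIXED_VERSION      = Gem::Version.new("3.2.0.4")
BACKDOORED_GEM_SHA256 =
  "366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0"

# Constructed Gemfile.lock fragments for demonstration (not real project files).
SAMPLE_LOCK_BACKDOORED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      sass (3.7.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass (~> 3.2.0)
LOCK

SAMPLE_LOCK_FIXED = SAMPLE_LOCK_BACKDOORED.sub("bootstrap-sass (3.2.0.3)",
                                               "bootstrap-sass (3.2.0.4)")

# Return the resolved bootstrap-sass version from Gemfile.lock text, or nil.
# Only the "specs:" block is consulted: locked gems there are indented exactly
# four spaces, transitive requirements six, and the DEPENDENCIES section lists a
# constraint ("~> 3.2.0"), not the version that was actually installed.
def locked_bootstrap_sass_version(lockfile_text)
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /^  specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # new top-level section (PLATFORMS, DEPENDENCIES ...)
    next unless in_specs
    if (m = line.match(/^ {4}bootstrap-sass \(([^)]+)\)\s*$/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Classify a locked version against the advisory.
#   :backdoored  - exactly 3.2.0.3, the release that carries the backdoor
#   :below_fix   - older than the 3.2.0.4 re-publish the advisory tells you to move to
#   :ok          - 3.2.0.4 or newer
#   :not_present - bootstrap-sass is not locked at all
def assess_version(version)
  return :not_present if version.nil?
  return :backdoored  if version == BACKDOORED_VERSION
  return :below_fix   if version < FIXED_VERSION
  :ok
end

# True when the raw bytes of a .gem file hash to the published bad checksum.
# Pass the bytes of the file from `gem fetch` or from the bundler cache.
def backdoored_gem_bytes?(gem_bytes)
  Digest::SHA256.hexdigest(gem_bytes) == BACKDOORED_GEM_SHA256
end

if __FILE__ == $0
  # Usage: ruby check_bootstrap_sass.rb [path/to/Gemfile.lock]
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK_BACKDOORED
  ver  = locked_bootstrap_sass_version(text)
  puts "bootstrap-sass #{ver || '(not locked)'}: #{assess_version(ver)}"
end
```

Checking the checksum matters when the lockfile looks clean: a Gemfile.lock can be edited by hand, so the authoritative evidence of what a host actually installed is the .gem file in the bundler cache (or the one `gem fetch bootstrap-sass -v 3.2.0.3` returns), hashed and compared to the published value.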