Bootstrap-Sass v3.2.0.3 Loaded With Malware, Update To 3.2.0.4 ASAP
The popular UI framework Bootstrap-Sass hosted malicious code in its library that allows an attacker to perform remote code execution; the affected version is 3.2.0.3 and earlier. Security consulting firm Bad Packets identified backdoor-like code inside the Ruby gem, built around a cookie whose contents are executed. Apparently, one of the developers had his account hijacked by someone else, who then took advantage of that access to install snippets of code in the project.
The finding by Bad Packets is confirmed by Snyk, also a vulnerability assessment firm. Teams from both companies have been examining and observing Bootstrap-Sass version 3.2.0.3 since March 26, 2019. “On March 26, 2019, a malicious version of the popular bootstrap-sass package, that has been downloaded a total of 28 million times to date, was published to the official RubyGems repository. We assume that the attacker has obtained the credentials to publish the malicious RubyGems package from one of the two maintainers, but this has not been officially confirmed. Version 3.2.0.3 includes a stealthy backdoor that gives attackers remote command execution on server-side Rails applications,” said Liran Tal of Snyk.
Tal goes on to describe how they were able to verify the existence of the backdoor. He revealed that Derek Barnes first raised concerns about questionable content in the twbs/bootstrap-sass repository; he is the person who informed the authors and the community about the malicious code. As of March 26 at 11:56 PM GMT, the project was considered clean, with the malicious backdoor removed by the maintainers. “On the same day, Derek Barnes opened a GitHub issue for the twbs/bootstrap-sass repository that raised an issue related to the malicious version and pointed out a suspicious snippet of code that is bundled with version 3.2.0.3 of bootstrap-sass. The backdoor was wisely hidden in the 3.2.0.3 version that was only published to RubyGems and no source of the malicious version existed on the GitHub repository and allowed remote attackers to dynamically execute code on servers hosting the vulnerable versions,” explained Tal.
Tal strongly recommends that everyone using the gem in a Rails application immediately update to version 3.2.0.4, a quick fix issued by the Ruby team to mitigate the vulnerability. Version 3.2.0.3 and older had been downloaded 27 million times before the patched version 3.2.0.4 was released. The backdoor-loaded version has a SHA256 checksum of 366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0.
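For teams that want to check their own applications rather than rely on a hosted scanner, the following script is an added example (not code from Snyk, Bad Packets or the bootstrap-sass project). It parses a Gemfile.lock, reports a locked bootstrap-sass older than the fixed 3.2.0.4 release, and compares a downloaded .gem file against the SHA256 checksum given above. The Gemfile.lock fragment embedded in it is constructed for illustration; the version boundary and checksum come from the article.

```ruby
require 'rubygems'
require 'digest'

# Constructed sample Gemfile.lock (not a real project's lockfile), pinned to
# the backdoored release so the check has something to flag.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.4.9)
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      sass (3.7.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass
LOCK

# SHA256 of the malicious bootstrap-sass 3.2.0.3 gem, as reported in the article.
MALICIOUS_GEM_SHA256 = '366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0'.freeze
# First release without the backdoor; anything older is reported.
FIXED_VERSION = Gem::Version.new('3.2.0.4')

# Parse the "    name (version)" spec lines of a Gemfile.lock into {name => Gem::Version}.
# Direct specs are indented exactly four spaces; their dependencies (six spaces,
# with constraints like ">= 5.2.1") deliberately do not match.
def locked_gems(lockfile_text)
  gems = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    gems[m[1]] = Gem::Version.new(m[2])
  end
  gems
end

# Returns the locked bootstrap-sass version when it is older than the fixed
# release, or nil when the gem is absent or already patched.
def vulnerable_bootstrap_sass(lockfile_text)
  version = locked_gems(lockfile_text)['bootstrap-sass']
  return nil if version.nil? || version >= FIXED_VERSION
  version
end

# True when the given bytes hash to the published checksum of the malicious gem.
def malicious_gem_bytes?(bytes)
  Digest::SHA256.hexdigest(bytes) == MALICIOUS_GEM_SHA256
end

# Same check against a .gem file on disk (e.g. one found in a vendor/cache directory).
def malicious_gem_file?(path)
  malicious_gem_bytes?(File.binread(path))
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  found = vulnerable_bootstrap_sass(text)
  if found
    puts "bootstrap-sass #{found} is locked; update to #{FIXED_VERSION} (bundle update bootstrap-sass)"
  else
    puts 'bootstrap-sass is absent or already at a fixed version'
  end
end
```

Run it as `ruby check_bootstrap_sass.rb path/to/Gemfile.lock`; with no argument it checks the constructed sample. The lockfile check catches the version pin, and the checksum check catches a cached copy of the gem that was fetched before the package was re-published, which the version string alone would not distinguish.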
“You can run a one-off test for your open source project by clicking here to test your repositories, or by using our CLI to test your projects locally. If you found out your Rails application is making use of the vulnerable project, take immediate steps to replace the current vulnerable version 3.2.0.3 with the re-published 3.2.0.4 version as first response mitigation without requiring major version upgrades,” concluded Tal.