Bootstrap-Sass v3.2.0.3 Loaded With Malware, Update To 3.2.0.4 ASAP
The popular UI framework Bootstrap-Sass hosted malicious code in its library that allows an attacker to perform remote code execution; the affected version is 3.2.0.3 and earlier. Security consulting firm Bad Packets reported backdoor-like code inside the Ruby gem that executes a payload supplied in an HTTP cookie. Apparently, one of the developers had his account hijacked, and the hijacker used that access to add the malicious snippets to the published package.
Bad Packets' finding is confirmed by Snyk, a vulnerability assessment firm. Teams from both companies have been examining Bootstrap-Sass version 3.2.0.3 since March 26, 2019. “On March 26, 2019, a malicious version of the popular bootstrap-sass package, that has been downloaded a total of 28 million times to date, was published to the official RubyGems repository. We assume that the attacker has obtained the credentials to publish the malicious RubyGems package from one of the two maintainers, but this has not been officially confirmed. Version 3.2.0.3 includes a stealthy backdoor that gives attackers remote command execution on server-side Rails applications,” said Liran Tal of Snyk.
Tal goes on to describe how the existence of the backdoor was verified. He reports that Derek Barnes first raised questions about the content of the twbs/bootstrap-sass repository; he is the person who informed the authors and the community about the malicious code. As of March 26 at 11:56 PM GMT, the project was considered clean, the malicious backdoor having been removed by the maintainers. “On the same day, Derek Barnes opened a GitHub issue for the twbs/bootstrap-sass repository that raised an issue related to the malicious version and pointed out a suspicious snippet of code that is bundled with version 3.2.0.3 of bootstrap-sass. The backdoor was wisely hidden in the 3.2.0.3 version that was only published to RubyGems and no source of the malicious version existed on the GitHub repository and allowed remote attackers to dynamically execute code on servers hosting the vulnerable versions,” explained Tal.
Tal strongly recommends that everyone running a Rails application immediately update to version 3.2.0.4, a quick fix issued by the Ruby team to mitigate the vulnerability. Version 3.2.0.3 and older had been downloaded 27 million times before the patched version 3.2.0.4 was released. The backdoor-loaded version has a SHA256 checksum of 366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0.
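The two checks a Rails team actually needs from the paragraphs above are (1) which bootstrap-sass version their Gemfile.lock resolves to, and (2) whether a cached .gem file matches the published checksum of the malicious release. The script below is an added example, not code from the article, Snyk or the bootstrap-sass project; it takes the version numbers and the SHA256 from the text, and the Gemfile.lock fragment it parses is constructed for illustration.

```ruby
require 'digest'

# Values taken from the article: the backdoored release, the fixed release,
# and the SHA256 of the malicious gem archive.
BACKDOORED_VERSION   = '3.2.0.3'
FIXED_VERSION        = '3.2.0.4'
MALICIOUS_GEM_SHA256 = '366d6162fe36fc81dadc114558b43c6c8890c8bcc7e90e2949ae6344d0785dc0'

# Parse the "specs:" section of a Gemfile.lock into { gem_name => version }.
# Resolved gems are indented by four spaces and their dependencies by six,
# so anchoring on exactly four spaces picks up only the resolved gems.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, specs|
    if (m = line.chomp.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      specs[m[1]] = m[2]
    end
  end
end

# Exactly the release the article identifies as carrying the backdoor.
def backdoored?(version)
  Gem::Version.new(version) == Gem::Version.new(BACKDOORED_VERSION)
end

# Anything below the re-published fixed release should be moved up.
def needs_update?(version)
  Gem::Version.new(version) < Gem::Version.new(FIXED_VERSION)
end

# SHA256 of a file's bytes, for comparison with the published checksum.
def sha256_of(path)
  Digest::SHA256.file(path).hexdigest
end

def matches_malicious_checksum?(path)
  sha256_of(path) == MALICIOUS_GEM_SHA256
end

# Assess one lockfile and return a short status string.
def assess_lockfile(text)
  version = parse_lockfile(text)['bootstrap-sass']
  return 'bootstrap-sass not present' if version.nil?
  return "bootstrap-sass #{version}: BACKDOORED, replace with #{FIXED_VERSION} now" if backdoored?(version)
  return "bootstrap-sass #{version}: older than #{FIXED_VERSION}, update" if needs_update?(version)

  "bootstrap-sass #{version}: fixed release or later"
end

# Constructed sample Gemfile.lock fragment (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      autoprefixer-rails (9.4.7)
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sassc (>= 2.0.0)
      sassc (2.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts assess_lockfile(SAMPLE_LOCKFILE)
  # Any .gem paths given on the command line are hashed and compared, e.g.
  # the cached copies under vendor/cache or the gem installation directory.
  ARGV.each do |gem_path|
    verdict = matches_malicious_checksum?(gem_path) ? 'MATCHES malicious checksum' : 'does not match known bad hash'
    puts "#{gem_path}: #{verdict}"
  end
end
```

Run it with the paths of any cached bootstrap-sass .gem files as arguments; the lockfile check tells you whether the resolved version is the backdoored one or merely older than the fix, and the checksum check confirms whether a specific archive on disk is the malicious build rather than relying on the version string alone.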
“You can run a one-off test for your open source project by clicking here to test your repositories, or by using our CLI to test your projects locally. If you found out your Rails application is making use of the vulnerable project take immediate steps to replace the current vulnerable version of 3.2.0.3 with the re-published 3.2.0.4 version as first response mitigation without requiring major version upgrades,” concluded Tal.
Julia Sowells
Julia Sowells is a technology and security professional. Over a decade in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.