A BACKDOOR IN A POPULAR open-source framework has affected an estimated 28 million users.
According to security firm Synk, a malicious version of web development tool Bootstrap-Sass has been published on the official RubyGems repository.
The researchers found a backdoor that enables hackers to conduct remote command execution on server-side Rails applications.
Writing in a security notice, Synk explained that the vulnerability was "widely hidden" in version 188.8.131.52 of the tool and enabled "remote attackers to dynamically execute code on servers hosting the vulnerable versions".
"The Bootstrap-Sass package is very popular and the malicious backdoor potentially affects a large set of users. The package's GitHub repository has been starred more than 12,000 times and features over 27 million downloads in total. The current version, 3.4.1, has over 217,000 downloads.
"A quick analysis shows roughly 1,670 GitHub repositories that may have been exposed to the malicious library through direct use. This number will increase significantly when counting its usage in applications as a transitive dependency."
This backdoor was hidden in a file called lib/active-controller/middleware.rb, which Synk said "taps into another Ruby module and modifies it so that specific cookies that are sent by the client will be Base64 decoded and then evaluated in runtime, to effectively allow remote code execution".
Although the identity of the attacker is unknown, Synk believes that they "obtained the credentials to publish the malicious RubyGems package from one of the two maintainers".
The malicious version has since been removed from RubyGems, with the maintainers confirming that they've changed their credentials.
"We have already added the vulnerability to our database, and if your project is being monitored by Snyk, you will have already been notified by our routine alerts, if your application contains the malicious package.
"If not, you should test, for free, to see if your application is affected by the malicious version by testing your application code repository with Snyk.
"If you find that your Rails application is making use of the vulnerable project take immediate action and replace the vulnerable version, 184.108.40.206, with the re-published 220.127.116.11 as first response mitigation without requiring major version upgrades." µ
It's the week in Google news
Erik Estrada wouldn't have stood for this
Hacks in support of WikiLeaks founder target gov websites