Malicious code kuaj pom nyob rau hauv so-neeg siv khoom thiab 10 lwm pob Ruby

Nyob rau hauv ib lub pob zeb nrov so-neeg siv, nrog rau tag nrho ntawm 113 lab downloads, txheeb xyuas Hloov cov cai phem (CVE-2019-15224) uas rub tawm cov lus txib ua tau thiab xa cov ntaub ntawv mus rau tus tswv tsev sab nraud. Kev tawm tsam tau ua dhau los kev sib haum xeeb tus tsim tawm tus account so-neeg siv nyob rau hauv rubygems.org repository, tom qab ntawd cov neeg tawm tsam tau tshaj tawm tawm 13-14 thaum Lub Yim Hli 1.6.10 thiab 1.6.13, uas suav nrog kev hloov pauv tsis zoo. Ua ntej lub siab phem versions raug thaiv, kwv yees li ib txhiab tus neeg siv tau tswj kom rub tawm lawv (tus neeg tawm tsam tau tso tawm cov hloov tshiab rau cov laus dua kom tsis txhob nyiam).

Qhov kev hloov siab phem overrides txoj kev "#authenticate" hauv chav kawm
Tus kheej, tom qab uas txhua txoj kev hu ua rau email thiab lo lus zais xa thaum lub sijhawm kuaj xyuas raug xa mus rau tus neeg tawm tsam tus tswv tsev. Txoj kev no, kev nkag mus tsis tau ntawm cov neeg siv kev pabcuam siv chav kawm Identity thiab txhim kho qhov tsis zoo ntawm cov tsev qiv ntawv cov neeg siv khoom tau cuam tshuam, uas muab tshwj xeeb raws li kev vam khom hauv ntau pob Ruby nrov, suav nrog ast (64 lab downloads), oauth (32 lab), fastlane (18 lab), thiab kubeclient (3.7 lab).

Tsis tas li ntawd, lub qhov rooj rov qab tau ntxiv rau qhov chaws, tso cai rau Ruby code arbitrary raug tua los ntawm kev ua haujlwm eval. Txoj cai kis tau los ntawm lub ncuav qab zib uas tau lees paub los ntawm tus neeg tawm tsam tus yuam sij. Txhawm rau qhia cov neeg tawm tsam txog kev teeb tsa lub pob tsis zoo ntawm tus tswv tsev sab nraud, qhov URL ntawm tus neeg raug tsim txom lub kaw lus thiab xaiv cov ntaub ntawv hais txog ib puag ncig, xws li khaws cov passwords rau DBMS thiab huab kev pabcuam, raug xa mus. Kev sim rub tawm cov ntawv sau rau cryptocurrency mining tau sau tseg siv cov lus tsis zoo saum toj no.

Tom qab kawm lub siab phem code nws yog qhia tawmtias muaj kev hloov pauv zoo sib xws hauv 10 pob khoom hauv Ruby Gems, uas tsis raug ntes, tab sis tau npaj tshwj xeeb los ntawm cov neeg tawm tsam raws li lwm lub tsev qiv ntawv nrov nrog cov npe zoo sib xws, hauv qhov khiav ceev tau hloov nrog tus lej lossis lwm qhov (piv txwv li, raws li cron-parser ib pob siab phem cron_parser tau tsim, thiab raws li doge_npib malicious doge-npib pob). Cov teeb meem pob:

• npib_base: 4.2.2, 4.2.1
• blockchain_wallet: 0.0.6, 0.0.7
• zoo-bot: 1.18.0
• doge-npib: 1.0.2
• capistrano-xim: 0.5.5
• bitcoin_vanity: 4.3.3
• lita_npib: 0.0.3
• yuav los sai sai no: 0.2.8
• omniauth_amazon: 1.0.1
• cron_parser: 1.0.12, 1.0.13, 0.1.4

Thawj pob siab phem los ntawm cov npe no tau tshaj tawm rau lub Tsib Hlis 12, tab sis lawv feem ntau tshwm sim thaum Lub Xya Hli. Nyob rau hauv tag nrho, cov pob no tau downloaded txog 2500 zaug.

Tau qhov twg los: opennet.ru