Critical severity · NVD Advisory · Published Aug 19, 2019 · Updated Aug 5, 2024

CVE-2019-15224

Description

The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions <=1.6.9 and >=1.6.14 are unaffected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A code-execution backdoor was inserted by a third party into rest-client gem versions 1.6.10–1.6.13 on RubyGems.org.

Vulnerability Overview

The rest-client gem versions 1.6.10 through 1.6.13, distributed on RubyGems.org, contained a malicious backdoor that allowed remote code execution. The backdoor was inserted by an attacker who compromised a maintainer's RubyGems.org account and published the tainted versions [1][2]. Versions ≤1.6.9 and ≥1.6.14 are unaffected [1].

Exploitation

In Rails applications where Rails.env starts with "p" (such as "production"), the malicious code would execute and download a payload from a Pastebin.com URL, then run it on the server [2]. The payload reportedly communicated with a command-and-control server at mironanoru.zzz.com.ua [2]. Only users who explicitly pinned to the 1.6.x series and updated to the backdoored versions in the week before discovery were at risk; the 1.6.x line was superseded by 1.7.0 in 2014 [2].

Impact

An attacker could achieve arbitrary code execution on the affected system, leading to full compromise. The observed payload was used for cryptocurrency mining, but the backdoor could have been leveraged for any purpose, including data theft or further malware deployment [2].

Mitigation

The RubyGems security team yanked the malicious gem versions and locked the compromised maintainer account on August 19, 2019 [2][4]. The rest-client maintainers released version 1.6.14, identical to the clean 1.6.9, to supersede the affected versions [2]. Users should update to 1.6.14 or later, or downgrade to ≤1.6.9. Affected versions can be detected with grep --include='Gemfile.lock' -r . -e 'rest-client (1.6.1[0123])' [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           | Ecosystem | Affected versions    | Patched versions
rest-client       | RubyGems  | >= 1.6.10, < 1.7.0   | 1.7.0
cron_parser       | RubyGems  | >= 1.0.13, <= 1.0.14 | -
coin_base         | RubyGems  | >= 0                 | -
blockchain_wallet | RubyGems  | >= 0                 | -
awesome-bot       | RubyGems  | >= 0                 | -
doge-coin         | RubyGems  | >= 0                 | -
capistrano-colors | RubyGems  | >= 0                 | -
bitcoin_vanity    | RubyGems  | >= 0                 | -
coming-soon       | RubyGems  | >= 0                 | -
omniauth_amazon   | RubyGems  | >= 0                 | -
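
The grep shown under Mitigation matches only rest-client. The Ruby sketch below is an added example, not code from the advisory or the rest-client project: it reads the resolved versions out of Gemfile.lock text and also checks the other gems in the Affected packages table. The names AFFECTED, REQUIREMENTS, SPEC_LINE, affected_gems and the sample lockfile are constructed for illustration, and rest-client uses the description's range of 1.6.10 through 1.6.13.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement

# Ranges copied from this page. rest-client follows the description
# (1.6.10 through 1.6.13), since 1.6.14 is stated to be clean.
AFFECTED = {
  'rest-client' => ['>= 1.6.10', '<= 1.6.13'],
  'cron_parser' => ['>= 1.0.13', '<= 1.0.14']
}
%w[coin_base blockchain_wallet awesome-bot doge-coin capistrano-colors
   bitcoin_vanity coming-soon omniauth_amazon].each { |g| AFFECTED[g] = ['>= 0'] }
REQUIREMENTS = AFFECTED.transform_values { |r| Gem::Requirement.new(*r) }.freeze

# Resolved gems sit at exactly four spaces of indent under "specs:".
# Their dependency constraints (six spaces) and the DEPENDENCIES section
# (two spaces) hold ranges, not installed versions, and are skipped.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\z/

# Returns "name version" strings for every locked gem in an affected range.
def affected_gems(lockfile_text)
  lockfile_text.each_line.with_object([]) do |line, hits|
    m = SPEC_LINE.match(line.chomp)
    next unless m && REQUIREMENTS.key?(m[1])

    # Drop a platform suffix such as "-java" before comparing versions.
    version = Gem::Version.new(m[2].split('-').first)
    hits << "#{m[1]} #{m[2]}" if REQUIREMENTS[m[1]].satisfied_by?(version)
  end
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cron_parser (1.0.12)
      mime-types (1.25.1)
      rest-client (1.6.13)
        mime-types (>= 1.16)

  DEPENDENCIES
    rest-client (~> 1.6.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV[0])
  puts affected_gems(text)
end
```

Run it with a Gemfile.lock path as the first argument; with no argument it scans the constructed sample.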
