Protect Yourself From the RubyGems Backdoor by InSpec’ing Your Fleet

Chef has invested heavily in security with the Enterprise Automation Stack. With Chef InSpec you can scan your systems for potential vulnerabilities and then use Chef Infra to run remediation across your entire fleet. This matters because last week’s RubyGems vulnerability likely affected other software you have deployed that uses Ruby.

To help, we wrote a Chef InSpec profile as an example of how to check for this type of CVE across your systems. Chef InSpec was designed as a language that makes it easy to write a check for a vulnerability like this one and then run that same check consistently across your entire fleet to make sure your rules are enforced. If a system is out of compliance, you can use Chef Infra to remediate it at scale.

Here is a simple Chef InSpec test that confirms none of the malicious rest-client versions (1.6.10 through 1.6.13) is installed on a Linux host. It searches the filesystem for a gem directory named after one of those versions and fails if any is found.

describe command('find / -type d -regex ".*/rest-client-1\.6\.1[0123]$"') do
  its("stdout") { should_not include("rest-client") }
end

We’ve shared this example InSpec profile at https://github.com/chef-cft/inspec_cve_2019_15224 with tests, which run on Windows, macOS, and Linux, for rest-client and the other 10 malicious gems.
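As an added example (not code from the Chef post or from the chef-cft profile), the following plain-Ruby script reimplements the check the InSpec control delegates to `find`: it walks a directory tree, flags any gem directory named after one of the malicious rest-client releases (1.6.10 through 1.6.13, from the CVE), and flags the other ten gem names the profile tests by name. It generalizes slightly: rather than testing whether a gem name appears anywhere in the `find` output (which, as the sample run above shows, also reports nested directories such as `doge-coin-1.2.3/not-really`), it matches the gem directory's basename, so each install is reported once. The `<name>-<version>` directory layout and the constructed sample tree are assumptions for the demonstration; the gem names and the rest-client version range come from the post.

```ruby
# Added example: plain-Ruby version of the filesystem checks in the InSpec
# profile for CVE-2019-15224. Not the chef-cft profile's own code.
require "find"
require "fileutils"
require "tmpdir"

# Malicious rest-client releases named in CVE-2019-15224 (1.6.10 .. 1.6.13).
# Same regex idea as the InSpec `find -regex` check, anchored to the path end.
REST_CLIENT_PATTERN = %r{/rest-client-1\.6\.1[0-3]\z}.freeze

# Other gems the profile flags by name. No version range is given for these,
# so they are matched on the directory name alone, as the profile does.
OTHER_BAD_GEMS = %w[
  bitcoin_vanity lita_coin coming-soon omniauth_amazon cron_parser
  coin_base blockchain_wallet awesome-bot doge-coin capistrano-colors
].freeze

# Return every directory under `root` whose path names a malicious
# rest-client version, sorted for stable output.
def find_malicious_rest_client(root)
  hits = []
  Find.find(root) do |path|
    hits << path if File.directory?(path) && path.match?(REST_CLIENT_PATTERN)
  end
  hits.sort
end

# Return a Hash of gem name => directories whose basename is "<name>-<version>".
# Matching the basename (assumed layout) avoids double-counting nested dirs.
def find_other_bad_gems(root)
  found = Hash.new { |h, k| h[k] = [] }
  Find.find(root) do |path|
    next unless File.directory?(path)
    base = File.basename(path)
    OTHER_BAD_GEMS.each do |gem|
      found[gem] << path if base.start_with?("#{gem}-")
    end
  end
  found
end

# One entry per checked gem, like the per-gem lines in an InSpec report:
# an empty array means the check passed.
def scan(root)
  report = { "rest-client" => find_malicious_rest_client(root) }
  others = find_other_bad_gems(root)
  OTHER_BAD_GEMS.each { |gem| report[gem] = others[gem].sort }
  report
end

# Names of the gems whose check failed (at least one matching directory).
def failed_checks(report)
  report.reject { |_, paths| paths.empty? }.keys
end

# Constructed sample tree for the demonstration: one malicious rest-client,
# two benign rest-client versions, a doge-coin install with a nested
# subdirectory (mirroring the failing run in the post), and an unrelated gem.
def build_sample_tree(root)
  %w[
    rest-client-1.6.11 rest-client-1.6.1 rest-client-2.0.2
    doge-coin-1.2.3/not-really nokogiri-1.10.4
  ].each { |dir| FileUtils.mkdir_p(File.join(root, "gems", dir)) }
  root
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    report = scan(build_sample_tree(tmp))
    report.each do |gem, paths|
      puts "#{paths.empty? ? '✔' : '×'}  #{gem} #{paths.join(', ')}"
    end
    puts "Failed checks: #{failed_checks(report).join(', ')}"
  end
end
```

Point `scan` at a real gem path (for example the directory printed by `gem env gemdir`) to run it against an actual host; the sample tree exists only so the script can be exercised offline.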

With InSpec, tests can be enriched with metadata that gives security-minded readers context and reference information.

control "CVE-2019-15224" do
  title "malicious rest-client v1.6.10-13"
  desc "Versions 1.6.10 through 1.6.13 of the rest-client gem contain malicious code and should not be present on the system."
  desc "Action", "This control will find all directories on a host's filesystem and check for the presence of a malicious version of rest-client."
  ref "CVE-2019-15224", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-15224"
  ref "GitHub Issue for CVE-2019-15224", url: "https://github.com/rest-client/rest-client/issues/713"
  tag cve: "CVE-2019-15224"
  describe "(find command for malicious rest-client versions)" ...

When run locally, InSpec uses this metadata to produce a meaningful report for a host.

>  sudo inspec exec .
Profile: Malicious Gem Check for CVE-2019-15224 (cve_2019_15224)
Version: 0.1.0
Target:  local://

 ×  CVE-2019-15224: malicious rest-client v1.6.10-13
    ×  (find command for malicious rest-client versions) stdout should not include "rest-client"
    expected "/Users/galen/tmp/gem-review/rest-client-1.6.11\n" not to include "rest-client"
 ×  CVE-2019-15224-adjacent: Other malicious gems found during investigation. (1 failed)
    ✔  (find command for bad gems) stdout should not include "bitcoin_vanity"
    ✔  (find command for bad gems) stdout should not include "lita_coin"
    ✔  (find command for bad gems) stdout should not include "coming-soon"
    ✔  (find command for bad gems) stdout should not include "omniauth_amazon"
    ✔  (find command for bad gems) stdout should not include "cron_parser"
    ✔  (find command for bad gems) stdout should not include "coin_base"
    ✔  (find command for bad gems) stdout should not include "blockchain_wallet"
    ✔  (find command for bad gems) stdout should not include "awesome-bot"
    ×  (find command for bad gems) stdout should not include "doge-coin"
    expected "/Users/galen/tmp/gem-review/doge-coin-1.2.3\n/Users/galen/tmp/gem-review/doge-coin-1.2.3/not-really\n" not to include "doge-coin"
    ✔  (find command for bad gems) stdout should not include "capistrano-colors"

Profile Summary: 0 successful controls, 2 control failures, 0 controls skipped
Test Summary: 9 successful, 2 failures, 0 skipped

Looking at the output from one system is nice, but not very effective when you have hundreds or thousands of systems. Included with Chef EAS, Chef Automate will help you automate scanning, aggregate results, and provide simplified reporting and notifications across your entire fleet using the Chef InSpec profile above.

Interested in learning more about how to secure your systems with Chef? Contact Us and we’ll set up some time to talk.

Galen Emery

I am Galen, the Lead Compliance and Security Architect for Chef. My professional life has been built upon automating everything I can, and I am responsible for helping security and compliance teams understand how to secure systems within the DevOps model. I currently live in San Diego, CA, but am originally from Seattle, WA, with time spent in DC working with the federal government. I have extensive experience in Windows, Cloud Migrations, Chef, Compliance and Security. I hold an active CISSP.