News and Notes from the Makers of Nexus | Sonatype Blog

Corrupting the Software Supply Chain: Lessons From the Bootstrap-sass Hack

Written by Elisa Velarde | April 09, 2019

The boldness of bad actors is escalating in the world of open source software. From the event-stream / NPM incident in November of 2018, to the recent bootstrap-sass / Ruby Gems hack, bad actors are practicing stealthy patience and tampering with our modern software supply chain like never before.  

On March 27, Derek Barnes, a software developer whose code relied on the popular Ruby Gems bootstrap-sass component had a build fail.  Derek was suspicious and decided to do some research.  Barnes noticed that that “someone” had removed a version of the library (Bootstrap-Sass v3.2.0.2) and immediately released a new version, moments later, v3.2.0.3.  He was suspicious why “someone” would modify the library on RubyGems -- but not in GitHub, where the library's source code is managed? What Barnes uncovered was sobering: yet another attack on open source and the software supply chain that underpins so much of modern innovation.

Alarmed by the misbehaving code, he alerted the project. On that same day, the malicious component version ( 3.2.0.3) was removed from the RubyGem repository – and the Bootstrap-Sass team revoked access to RubyGems for the developer whose account they believed was compromised and used to push the malicious code.

The mechanics to this (and other software supply chain attacks) are tricky and effective.

  • Obtain rights to publish
  • Yank the existing “clean” component from the RubyGems repo
  • Replace the clean component with a malicious component
  • Force users to upgrade

Mr. Barnes deserves great credit for noticing something strange, taking time to do some research, and discovering what is now CVE-2019-10842.  His efforts echo a point our CTO Brian Fox makes repeatedly; “knowing what’s in your application and having accurate and granular visibility into code dependencies is the first and most important step toward building secure software.”  

Further, in this excellent podcast released last week, Allan Freidman, Director of Cybersecurity Initiatives at NTIA highlights the real cost of not understanding the dependencies in your application and he explains why a software bill of materials (SBOM) is critical for organizations to improve application security hygiene.

The bottom line is this, bad actors are taking advantage of the generous nature of the open source community to contaminate the software supply chain at the source. This is an emerging risk that must be managed by software development teams everywhere.

To find out if your rails application contains the vulnerable version of bootstrap-sass, try our free Nexus Vulnerability Scanner.  Please include the vendor/cache folder after running "bundle package” to obtain the best results.