Ruby on Rails announced the security issue in versions 3.0.20 and 2.3.16 this past January. It released a patch for these issues, which were deemed “critical,” at the same time. But it seems that businesses did not all implement this fix as the vulnerability is now being successfully exploited in the wild.
It turns servers running Ruby on Rails into a botnet.
Using the vulnerability, hackers can direct servers to connect with Internet Relay Chat channels. Hackers within those IRC groups can download malicious code to the servers and push them on toward other IRC channels. This isn’t the most sophisticated way of controlling a botnet, as Jarmoc notes. You do not need to authenticate to the IRC channel, and once there, you can control the bot by “issuing the appropriate commands.”
Jarmoc does explain that because the expertise level to run this kind of botnet is low, “functionality is limited.”
As Ars Technica notes, Ruby on Rails versions 3.2.11, 3.1.10, 3.0.19, 2.3.15, and later are all safe. Developers and admins should use these versions and patch any servers running the infected ones.
Jarmoc concluded, “In short, this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months.”