Last January, we talked about a critical vulnerability in Ruby on Rails (CVE-2013-0156). At the time, we pointed out that there was no known attack, but that exploit code had been released as part of the Metasploit exploit framework, which would increase the risk of attacks moving forward. It was only a matter of time before it was used in an attack in the wild. We strongly urged server administrators to update their Ruby on Rails software to the latest, patched versions.
At the time, we noted that Trend Micro Deep Security protects users from this vulnerability via the following DPI rules:
- 1005331 Ruby On Rails XML Processor YAML Deserialization DoS
- 1005328 Ruby On Rails XML Processor YAML Deserialization Code Execution Vulnerability
These rules allow Deep Security to block network traffic that is related to this vulnerability, preventing any exploitation of the security flaw.
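As an added example (not Trend Micro's rule logic and not Rails code), here is a request-body check in the spirit of the DPI rules above: CVE-2013-0156 abuses the Rails XML parameter parser, which honoured `type="yaml"` and `type="symbol"` attributes and handed the content to YAML deserialization, so a shield inspects inbound XML bodies for those attributes before they reach the application. The sample requests are constructed, not captured traffic.

```ruby
# Added example: a vulnerability-shield style check for the XML parameter
# deserialization flaw (CVE-2013-0156). Rails' published workaround removed the
# "yaml" and "symbol" entries from ActiveSupport::XmlMini::PARSING; a network
# shield achieves a similar effect by refusing requests that ask for them.
require 'rexml/document'

SUSPICIOUS_TYPES = %w[yaml symbol].freeze

# Returns "element(type)" for every element whose type attribute requests YAML
# or Symbol deserialization; an empty list means the body is clean.
def xml_deserialization_hits(content_type, body)
  return [] unless content_type.to_s.downcase.include?('xml')
  doc = REXML::Document.new(body)
  hits = []
  doc.each_recursive do |el|
    t = el.attributes['type']
    hits << "#{el.name}(#{t})" if t && SUSPICIOUS_TYPES.include?(t.downcase)
  end
  hits
rescue REXML::ParseException
  # Malformed XML never reaches a valid parse; surface it for review instead.
  ['unparseable-xml']
end

# Block/allow decision a shield would make on the request.
def block_request?(content_type, body)
  !xml_deserialization_hits(content_type, body).empty?
end

# Constructed sample requests (label => [Content-Type, body]).
SAMPLES = {
  benign: ['application/xml', '<user><name>alice</name><age type="integer">30</age></user>'],
  yaml:   ['application/xml', '<user><name type="yaml">--- foo</name></user>'],
  symbol: ['text/xml',        '<post><title type="symbol">draft</title></post>'],
  json:   ['application/json', '{"name":"alice"}'],
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, (ctype, body)|
    verdict = block_request?(ctype, body) ? 'BLOCK' : 'allow'
    puts "#{label.to_s.ljust(6)} #{verdict} #{xml_deserialization_hits(ctype, body).join(',')}"
  end
end
```

The check is intentionally content-type gated: JSON or form bodies never enter the XML parser in Rails, so only XML requests are inspected.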
Fast forward to May 28 this year: an exploit in the wild was found targeting this vulnerability. The vulnerability was used to gain access to the affected systems and make them part of an IRC botnet. (The malicious payload is detected as ELF_MANUST.A.)
Why was a vulnerability several months old still being exploited so heavily in the past week? The answer is simple: not everyone patches regularly, for various reasons. Security administrators have to consider several aspects, such as business continuity. Other factors include making sure that patches actually work, and delays due to unexpected system behaviors that may occur once updates are implemented. To learn more about this, you may read our report Monitoring Vulnerabilities: Are Your Servers Exploit-Proof?.
This case, however, illustrates the downside of not patching: systems are put at increased risk, particularly if vulnerability shielding solutions are not integrated into existing systems. We will continue to monitor this threat and release updates as needed.