CVE-2019-13589

9.8 CRITICAL

📋 TL;DR

The paranoid2 gem version 1.1.6 for Ruby contained a malicious backdoor inserted by a third party that allows remote code execution. This affects any Ruby application that installed or updated to this specific compromised version from RubyGems.org. Version 1.1.5 does not contain the backdoor and is the safe version despite having a lower version number.

💻 Affected Systems

Products:
  • paranoid2 Ruby gem
Versions: Version 1.1.6 only
Operating Systems: All operating systems running Ruby
Default Config Vulnerable: ⚠️ Yes
Notes: Only version 1.1.6 is affected. Version 1.1.5 is safe despite having a lower version number. The vulnerability was introduced through a supply chain attack on RubyGems.org.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of affected systems allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems.

🟠 Likely Case: Attackers gaining remote code execution on vulnerable systems, potentially leading to data theft, cryptocurrency mining, or ransomware deployment.

🟢 If Mitigated: No impact if using version 1.1.5 or earlier legitimate versions, or if the compromised gem was never installed.

🌐 Internet-Facing: HIGH - Any internet-facing Ruby application using the compromised gem could be remotely exploited.
🏢 Internal Only: MEDIUM - Internal systems could still be compromised through supply chain attacks or lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The backdoor was intentionally inserted and requires no authentication. Attackers could trigger the backdoor remotely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.1.5 (or remove version 1.1.6 entirely)

Vendor Advisory: https://github.com/rubygems/rubygems.org/issues/2051

Restart Required: Yes

Instructions:

1. Remove version 1.1.6 from your Gemfile.lock and Gemfile.
2. Specify version 1.1.5 explicitly or use a different gem.
3. Run 'bundle update paranoid2' or 'gem uninstall paranoid2 -v 1.1.6'.
4. Restart your Ruby application.

🔧 Temporary Workarounds

Remove compromised gem version (applies to: all platforms)

Uninstall the vulnerable version 1.1.6 and revert to version 1.1.5:

gem uninstall paranoid2 -v 1.1.6
gem install paranoid2 -v 1.1.5

Update Gemfile to pin safe version (applies to: all platforms)

Explicitly specify version 1.1.5 in your Gemfile:

gem 'paranoid2', '1.1.5'

🧯 If You Can't Patch

  • Isolate affected systems from network access immediately
  • Monitor for suspicious process activity and network connections

🔍 How to Verify

Check if Vulnerable:

Check if paranoid2 version 1.1.6 is installed in your Ruby environment

Check Version:

gem list | grep paranoid2

Verify Fix Applied:

Confirm paranoid2 version is 1.1.5 or earlier, or that the gem is completely removed
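The `gem list` check above only covers the Ruby environment it is run in. For the same check across many projects, the resolved versions in each Gemfile.lock are a more reliable source. The following script is an added example, not part of this advisory or of the paranoid2 project: it parses the `specs:` block of a Gemfile.lock and reports any gem pinned to a version on a compromised list (here only paranoid2 1.1.6, per this CVE). The lockfile text embedded in it is constructed for the example.

```ruby
# Added example (not from the advisory): scan a Gemfile.lock for the
# backdoored paranoid2 1.1.6 release described in CVE-2019-13589.
# The lockfile below is constructed sample input, not a real project's file.

SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (5.2.3)
        concurrent-ruby (~> 1.0, >= 1.0.2)
      concurrent-ruby (1.1.5)
      paranoid2 (1.1.6)
        activesupport (>= 3.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    paranoid2

  BUNDLED WITH
     1.17.3
LOCK

# Gem versions known to carry an injected backdoor (only the one on this page).
COMPROMISED = { "paranoid2" => ["1.1.6"] }.freeze

# Parse the `specs:` block of a Gemfile.lock into { name => resolved version }.
# Resolved gems sit at exactly four spaces of indentation; the deeper lines
# underneath them are dependency constraints, not installed versions, and are
# skipped so that a constraint like "paranoid2 (>= 1.1)" is never mistaken
# for an installed 1.1.6.
def lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.start_with?("GEM")
      in_specs = true
      next
    end
    # Any other top-level section (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && line =~ /\A[A-Z]/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Return [name, version] pairs from the lockfile that are on the compromised list.
def compromised_gems(text)
  lockfile_specs(text)
    .select { |name, ver| COMPROMISED.fetch(name, []).include?(ver) }
    .to_a
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_lockfile.rb [path/to/Gemfile.lock]; with no argument the
  # constructed sample above is scanned.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  hits = compromised_gems(text)
  if hits.empty?
    puts "no compromised gem versions found"
  else
    hits.each { |name, ver| puts "COMPROMISED: #{name} #{ver}" }
  end
end
```

Matching on the exact resolved version rather than on the gem name alone matters here, because 1.1.5 is the safe release: a name-only match would flag the very version the fix instructions tell you to pin.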

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from Ruby applications
  • Suspicious network connections from Ruby processes

Network Indicators:

  • Outbound connections to unknown IPs from Ruby applications
  • Unusual data exfiltration patterns

SIEM Query:

process.name:ruby AND process.args:*paranoid2* AND process.version:1.1.6
