Dutch govt pulls Ruby on Rails, exploits become semi-automated

The first effects of the recently discovered Ruby on Rails exploit are beginning to be felt, with the Dutch government pulling its digital ID system briefly offline after realising that it was vulnerable.

The Dutch system, called DigiD, allows users to access a number of the government's online services. The government decided to shut the system down yesterday, with a spokesperson for the company telling Nu.nl that it was necessary to close a security issue with the Ruby on Rails platform it was running on.

The move comes as an update arrives to Rapid7's Metasploit framework (which coincidentally also runs Ruby on Rails). It now allows administrators to quickly scan hosts for vulnerable versions of Rails instances, and verify that they can be exploited. Unfortunately, the availability of such tools also means that malicious users are able to quickly automate the process of identifying targets to attack.

Rapid7's own guide to exploiting Ruby on Rails using Metasploit shows an example where administrators, or attackers, could quickly scan 256 hosts and determine whether they are likely to be vulnerable, by simply selecting a Metasploit module and setting a few parameters. Exploitation of the vulnerable hosts is equally as simple.

Although Ruby on Rails has been updated to mitigate the vulnerability, not all administrators are aware that the issue exists, or have underestimated its seriousness. Cloud application platform provider Heroku is one such company that has realised the significance of the vulnerability, and, in addition to providing its affected customers with information on how to upgrade their Rails environments, is reaching out to users via email.