Cloudflare flaw could have led to series of supply-chain attacks

Hackers were able to exploit a path traversal vulnerability to compromise CDNJS and target thousands of sites

A vulnerability in the CDNJS library update server, which is owned by Cloudflare and used by 12.7% of all websites on the internet, could have been abused to execute arbitrary commands and seize control of the CDNJS. 

CDNJS is an open source software content delivery network and is the second most popular after Google Hosted Libraries, which itself is used by 12.8% of sites across the web. The resource hosts thousands of JavaScipt and CSS libraries that sites can adopt to embed features and tools.

The flaw, present in the update server, however, may have led to hackers executing arbitrary commands and entirely compromising the CDNJS catalogue, according to the security researcher known as Ryotak. They reported to flaw to Cloudflare on 6 April, and there’s no evidence so far that it’s been exploited in the wild.

The mechanism for exploitation centres on publishing packages to the CDNJS using GitHub and npm, and using this route to trigger a path traversal vulnerability and fooling the server into executing arbitrary code. Attackers can, therefore, achieve remote code execution.

A path traversal vulnerability allows an attacker to access files on your web server without appropriate access or permission, either by tricking the web server or the web application running on it to return files that exist outside of the web root folder.

Related Resource

Five questions to ask before you upgrade to a modern SIEM

Do you need a better defense strategy?

White title against a dark blue background - whitepaper from IBMFree download

The CDNJS infrastructure also includes a feature to automate library updates by running scripts on the server to download relevant files from the user-managed Git repository or npm package registry.

An attack could involve cyber criminals publishing a new version of a specially-crafted package, which would be carried by the update server for publishing. This would copy the contents of the malicious package into a regularly executed script file hosted on the server.

In practice, this means compromising CDNJS may have led to a series of supply-chain attacks that granted hackers automated access to all sites that use the JavaScript and CSS libraries that comprise it.

The researcher demonstrated the vulnerability can be exploited in a proof-of-concept that involved uploading a file to an npm registry, then waiting for the CDNJS library udpate server to process the crafted file. The contents of the file were written into a regulatory executed script file and the arbitrary was executed.

“While this vulnerability could be exploited without any special skills, it could impact many websites,” they said. “Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it’s very scary.”

After Cloudflare was alerted to the flaw on 6 April, the firm applied a complete fix on 3 June. 

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021