IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cloudflare flaw could have led to series of supply-chain attacks

Hackers were able to exploit a path traversal vulnerability to compromise CDNJS and target thousands of sites

A vulnerability in the CDNJS library update server, which is owned by Cloudflare and used by 12.7% of all websites on the internet, could have been abused to execute arbitrary commands and seize control of the CDNJS. 

CDNJS is an open source software content delivery network and is the second most popular after Google Hosted Libraries, which itself is used by 12.8% of sites across the web. The resource hosts thousands of JavaScipt and CSS libraries that sites can adopt to embed features and tools.

The flaw, present in the update server, however, may have led to hackers executing arbitrary commands and entirely compromising the CDNJS catalogue, according to the security researcher known as Ryotak. They reported to flaw to Cloudflare on 6 April, and there’s no evidence so far that it’s been exploited in the wild.

The mechanism for exploitation centres on publishing packages to the CDNJS using GitHub and npm, and using this route to trigger a path traversal vulnerability and fooling the server into executing arbitrary code. Attackers can, therefore, achieve remote code execution.

A path traversal vulnerability allows an attacker to access files on your web server without appropriate access or permission, either by tricking the web server or the web application running on it to return files that exist outside of the web root folder.

Related Resource

Five questions to ask before you upgrade to a modern SIEM

Do you need a better defense strategy?

White title against a dark blue background - whitepaper from IBMFree download

The CDNJS infrastructure also includes a feature to automate library updates by running scripts on the server to download relevant files from the user-managed Git repository or npm package registry.

An attack could involve cyber criminals publishing a new version of a specially-crafted package, which would be carried by the update server for publishing. This would copy the contents of the malicious package into a regularly executed script file hosted on the server.

In practice, this means compromising CDNJS may have led to a series of supply-chain attacks that granted hackers automated access to all sites that use the JavaScript and CSS libraries that comprise it.

The researcher demonstrated the vulnerability can be exploited in a proof-of-concept that involved uploading a file to an npm registry, then waiting for the CDNJS library udpate server to process the crafted file. The contents of the file were written into a regulatory executed script file and the arbitrary was executed.

“While this vulnerability could be exploited without any special skills, it could impact many websites,” they said. “Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it’s very scary.”

After Cloudflare was alerted to the flaw on 6 April, the firm applied a complete fix on 3 June. 

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers
ransomware

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

26 May 2022