Cloudflare flaw could have led to series of supply-chain attacks

Hackers were able to exploit a path traversal vulnerability to compromise CDNJS and target thousands of sites

A vulnerability in the CDNJS library update server, which is owned by Cloudflare and used by 12.7% of all websites on the internet, could have been abused to execute arbitrary commands and seize control of the CDNJS. 

CDNJS is an open source software content delivery network and is the second most popular after Google Hosted Libraries, which itself is used by 12.8% of sites across the web. The resource hosts thousands of JavaScipt and CSS libraries that sites can adopt to embed features and tools.

The flaw, present in the update server, however, may have led to hackers executing arbitrary commands and entirely compromising the CDNJS catalogue, according to the security researcher known as Ryotak. They reported to flaw to Cloudflare on 6 April, and there’s no evidence so far that it’s been exploited in the wild.

The mechanism for exploitation centres on publishing packages to the CDNJS using GitHub and npm, and using this route to trigger a path traversal vulnerability and fooling the server into executing arbitrary code. Attackers can, therefore, achieve remote code execution.

A path traversal vulnerability allows an attacker to access files on your web server without appropriate access or permission, either by tricking the web server or the web application running on it to return files that exist outside of the web root folder.

Related Resource

Five questions to ask before you upgrade to a modern SIEM

Do you need a better defense strategy?

White title against a dark blue background - whitepaper from IBMFree download

The CDNJS infrastructure also includes a feature to automate library updates by running scripts on the server to download relevant files from the user-managed Git repository or npm package registry.

An attack could involve cyber criminals publishing a new version of a specially-crafted package, which would be carried by the update server for publishing. This would copy the contents of the malicious package into a regularly executed script file hosted on the server.

In practice, this means compromising CDNJS may have led to a series of supply-chain attacks that granted hackers automated access to all sites that use the JavaScript and CSS libraries that comprise it.

The researcher demonstrated the vulnerability can be exploited in a proof-of-concept that involved uploading a file to an npm registry, then waiting for the CDNJS library udpate server to process the crafted file. The contents of the file were written into a regulatory executed script file and the arbitrary was executed.

“While this vulnerability could be exploited without any special skills, it could impact many websites,” they said. “Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it’s very scary.”

After Cloudflare was alerted to the flaw on 6 April, the firm applied a complete fix on 3 June. 

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Most Popular

Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Dell XPS 15 (2021) review: The best just got better

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022