Cloudflare flaw could have led to series of supply-chain attacks

A vulnerability in the CDNJS library update server, which is owned by Cloudflare and used by 12.7% of all websites on the internet, could have been abused to execute arbitrary commands and seize control of the CDNJS.

CDNJS is an open source software content delivery network and is the second most popular after Google Hosted Libraries, which itself is used by 12.8% of sites across the web. The resource hosts thousands of JavaScipt and CSS libraries that sites can adopt to embed features and tools.

The flaw, present in the update server, however, may have led to hackers executing arbitrary commands and entirely compromising the CDNJS catalogue, according to the security researcher known as Ryotak. They reported to flaw to Cloudflare on 6 April, and there’s no evidence so far that it’s been exploited in the wild.

The mechanism for exploitation centres on publishing packages to the CDNJS using GitHub and npm, and using this route to trigger a path traversal vulnerability and fooling the server into executing arbitrary code. Attackers can, therefore, achieve remote code execution.

A path traversal vulnerability allows an attacker to access files on your web server without appropriate access or permission, either by tricking the web server or the web application running on it to return files that exist outside of the web root folder.

The CDNJS infrastructure also includes a feature to automate library updates by running scripts on the server to download relevant files from the user-managed Git repository or npm package registry.

An attack could involve cyber criminals publishing a new version of a specially-crafted package, which would be carried by the update server for publishing. This would copy the contents of the malicious package into a regularly executed script file hosted on the server.

In practice, this means compromising CDNJS may have led to a series of supply-chain attacks that granted hackers automated access to all sites that use the JavaScript and CSS libraries that comprise it.

The researcher demonstrated the vulnerability can be exploited in a proof-of-concept that involved uploading a file to an npm registry, then waiting for the CDNJS library udpate server to process the crafted file. The contents of the file were written into a regulatory executed script file and the arbitrary was executed.

“While this vulnerability could be exploited without any special skills, it could impact many websites,” they said. “Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it’s very scary.”

After Cloudflare was alerted to the flaw on 6 April, the firm applied a complete fix on 3 June.