Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in CDNJS, its content delivery network for JavaScript libraries, which is used by 12.7% of all websites on the Internet.
The weakness lay in the CDNJS library update server and could have allowed an attacker to execute arbitrary commands on that server, leading to a complete compromise of the service.
The vulnerability was discovered and reported by security researcher RyotaK on April 6, 2021. There is no evidence of in-the-wild attacks abusing this flaw.
Specifically, the attack works by publishing packages to Cloudflare’s CDNJS via GitHub and npm, using them to trigger a path traversal vulnerability, and ultimately tricking the server into executing attacker-supplied code, thereby achieving remote code execution.
It should be noted that the CDNJS framework includes functionality to automate library updates by periodically running scripts on the server that download the relevant files from the user-managed Git repository or from the npm package registry.
Upon discovering an issue with the way this mechanism sanitizes package paths, RyotaK found that “arbitrary code can be executed after performing path traversal from the .tgz file published to npm and overwriting the script that is executed regularly on the server”.
In other words, the attack consists of publishing a new version of a specially crafted package to the repository; the CDNJS library update server then picks it up for release and, while unpacking it, writes the malicious package’s contents over a regularly executed script file hosted on the server, thereby obtaining arbitrary code execution.
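To make the mechanism concrete, here is an added example, not code from Cloudflare’s CDNJS tooling or from RyotaK’s report: a Go program that builds a .tgz in memory containing one benign file and one entry whose name climbs out of the package directory, then shows the vulnerable join-and-trust pattern next to an extractor that refuses any entry resolving outside the destination. The archive contents, the entry name `../../bin/update.sh`, and the directory layout are constructed for illustration and are not the paths or scripts involved in the real incident.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildTarball builds a gzip-compressed tar archive in memory from a map of
// entry name -> file content. Names are written exactly as given, so a name
// such as "../../bin/update.sh" yields the kind of traversal entry an attacker
// could ship inside an npm .tgz. Constructed sample data, not a real package.
func buildTarball(entries map[string]string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, content := range entries {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(content)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(content)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	if err := gz.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// naiveTarget is the vulnerable pattern: join the destination directory with
// the archive entry name and trust the result. filepath.Join resolves "..",
// so the returned path can lie anywhere on the filesystem.
func naiveTarget(dest, name string) string {
	return filepath.Join(dest, name)
}

// safeTarget computes the same path but rejects any entry that does not stay
// inside dest once ".." segments have been resolved.
func safeTarget(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("archive entry %q escapes %s", name, cleanDest)
	}
	return target, nil
}

// extractSafe unpacks tgz into dest, stopping with an error at the first entry
// that escapes dest or is a symlink/hard link (another way to point outside
// the tree). It returns the entry names it has written so far.
func extractSafe(tgz []byte, dest string) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeTarget(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return written, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, err
			}
			written = append(written, hdr.Name)
		default:
			return written, fmt.Errorf("refusing entry type %d for %q", hdr.Typeflag, hdr.Name)
		}
	}
}

func main() {
	// Hypothetical layout: packages unpack under .../packages/pkg, and a
	// scheduled script lives two directories up in .../bin.
	dest := filepath.Join(os.TempDir(), "cdnjs-demo", "packages", "pkg")
	tgz := buildTarball(map[string]string{
		"package/dist/lib.min.js": "console.log('ok');",
		"../../bin/update.sh":     "#!/bin/sh\n# attacker-controlled contents\n",
	})
	fmt.Println("naive extraction would write to:", naiveTarget(dest, "../../bin/update.sh"))
	written, err := extractSafe(tgz, dest)
	fmt.Println("written:", written, "error:", err)
}
```

Running it prints a path under `bin/` for the naive join, while `extractSafe` returns an error naming the offending entry and never touches anything outside `dest`. The check is done on the cleaned relative path rather than a string prefix of `dest`, so a sibling directory such as `pkg-evil` cannot slip past a `HasPrefix(target, dest)` test.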
“While this vulnerability can be exploited without any special skills, it could impact many websites,” RyotaK said. “Considering that there are so many vulnerabilities in the supply chain, which are easy to exploit but have a big impact, I think it’s very scary.”
This isn’t the first time the security researcher has discovered critical flaws in the way software repository updates are handled. In April 2021, RyotaK disclosed a critical vulnerability in the official Homebrew Cask repository that could have been exploited by an attacker to execute arbitrary code on users’ machines.