Critical Cloudflare CDN flaw allowed 12% of all sites to be compromised

Cloudflare has fixed a critical vulnerability in its free and open source CDNJS that could have affected 12.7% of all websites on the Internet.

CDNJS serves millions of websites with over 4,000 JavaScript and CSS libraries publicly stored on GitHub, making it the second largest JavaScript CDN.

Exploiting the vulnerability involved publishing packages to Cloudflare’s CDNJS via GitHub and npm that triggered a path traversal flaw and, ultimately, remote code execution.

If exploited, the vulnerability would lead to a total compromise of the CDNJS infrastructure.

From “ZIP Slip” to remote code execution

This week, security researcher RyotaK explained how, while investigating supply chain attacks, he found a way to fully compromise Cloudflare’s CDNJS network.

Content Delivery Networks (CDNs) play a critical role in the security, integrity, and availability of the Internet, as the vast majority of websites rely on them to load popular JavaScript libraries and CSS stylesheets.

CDNs are an attractive target for adversaries because, if one is compromised, the attack can have far-reaching consequences for many websites, online stores, and their customers.

While looking at cdnjs.com, RyotaK noted that for libraries not yet hosted on CDNJS, the site suggests requesting the addition of a new library through the CDNJS GitHub repository.

Image: Users can request that a package be published to the CDNJS GitHub repository

After exploring this GitHub repository and the adjacent ones that together make the CDNJS ecosystem work, RyotaK discovered a way to trick servers into running arbitrary code.

In particular, the researcher studied the scripts in the cdnjs/bot-ansible and cdnjs/tools repositories, including the auto-update script that fetches library updates automatically.

These scripts would periodically update the CDNJS server with newer versions of the software libraries published by their authors in the corresponding npm registry.

In other words, for each library published to the CDNJS GitHub repository, its most recent version would be downloaded from the linked npm registry, where the library’s author also maintains the npm version.

RyotaK wondered what would happen if a library he had published on CDNJS had a corresponding npm version containing a path traversal exploit.

Note that npm packages are published as TGZ archives (.tar.gz), which can easily be crafted to contain hidden path traversal entries.

The researcher first published a test library called hey-sven to CDNJS using GitHub, and then started releasing new versions of “hey-sven” in the npm registry.

In the newer versions of “hey-sven” published to npm, which would eventually be processed by the CDNJS update bots, the researcher placed Bash scripts at odd-looking paths.

These unusual paths are nothing more than path traversal exploits hidden within ZIP/TGZ archives, a technique popularized in 2018 as “ZIP Slip”.

Image: npm versions 1.0.1 and 1.0.2 of the “hey-sven” library contained path traversal exploits
Source: BleepingComputer

Once the CDNJS servers processed the crafted “hey-sven” npm files, the contents of these Bash scripts would run on the server.

However, the researcher did not want to accidentally overwrite an existing script, so during this proof of concept (PoC) he first used a symbolic link vulnerability to read the contents of the file he was about to overwrite.

“As Git supports symbolic links by default, it is possible to read arbitrary files from the update server of the cdnjs library by adding a symbolic link in the Git repository.”

“If the script file that runs regularly is overwritten to execute arbitrary commands, the automatic update function may fail, so I decided to check for arbitrary file read first,” said the researcher.
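The two defects the PoC chained, a tarball entry whose name climbs out of the extraction directory (ZIP Slip) and a symlink entry that the bot later reads through, can both be caught by auditing the archive before anything is extracted. The Go program below is an added illustration, not code from cdnjs/tools or from RyotaK’s PoC; the names AuditTarGz and Escapes are chosen here, and it assumes the update bot receives the npm tarball as a byte stream.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Escapes reports whether an archive member name would land outside the
// extraction root once "../" segments are collapsed: the ZIP Slip check.
func Escapes(name string) bool {
	clean := filepath.Clean(name)
	return filepath.IsAbs(clean) || clean == ".." ||
		strings.HasPrefix(clean, ".."+string(filepath.Separator))
}

// AuditTarGz scans a gzipped tarball (an npm package, say) and lists every
// entry an update bot should refuse before extracting: names that traverse
// out of the root, and anything that is not a plain file or directory
// (symlinks, hard links, devices). Nothing is written to disk.
func AuditTarGz(r io.Reader) ([]string, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var findings []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return findings, err
		}
		switch {
		case Escapes(hdr.Name):
			findings = append(findings, fmt.Sprintf("%s: path escapes extraction root", hdr.Name))
		case hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink:
			findings = append(findings, fmt.Sprintf("%s: link to %q not allowed", hdr.Name, hdr.Linkname))
		case hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeDir:
			findings = append(findings, fmt.Sprintf("%s: entry type %q not allowed", hdr.Name, hdr.Typeflag))
		}
	}
}

func main() { // usage: go run . < package.tgz
	findings, err := AuditTarGz(os.Stdin)
	fmt.Println(len(findings), "unsafe entries", findings, err)
}
```

A non-empty findings list means the package should be dropped and logged rather than handed to the extractor; rejecting all link entries, not just those with escaping targets, matches the first fix Cloudflare applied.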

As soon as his crafted PoC hit the server, RyotaK was unexpectedly able to dump sensitive secrets such as GITHUB_REPO_API_KEY and WORKERS_KV_API_TOKEN into scripts served by the CDN at https://cdnjs.cloudflare.com/…

Image: The PoC output from the initial symlink provided the researcher with secret keys
Source: BleepingComputer

GITHUB_REPO_API_KEY is an API key that grants write permissions, allowing an attacker to alter any library on CDNJS, or even the cdnjs.com website itself!

The WORKERS_KV_API_TOKEN secret, on the other hand, could be used to manipulate the libraries present in the Cloudflare Workers KV cache.

“By combining these permissions, the core part of CDNJS, such as the CDNJS source data, the KV cache, and even the CDNJS website, could be completely tampered with,” explains the researcher.

Cloudflare issues many fixes to eliminate the bug

The researcher reported this vulnerability to Cloudflare through HackerOne’s vulnerability disclosure program on April 6, 2021, and saw the Cloudflare team apply an interim fix within hours.

The initial fix, seen by BleepingComputer, addresses the symbolic link vulnerability:

Image: Initial fix applied by Cloudflare CDNJS (GitHub)

However, because of the complexity of the CDNJS ecosystem, a series of more targeted fixes were applied to different repositories over the following weeks, according to the researcher.

RyotaK shared with BleepingComputer that while the first fix focused on rejecting symlinks in Git repositories, it addressed only part of the problem.

“They first tried to reject the symbolic links, but they realized that the current bot design is too dangerous. So they isolated the most dangerous features.”

“And for other functions, applied AppArmors,” the researcher told BleepingComputer in an email interview.

AppArmor (Application Armor) is a security feature that confines programs running in Unix-based environments with predefined profiles, so that a program cannot inadvertently exceed its intended scope of access.

The researcher also shared with BleepingComputer a number of fixes Cloudflare implemented to secure the automated bot that processes updated libraries:

Image: Cloudflare made various changes to CDNJS to resolve the bug

“While this vulnerability could be exploited without any special skills, it could affect many websites.”

“Since there are many vulnerabilities in the supply chain, which are easy to exploit but have a huge impact, I feel like it is very scary,” says RyotaK in his blog post.

As previously reported by Bleeping Computer, a Magecart supply chain attack that affected thousands of online stores was due to the compromise of Volusion’s CDN infrastructure.

The researcher praised Cloudflare’s swift incident response team, which rotated the leaked secrets within minutes of receiving his report and worked with him to study the PoC.

Bleeping Computer approached Cloudflare to find out if this vulnerability had been widely exploited.

A Cloudflare spokesperson told Bleeping Computer that the vulnerability has not been exploited and that they are grateful to the researcher for reporting the issue.

“As can be seen from the report, automated systems detected the [researcher’s] work and revoked credentials immediately.”

“The investigator informed us of the findings on April 6 and we fixed the problem within 24 hours.”

“Also, it’s important to note that we’ll see more and more researchers posting things like this, especially as we expand our rewards program and make it more public over time.”

“We are happy to see researchers do this kind of testing, and have them share it with us. We want to see more of that,” Cloudflare told BleepingComputer.

Update 1:47 pm ET: Added statement from Cloudflare.
