Cloudflare has fixed a critical vulnerability in its free and open source CDNJS that could affect 12.7% of all websites In Internet.
The vulnerability exploits comprised publishing packages to Cloudflare’s CDNJS using GitHub and npm, to trigger a Path Traversal vulnerability and ultimately remote code execution.
If exploited, the vulnerability would lead to a total compromise of the CDNJS infrastructure.
From “ZIP Slip” to remote code execution
This week, security researcher RyotaK explains how he was able to find a method to fully compromise Cloudflare’s CDNJS network while investigating supply chain attacks.
CDNs can become a target choice for adversaries as, if compromised, the attack can have far-reaching consequences for many websites, online stores, and their customers.
While looking at cdnjs.com, RyotaK noted that for libraries that did not yet exist on CDNJS, it might suggest adding a new library via CDNJS. GitHub repository.
After exploring this GitHub repository and the adjacent ones that together make the CDNJS ecosystem work, RyotaK discovered a way to trick servers into running arbitrary code.
These scripts would periodically update the CDNJS server with newer versions of the software libraries published by their authors in the corresponding npm registry.
In other words, for each library published to the CDNJS GitHub repository, its most recent version would be downloaded from the linked npm registry, and the author of the library would also keep the npm version.
RyotaK wondered what would happen if a library it had published on CDNJS had a corresponding npm version containing a Route crossing exploit.
Note that npm packages are published as TGZ files (.tar.gz) that can be easily created with hidden path exploits.
The researcher first published a test library called hey-sven to CDNJS using GitHub, and then started releasing new versions of “hey-sven” in the npm registry.
These distinct routes are nothing more than Path Traversal exploits hidden within ZIP / TGZ archives, a concept popularized in 2018 as “ZIP Slip”.
After the CDNJS servers processed the created “hey-sven” npm files, the content of these bash scripts would run on the server.
But, the researcher didn’t want to accidentally overwrite an existing script, so he first used a symbolic link vulnerability to read the contents of the file that you were about to overwrite, during this proof of concept (PoC).
“As Git supports symbolic links by default, it is possible to read arbitrary files from the update server of the cdnjs library by adding a symbolic link in the Git repository.”
“If the script file that runs regularly is overwritten to execute arbitrary commands, the automatic update function may fail, so I decided to check the arbitrary file for reading first,” said the researcher.
As soon as your created PoC hit the server, RyotaK was able to unexpectedly dump sensitive secrets like GITHUB_REPO_API_KEY and WORKERS_KV_API_TOKEN in scripts provided by the CDN at https: //cdnjs.cloudflare.com / …
GITHUB_REPO_API_KEY is an API key that grants write permissions, allowing an attacker to alter any library in the CDNJS, or alter the cdnjs.com website itself!
WORKERS_KV_API_TOKEN secret, on the other hand, could be used to manipulate the libraries present in the Cloudflare Workers cache.
“By combining these permissions, the core part of CDNJS, such as the CDNJS source data, the KV cache, and even the CDNJS website, could be completely tampered with. [with]”, Explains the researcher.
Cloudflare issues many fixes to eliminate the bug
The researcher reported this vulnerability to Cloudflare through HackerOne’s vulnerability disclosure program on April 6, 2021 and saw the Cloudflare team apply an intermittent fix within hours.
The initial solution seen by BleepingComputer aims to resolve the symbolic link vulnerability:
However, due to the complexity of the CDNJS ecosystem, a series of more specific arrangements were applied to different repositories over the next few weeks, according to the researcher.
RyotaK shared with Bleeping Computer that while the first solution focused on rejecting symbolic links (symbolic links) in Git repositories, it only fixed part of the problem.
“They first tried to reject the symbolic links, but they realized that the current bot design is too dangerous. So they isolated the most dangerous features.”
“And for other functions, applied AppArmors, “the researcher told BleepingComputer in an email interview.
Application Armor or AppArmor is a security feature that restricts the capabilities of programs running in Unix-based environments with predefined profiles so that programs do not inadvertently exceed their intended scope of access.
The researcher also shared a number of fixes with BleepingComputer implemented by Cloudflare to secure the automated bot that processes the updated libraries:
“While this vulnerability could be exploited without any special skills, it could affect many websites.”
“Since there are many vulnerabilities in the supply chain, which are easy to exploit but have a huge impact, I feel like it is very scary,” says RyotaK in his blog post.
As previously reported by Bleeping Computer, a Magecart supply chain attack that affected thousands of online stores was due to the compromise of Volusion’s CDN infrastructure.
The investigator praised Cloudflare’s swift incident response teams, who, within minutes of receiving the investigator’s report, rotated the leaked secrets and worked with him to study the PoC vulnerabilities.
Bleeping Computer approached Cloudflare to find out if this vulnerability had been widely exploited.
A Cloudflare spokesperson told Bleeping Computer that the vulnerability has not been exploited and that they are grateful to the researcher for reporting the issue.
“As can be seen from the report, automated systems detected the [researcher’s] work and revoke credentials immediately. “
“The investigator informed us of the findings on April 6 and we fixed the problem within 24 hours.”
“Also, it’s important to note that we’ll see more and more researchers posting things like this, especially as we expand our rewards program and make it more public over time.”
“We are happy to see researchers do this kind of testing, and have them share it with us. We want to see more of that,” Cloudflare told BleepingComputer.
Update 1:47 pm ET: Added statement from Cloudflare.