Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in CDNJS, its free JavaScript and CSS library CDN, which is used by 12.7% of all websites on the internet.
The weakness was an issue in the CDNJS library update server that could potentially have allowed an attacker to execute arbitrary commands on it, leading to a complete compromise of the service.
The vulnerability was discovered and reported by security researcher RyotaK on April 6, 2021. There is no evidence of in-the-wild attacks abusing this flaw.
Specifically, the attack works by publishing a package to GitHub or npm that CDNJS pulls from, using that package to trigger a path traversal in the update server, and ultimately tricking the server into executing attacker-supplied code, thus achieving remote code execution.
It is worth noting that the CDNJS infrastructure includes features to automate library updates: scripts run periodically on the server and download the relevant files from each library's user-managed Git repository or npm package registry entry, so the server routinely ingests content that is controlled by third parties.
By uncovering an issue with how this mechanism sanitizes package paths, RyotaK found that "arbitrary code can be executed after performing path traversal from the .tgz file published to npm and overwriting the script that is executed regularly on the server."
In other words, the attack is to publish a new version of a specially crafted package to the repository, which the CDNJS update server then picks up for publishing; because the entry names inside the package archive are not confined to the package's own directory, extracting it copies the contents of the malicious package into a regularly executed script file hosted on the server, thereby gaining arbitrary code execution the next time that script runs.
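As an added illustration (not code from the original article and not cdnjs's own code), the Go program below shows the extraction pattern behind a bug of this kind. A .tgz entry named `../../update.sh` is unpacked relative to the package directory by an extractor that trusts entry names, so it lands on a file that stands in for the server's scheduled script, while a confined extractor rejects the same entry before writing anything. The language is Go because the cdnjs tooling is written in Go; every path, file name and script body here is constructed for the demo and is not taken from cdnjs.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// BuildTarball makes an in-memory .tgz holding one regular file under the entry
// name the caller chooses; a hostile package ships a name like "../../update.sh".
func BuildTarball(name string, content []byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	hdr := &tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o755, Size: int64(len(content))}
	tw.WriteHeader(hdr) // tar.Writer keeps the first error and reports it from Close
	tw.Write(content)
	if err := tw.Close(); err != nil {
		panic(err) // only a malformed header can fail when writing to memory
	}
	gz.Close()
	return buf.Bytes()
}

// ExtractTarball unpacks the regular files in tgz under dest and returns the paths
// written. confine=false trusts entry names as-is (filepath.Join collapses "../"
// lexically but yields a path above dest: the bug class); confine=true refuses
// any entry whose target is not strictly inside dest.
func ExtractTarball(tgz []byte, dest string, confine bool) ([]string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return nil, err
	}
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(gz)
	var written []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories and symlinks are out of scope for this demo
		}
		target := filepath.Join(absDest, hdr.Name)
		if confine && !strings.HasPrefix(target, absDest+string(os.PathSeparator)) {
			return written, fmt.Errorf("tar entry %q escapes %s", hdr.Name, absDest)
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return written, err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		if err := os.WriteFile(target, data, os.FileMode(hdr.Mode)); err != nil {
			return written, err
		}
		written = append(written, target)
	}
}

// Demo builds a scratch layout (constructed for this example): root/update.sh stands
// in for the script the update server runs on a schedule and root/packages/evil is
// where a fetched package is unpacked. It reports whether the confined extractor
// refused the hostile entry and whether the naive extractor then overwrote the script.
func Demo() (safeRejected, unsafeOverwrote bool, err error) {
	root, err := os.MkdirTemp("", "cdnjs-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	script, dest := filepath.Join(root, "update.sh"), filepath.Join(root, "packages", "evil")
	original := []byte("#!/bin/sh\necho legitimate update\n")
	payload := []byte("#!/bin/sh\necho attacker code now runs on the update server\n")
	if err := os.WriteFile(script, original, 0o755); err != nil {
		return false, false, err
	}
	tgz := BuildTarball("../../update.sh", payload) // from root/packages/evil this lands on the script
	_, extractErr := ExtractTarball(tgz, dest, true)
	got, _ := os.ReadFile(script)
	safeRejected = extractErr != nil && bytes.Equal(got, original)
	if _, err := ExtractTarball(tgz, dest, false); err != nil {
		return safeRejected, false, err
	}
	got, _ = os.ReadFile(script)
	unsafeOverwrote = bytes.Equal(got, payload)
	return safeRejected, unsafeOverwrote, nil
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `true true <nil>`: the confined extractor refused the entry and left the script untouched, the naive one replaced it. The prefix check only covers the names of regular-file entries; a production extractor must also refuse or carefully handle symlink and hard-link entries (an earlier entry can create a symlink that later writes follow out of the directory) and absolute names, and the update pipeline should in any case run as an account that cannot write to the scripts it executes.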
"While this vulnerability could be exploited without any special skills, it could impact many websites," RyotaK said. "Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it's very scary."
This is not the first time the researcher has uncovered code execution flaws in the way updates to software repositories are handled. In April 2021, RyotaK disclosed a critical vulnerability in the official Homebrew Cask repository that could have been exploited by an attacker to execute arbitrary code on users' machines.