Fortunately, there is no evidence (so far) that cybercriminals have exploited the vulnerability. But the fact that this serious vulnerability was most likely present for quite some time is in itself alarming, to say nothing of the “what-if” scenarios.
The flaw could have allowed hackers to execute arbitrary commands and compromise the complete cdnjs library. It was a “path traversal vulnerability,” a flaw that allows attackers to retrieve arbitrary files from the server’s filesystem, in directories other than the one where the requested resource is located. Since many operating systems store critical information in standard locations (Unix-based systems, for example, keep the account list in “/etc/passwd”), hackers could guess the names of directories containing sensitive information that would allow them to take over a system.
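As an added illustration of the defensive check that blocks this class of flaw (not code from cdnjs, Cloudflare or RyotaK's write-up): a file-serving component resolves the client-supplied path against its base directory and refuses anything that would land outside it. The base directory and sample requests below are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed example base directory (hypothetical; not a real cdnjs path).
BASE_DIR = "/srv/cdnjs"


def resolve_within(base_dir: str, requested: str):
    """Return the absolute path for `requested` under base_dir, or None if it escapes.

    The request is percent-decoded once, so '%2e%2e' is treated like '..', then
    normalized with posixpath so every '..' is resolved *before* the prefix check.
    Absolute paths, NUL bytes and backslashes are refused outright. On a live
    filesystem, os.path.realpath() on the result would additionally resolve symlinks.
    """
    base = posixpath.normpath(base_dir)
    decoded = unquote(requested)
    if decoded.startswith("/") or "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate != base and not candidate.startswith(base + "/"):
        return None  # resolved outside the library tree: deny
    return candidate


# Constructed sample requests, in the shape a CDN's file handler would see.
SAMPLE_REQUESTS = [
    "ajax/libs/jquery/3.6.0/jquery.min.js",      # legitimate library file
    "ajax/libs/../libs/jquery/3.6.0/jquery.js",  # '..' that stays inside the tree
    "../../etc/passwd",                          # classic traversal, must be denied
    "ajax/%2e%2e/%2e%2e/etc/passwd",             # percent-encoded traversal, denied
    "/etc/passwd",                               # absolute path, denied
]


def triage(base_dir: str = BASE_DIR):
    """Return {request: resolved_path_or_None} for the constructed samples."""
    return {r: resolve_within(base_dir, r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, path in triage().items():
        print(f"{'ALLOW' if path else 'DENY':5} {req!r} -> {path}")
```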
The sheer magnitude of the “could-have-beens” is truly frightening. The exploit could have been launched by publishing packages to cdnjs via GitHub and npm. Since cdnjs uses an automated library update, the flaw could have propagated to every one of the millions of websites that rely on cdnjs.
The flaw was NOT discovered by GitHub or Cloudflare; instead, it was discovered by an independent researcher who blogs under the name “RyotaK.” The researcher participated in a Cloudflare-sponsored “Vulnerability Disclosure Program” on HackerOne, which allows white-hat hackers to conduct independent vulnerability assessments and report their findings to Cloudflare.
The vulnerability was out there for at least two months: RyotaK reported the flaw to Cloudflare on April 6, 2021, and although a secondary fix was applied the very next day, on April 7, the company did not apply a complete fix until June 3. In addition, when RyotaK demonstrated the vulnerability by exploiting it, GitHub recognized that there was an issue and sent an alert to Cloudflare. However, attackers who, unlike RyotaK, were concerned about avoiding detection might have been able to exploit the vulnerability in ways that would not have triggered alerts.
In cases where IT infrastructure contains, or spreads, vulnerabilities, it is very difficult for an individual company to protect itself. In this case, up to 12% of websites could have been compromised, perhaps themselves becoming distributors of malware to endpoints and networks via the web browsers of users unfortunate enough to visit a hacked website. Sites that had been “known good” based on reputational information, and hence allow-listed by SWGs (secure web gateways), could potentially have become very bad overnight.
Nearly two years ago, Gartner mentioned in its SWG Magic Quadrant report that some highly security-conscious organizations were starting to aggressively move to implement RBI technology to bolster their web security. Announcements like the recent one from Cloudflare support the wisdom of this strategy. The cdnjs vulnerability highlights the need to take a strong, multifaceted approach to cybersecurity.
One thing is for certain (along with death and taxes): Web-related vulnerabilities will always exist (in addition to those associated with web browsers themselves per Nick Kael’s recent blog on Chrome Zero Days). As such, network security professionals need to bring their “A-game” to web security. And website owners must make sure to keep tabs on their software supply chain providers and act rapidly and responsibly to apply patches to address the vulnerabilities that arise.