Remote Browser Isolation

Cloudflare Vulnerability Enabled Compromise of 12% of All Websites

Cloudflare recently disclosed a vulnerability that could have resulted in successful cyberattacks on the millions of websites (12.7% of ALL websites to be precise) that rely on JavaScript and CSS libraries found on cdnjs, an open-source content delivery network (CDN) hosted by the CDN service provider.

Fortunately, there is no evidence (so far) that cybercriminals have exploited the vulnerability. But the fact that this serious vulnerability was most likely present for quite some time is in itself alarming, to say nothing of the “what-if” scenarios.

cdnjs includes over 4,000 JavaScript and CSS libraries that software developers can access for free. The libraries are stored publicly on GitHub, a popular software development platform, and are hosted by Cloudflare.

The flaw could have allowed hackers to execute arbitrary commands and compromise the complete cdnjs library. It was a “path traversal vulnerability,” a flaw that allows attackers to retrieve arbitrary files from the server’s filesystem, in directories other than the one where the resource being accessed is located. Since many operating system store critical information in standard directories – for example Unix-based systems store passwords in “/etc/passwd” – hackers could guess the names of directories containing sensitive information that would allow them to take over a system.

The sheer magnitude of the “could-have-beens” is truly frightening. The exploit could have been launched by publishing packages to cdnjs via GitHub and npm. Since cdnjs uses an automated library update, the flaw could have propagated to every one of the millions of websites that rely on cdnjs.

The flaw was NOT discovered by GitHub or Cloudflare; instead, it was discovered by an independent researcher who blogs under the name “RyotaK.” The researcher participated in a Cloudflare-sponsored “Vulnerability Disclosure Program” on HackerOne, which allows white-hat hackers to conduct independent vulnerability assessments and report their findings to Cloudflare.

The vulnerability was out there for at least two months: RyotaK told Cloudflare about the flaw on April 6, 2021, and the company did not apply a complete fix until June 3, although a secondary fix was applied the very next day, on April 7. In addition, when RyotaK demonstrated the vulnerability by exploiting it, GitHub recognized that there was an issue and sent an alert to Cloudflare. However, hackers that, unlike RyotaK, were concerned with detection might have been able to exploit the vulnerability in ways that would not have triggered alerts.

In cases where IT infrastructure contains—or spreads–vulnerabilities, it is very difficult for an individual company to protect itself. In this case, up to 12% of websites could have been compromised, perhaps themselves becoming distributors of malware to endpoints and networks, via web browsers of users unfortunate enough to visit the hacked website. Sites that had been “known good” based on reputational information and hence allow-listed by SWGs (secure web gateways) could potentially have become very bad overnight.  

Some organizations, where the magnitude of just this sort of threat is well understood, have moved to adopt a web access strategy that we call “Full Isolation.” In this scenario, all web traffic of all users, regardless of each site’s risk profile, is browsed via a technology called Remote Browser Isolation (RBI). RBI protects endpoints and networks from malicious code embedded on websites by isolating all web content in a container located in the cloud. Only clean rendering data is streamed to the user’s standard endpoint browser, where they interact just as they would directly with the site. Since no web content comes onto the endpoint, any malware that may be hidden in CSS, JavaScript, or any other resource cannot compromise the user’s device (or the network it is attached to).

Nearly two years ago, Gartner mentioned in its SWG Magic Quadrant report that some highly security-conscious organizations were starting to aggressively move to implement RBI technology to bolster their web security. Announcements like the recent one from Cloudflare support the wisdom of this strategy. The cdnjs vulnerability highlights the need to take a strong, multifaceted approach to cybersecurity.

One thing is for certain (along with death and taxes): Web-related vulnerabilities will always exist (in addition to those associated with web browsers themselves per Nick Kael’s recent blog on Chrome Zero Days). As such, network security professionals need to bring their “A-game” to web security. And website owners must make sure to keep tabs on their software supply chain providers and act rapidly and responsibly to apply patches to address the vulnerabilities that arise.

Gerry Grealish

Gerry Grealish

Chief Marketing Officer | Ericom Software
Gerry is a security industry veteran, bringing over 20 years of Marketing and product experience in cybersecurity and related technologies. Responsible for marketing and business development, Gerry previously was at Symantec, where he was responsible for the go-to-market activities for the company’s Network Security portfolio. Prior to Symantec, Gerry was at Blue Coat, which he joined as part of Blue Coat’s acquisition of venture-backed CASB innovator, Perspecsys, where he was CMO.