RCE vulnerability in Cloudflare CDN could have allowed complete compromise of websites

Jessica Haworth

16 July 2021 at 14:09 UTC

Updated: 16 July 2021 at 14:22 UTC

Issue has now been patched

A vulnerability in a Cloudflare content delivery network could allow an attacker to take over a website

A remote code execution (RCE) vulnerability in a Cloudflare content delivery network service could allow an attacker to gain complete control over its customers’ websites.

The vulnerability is present in cdnjs, a JavaScript/CSS library CDN used by 12.7% of all websites on the internet.

It was discovered by researcher ‘RyotaK’, who disclosed the bug under Cloudflare’s vulnerability disclosure program.

In a blog post, RyotaK explained how the vulnerability could be exploited to achieve full takeover of cdnjs – allowing an attacker to “tamper [with] 12.7% of all websites on the internet once caches are expired”.

Attack mode

Users are able to request libraries that don’t yet exist in cdnjs, RyotaK found. In addition, he found that the repositories cdnjs/bot-ansible and cdnjs/tools include an auto-update script that enables the automatic retrieval of library updates.

He wrote: “After reading [the] codes of these two repositories, it turned out cdnjs/bot-ansible executes autoupdate command of cdnjs/tools in the cdnjs library update server periodically, to check updates of library from cdnjs/packages by downloading [the] npm package / Git repository.”

After studying cdnjs/bot-ansible, RyotaK found that some scripts were run regularly on the server and that any user running the autoupdate command had write permission to them, so he decided to try overwriting those files via path traversal.

He was able to perform path traversal and overwrite the script that is executed regularly on the server, allowing arbitrary code to be executed.
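The defensive counterpart to the attack described above, added here as an illustration and not taken from RyotaK’s write-up or from the cdnjs/tools code base: an auto-update job that unpacks third-party packages must refuse archive entries whose paths (or link targets) would land outside the intended library directory. The tarball, its entry names and the `package/` layout below are constructed for the example; the real cdnjs fix is not reproduced.

```python
import io
import tarfile
from pathlib import PurePosixPath


def is_safe_entry(name: str) -> bool:
    """Return True only if an archive entry path stays inside the extraction root.

    Rejects empty and absolute names, and any '..' sequence that climbs above
    the root at any point (e.g. 'a/../../b'). Purely lexical: no filesystem
    access, so it can run before anything is written to disk.
    """
    if not name or name.startswith("/"):
        return False
    depth = 0
    for part in PurePosixPath(name).parts:
        if part == "..":
            depth -= 1
            if depth < 0:          # climbed above the extraction root
                return False
        elif part not in ("", "."):
            depth += 1
    return True


def is_safe_member(member: tarfile.TarInfo) -> bool:
    """Apply is_safe_entry to a tar member, including symlink/hardlink targets."""
    if not is_safe_entry(member.name):
        return False
    if member.issym() or member.islnk():
        # A link target is interpreted relative to the link's own directory,
        # so check the combined path rather than the raw linkname.
        link_dir = PurePosixPath(member.name).parent
        target = member.linkname
        if not target.startswith("/"):
            target = str(link_dir / target)
        return is_safe_entry(target)
    if member.isdev() or member.isfifo():  # never materialise special files
        return False
    return True


def audit_tarball(data: bytes):
    """Split an in-memory .tar.gz into (accepted, rejected) member names."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            (accepted if is_safe_member(member) else rejected).append(member.name)
    return accepted, rejected


def build_sample_tarball() -> bytes:
    """Constructed sample: one legitimate file plus three entries that try to
    escape the library directory (a '..' traversal, an absolute path and a
    symlink pointing outside). File contents are placeholders."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("package/index.js", b"module.exports = {};\n")
        add_file("package/../../../../home/updater/autoupdate.sh", b"# placeholder\n")
        add_file("/etc/cron.d/updater", b"# placeholder\n")
        link = tarfile.TarInfo("package/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = audit_tarball(build_sample_tarball())
    print("accepted:", ok)
    print("rejected:", bad)
```

When extracting for real, pass only the vetted members (`tar.extractall(dest, members=[m for m in tar.getmembers() if is_safe_member(m)])`), and on Python 3.12 or a patched 3.8+ release also use `extractall(..., filter="data")`, which enforces similar rules inside the standard library. The point of the lexical check is that it runs before any write, so a hostile package can never reach a script that a scheduled job will later execute.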

Easy-to-abuse flaw affected ‘many’ websites

RyotaK demonstrated the vulnerability in the blog post, which contains a detailed technical explanation of the steps needed to achieve RCE.

“To be clear, I didn’t achieve code execution on their server,” he told The Daily Swig. “As the Cloudflare security team helped me to reproduce it, I didn’t have to overwrite actual files.”

RyotaK also warned that, while the exploit was “easy” to find and didn’t require any special skills, it could impact “many” websites.

“Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it’s very scary,” he said.

The researcher praised Cloudflare for its response to his disclosure, adding: “Their response was so fast and I feel they’re [a] great security team.”
