Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain.
The researcher demonstrated how an attacker could have altered any library served by CDNJS or taken down the entire CDN infrastructure in a software supply chain attack.
The npm package used by RyotaK is called hey-sven and has since been tracked by Sonatype under sonatype-2021-0829.
This particular vulnerability, however, could be exploited by anyone looking to publish a new library to CDNJS using GitHub or npm.
Adding a new library to CDN with a path traversal exploit
In case of Cloudflare's CDNJS, anyone could request to have a new package added to the CDN by submitting the package to Cloudflare's GitHub repository:
Image: CDNJS search page showing the option to add new libraries that do not yet exist on the network.
However, the author of this newly published library could choose to release subsequent versions of the library on the npm registry. And these would automatically be fetched by CDNJS' bots.
For example, RyotaK was able to successfully publish a test library "hey-sven" on CDNJS by first submitting the library to the CDN's GitHub repo, and subsequently releasing future versions on the corresponding npm account:
As confirmed by the Sonatype security research team, versions 1.0.1 and 1.0.2 of "hey-sven" that appeared on npm contained proof-of-concept Bash exploits:
For those curious about what's inside these Bash scripts, Sonatype security researcher Sebastián Castro took a quick peak at these and found benign text:
Image: contents of the bash scripts (Sonatype)
That's because, as RyotaK told me, this was a Proof of Concept (PoC) package that he had already given Cloudflare a heads-up about. Out of caution, the researcher has not yet released the functional exploit that disclosed the CDN's API keys (mentioned below).
The vulnerability works as follows: as soon as CDNJS fetches a new release from npm its automated bots would unpack (unzip) the new version of the library, published as an npm package. That's because npm packages are really TAR.GZ archives.
Consequently, if a path traversal or ZIP Slip vulnerability exists on the server, an attacker could read or overwrite existing files.
As soon as RyotaK's PoC package was retrieved from npm by CDNJS' automated bots, the CDN spilled out secret API keys at a URL where scripts are supposed to be served: https://cdnjs.cloudflare.com/... (complete URL redacted).
Output from an initial PoC provided the researcher with secret keys Source: BleepingComputer
- GITHUB_REPO_API_KEY obtained from this exploit comes with "write" permissions, and an attacker could have used it to virtually tamper with any library present on CDNJS or the CDN’s entire website.
- WORKERS_KV_API_TOKEN secret obtained could enable adversaries to purge or alter any libraries living in the caches of Cloudflare Workers.
The researcher explained, "by combining these permissions, the core part of CDNJS, such as the origin data of CDNJS, the KV cache, and even the CDNJS website, could be completely tampered [with]."
A potential software supply chain disaster thwarted
RyotaK responsibly reported the vulnerability to Cloudflare in April 2021 and worked with their security teams over the next few weeks. This action helped safeguard the sanctity of the CDNJS ecosystem and the wider software supply chain.
Despite this, CDNs remain an attractive target for adversaries as they host thousands of commonly used libraries in active use by millions of websites. Should even one popular library be altered by a malicious entity, there are big rewards for an attacker and major problems for CDN users.
For example, in 2019, Volusion CDN's compromise led to a Magecart supply chain attack against thousands of e-commerce websites relying on the network.
This latest incident serves as another reminder of how even decades-old vulnerabilities and exploits like path traversal or ZIP Slip can re-emerge. Should bad actors get their hands on them, the consequences are unimaginable.
The widespread adoption of open source continues to grow. With more and more enterprises taking the open source software route for both their products and the components they consume, so does the attack surface.