Issue has now been patched
A remote code execution (RCE) vulnerability in a Cloudflare content delivery network service could allow an attacker to gain complete control over its customer’s websites.
It was discovered by researcher ‘RyotaK’, who disclosed the bug under Cloudflare’s vulnerability disclosure program.
In a blog post, RyotaK explained how the vulnerability could be exploited to achieve full takeover of cdnjs – allowing an attacker to “tamper [with] 12.7% of all websites on the internet once caches are expired”.
Users are able to request libraries that don’t yet exist in cdnjs, RyotaK found. In addition, he found that the repositories cdnjs/bot-ansible and cdnjs/tools include an auto-update script that automatically retrieves library updates.
He wrote: “After reading [the] codes of these two repositories, it turned out cdnjs/bot-ansible executes autoupdate command of cdnjs/tools in the cdnjs library update server periodically, to check updates of library from cdnjs/packages by downloading [the] npm package / Git repository.”
After studying cdnjs/bot-ansible, RyotaK found that some scripts were run regularly and that any user that runs the autoupdate command had write permission to them. RyotaK therefore decided to try overwriting files via path traversal.
He was able to perform path traversal and overwrite the script that is executed regularly on the server, allowing arbitrary code to be executed.
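The defensive counterpart to the traversal step described above, as an added example that is not code from cdnjs/tools or from RyotaK’s write-up: a pre-extraction check, written in Go because cdnjs/tools is a Go project, that refuses any archive entry whose cleaned path would leave the library’s destination directory, and refuses symlinks and hardlinks outright. The destination directory, the entry names and the in-memory tarball are constructed sample values, not paths from the cdnjs update server.

```go
package main
import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"path/filepath"
	"strings"
)

// ErrEscapes flags an archive entry that would land outside the destination directory.
var ErrEscapes = errors.New("archive entry escapes destination directory")
// SafePath resolves an entry name under destDir; the cleaned result must stay inside it.
func SafePath(destDir, name string) (string, error) {
	root := filepath.Clean(destDir)
	target := filepath.Join(root, name) // Join cleans, so "../" segments resolve here
	if target != root && !strings.HasPrefix(target, root+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	return target, nil
}
// CheckTar scans a tarball before anything is written to disk and returns the first
// unsafe entry name, or "" when all are safe. Symlinks and hardlinks are refused too.
func CheckTar(data []byte, destDir string) (string, error) {
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return "", nil
		} else if err != nil {
			return "", err
		}
		if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
			return hdr.Name, ErrEscapes
		}
		if _, err := SafePath(destDir, hdr.Name); err != nil {
			return hdr.Name, err
		}
	}
}
// BuildTar assembles a constructed in-memory tarball of empty regular files (sample data).
func BuildTar(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0644, Typeflag: tar.TypeReg})
	}
	tw.Close()
	return buf.Bytes()
}
```

Running the check over the whole archive before extracting anything means a single malicious entry rejects the package rather than leaving partially written files behind.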
Easy-to-abuse flaw affected ‘many’ websites
RyotaK demonstrated the vulnerability in the blog post, which contains a detailed technical explanation of the steps needed to achieve RCE.
“To be clear, I didn’t achieve code execution on their server,” he told The Daily Swig. “As the Cloudflare security team helped me to reproduce it, I didn’t have to overwrite actual files.”
RyotaK also warned that, while the exploit was “easy” to find and didn’t require any special skills, it could impact “many” websites.
“Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it’s very scary,” he said.
The researcher praised Cloudflare for their response to his disclosure, adding: “Their response was so fast and I feel they’re [a] great security team.”