Cloudflare Vulnerability Enabled Compromise of 12% of All Websites


Cloudflare recently revealed a vulnerability that could have resulted in successful cyberattacks on millions of websites (12.7% of ALL websites, to be precise) that rely on the JavaScript and CSS libraries found on cdnjs, an open-source content delivery network (CDN) hosted by the CDN service provider.

Fortunately, there is no evidence (so far) that cybercriminals have exploited the vulnerability. But the fact that this serious vulnerability has most likely been present for some time is in itself alarming, let alone the “what if” scenarios.

cdnjs includes over 4000 JavaScript and CSS libraries that software developers can access free of charge. Libraries are publicly stored on GitHub, a popular software development platform, and are hosted by Cloudflare.

The flaw could have allowed hackers to execute arbitrary commands and compromise the entire cdnjs library. This was a “path traversal vulnerability”, a flaw that allows attackers to retrieve arbitrary files from the server’s file system, in directories other than the one where the resource being accessed is located. Since many operating systems store critical information in standard directories – for example, Unix-based systems store passwords in “/etc/passwd” – hackers might guess the names of directories containing sensitive information that would allow them to take control of a system.

The sheer magnitude of the “could have been” is truly frightening. The exploit could have been initiated by publishing packages to cdnjs via GitHub and npm. Since cdnjs uses an automated library update, the flaw could have spread to any of the millions of websites that rely on cdnjs.
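The kind of check that stops a path traversal when an automated updater unpacks a published package, as an added example (not code from cdnjs, Cloudflare or the original post). That the updater handles a tar archive, the destination directory and all function names are assumptions; the archive is constructed in memory.

```python
import io
import posixpath
import tarfile

def build_sample_archive() -> bytes:
    """Constructed sample: one normal entry, two traversal entries, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("package/dist/lib.min.js", "package/../../outside.txt", "/etc/passwd"):
            data = b"// constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("package/dist/link.js")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside.txt"
        tar.addfile(link)
    return buf.getvalue()

def _inside(root: str, path: str) -> bool:
    """True if root/path, after collapsing '..' and absolute parts, stays under root."""
    full = posixpath.normpath(posixpath.join(root, path))
    return full == root or full.startswith(root + "/")

def audit_archive(blob: bytes, dest: str):
    """Split entry names into (accepted, rejected) before anything is written to disk."""
    root = posixpath.normpath(dest)
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar.getmembers():
            ok = _inside(root, m.name)
            if ok and m.issym():
                # A symlink target is resolved relative to the link's own directory.
                ok = _inside(root, posixpath.join(posixpath.dirname(m.name), m.linkname))
            elif ok and m.islnk():
                # A hard-link target is relative to the archive root.
                ok = _inside(root, m.linkname)
            (accepted if ok else rejected).append(m.name)
    return accepted, rejected

if __name__ == "__main__":
    # Hypothetical destination directory for one library's files.
    good, bad = audit_archive(build_sample_archive(), "/srv/libs/example")
    print("accepted:", good)
    print("rejected:", bad)
```

Only entries in the accepted list should ever be written; a single rejected entry is a reasonable trigger to discard the whole package and raise an alert.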

The flaw was NOT discovered by GitHub or Cloudflare; instead, it was discovered by an independent researcher who blogs under the name “RyotaK”. The researcher participated in a Cloudflare-sponsored “vulnerability disclosure program” on HackerOne, which allows hackers to conduct independent vulnerability assessments and report their findings to Cloudflare.

The vulnerability had been there for at least two months: RyotaK notified Cloudflare of the flaw on April 6, 2021, and the company did not apply a full patch until June 3, although a secondary patch was applied the next day, April 7. Additionally, when RyotaK demonstrated the vulnerability by exploiting it, GitHub recognized that there was an issue and sent an alert to Cloudflare. However, hackers who, unlike RyotaK, were concerned about detection could have exploited the vulnerability in a way that would not have raised alerts.

In cases where the IT infrastructure contains or propagates vulnerabilities, it is very difficult for an individual business to protect itself. In this case, up to 12% of websites could have been compromised, perhaps becoming distributors of malware to endpoints and networks themselves, through the web browsers of users unlucky enough to visit the hacked website. Sites that were “known” on the basis of reputation information and therefore authorized by SWGs (Secure Web Gateways) could potentially have become very bad overnight.

Some organizations, where the magnitude of this type of threat is well understood, have adopted a web access strategy that we call “Total Isolation.” In this scenario, all web traffic for all users, regardless of the risk profile of each site, is browsed through a technology called Remote Browser Isolation (RBI). RBI protects endpoints and networks from malicious code embedded in websites by isolating all web content in a container located in the cloud. Only clean render data is passed to the user’s standard endpoint browser, where the user interacts with it as they would directly with the site. Since no web content arrives at the endpoint, no malware that may be hidden in CSS, JavaScript, or any other resource can compromise the user’s device (or the network they are connected to).

Almost two years ago, Gartner mentioned in its SWG Magic Quadrant report that some very security-conscious organizations have completely replaced their SWGs with RBI technology. Announcements like Cloudflare’s recent one support the wisdom of this strategy. The cdnjs vulnerability highlights the need for a strong and multifaceted approach to cybersecurity.

One thing’s for sure (along with death and taxes): Web-related vulnerabilities will always exist (in addition to those associated with web browsers themselves, according to Nick Kael’s recent blog post on Chrome Zero Days). As such, network security professionals need to bring their “A-game” to web security. And website owners should make sure to keep an eye on their software supply chain vendors and act quickly and responsibly to patch any vulnerabilities that arise.

The post Cloudflare Vulnerability Enabled Compromise of 12% of All Websites appeared first on Ericom Blog.

*** This is a syndicated Security Bloggers Network blog from Ericom Blog written by GERRY GREALISH. Read the original post at: https://blog.ericom.com/cloudflare-vulnerability-enabled-compromise-of-12-of-all-websites/?utm_source=rss&utm_medium=rss&utm_campaign=cloudflare-vulnerability-enabled-compromise-of -12-of-all-sites

