RCE in Cdnjs and What It Means to You

Francesco Altomare, Southern Europe Regional Manager @ GlobalDots
3 Min read

Last week, a researcher named RyotaK disclosed a clever supply chain vulnerability in Cloudflare's highly popular hosted library service cdnjs, which serves around 12% of all sites on the web. The service lets developers pull in popular packages and integrate them safely into their sites.

The vulnerability was in the cdnjs library update server. It could have led to remote code execution on Cloudflare's own servers, and to malicious code being planted in the hosted scripts that all end users consume. Such code bypasses WAFs and any other server-side filtering, because it runs directly in the browser.


You can read a detailed description of the vulnerability here.

How 3rd party scripts facilitate supply-chain attacks

Third-party scripts are extremely common today, and most sites use them. In this case, an attacker could have used a supply-chain attack to modify third-party scripts. In other cases, such as Magecart, an attacker modified the script directly and injected code into end users' browsers.

Third-party scripts (chat features, accessibility features, tracking and many more) usually make their way onto your web asset via a "tag manager". Tag managers integrate complex JavaScript into your website code quickly, without integration effort, but also with essentially no security controls. You might not be aware of the vulnerabilities this creates, but those scripts are popular targets for malicious actors: once they compromise one, they eventually compromise a large number of sites.

Take the Magecart third-party JavaScript attack on British Airways back in 2018. The attackers hacked BA's payment form through a compromised third-party JavaScript vendor. The script they injected was simple, just 22 lines of code. It acted as a digital card skimmer and directed some 420,000 users to a fraudulent website, where their PII was harvested over 15 days.

In a different but related case, hundreds of thousands of Israeli websites were defaced in a 2019 fourth-party attack. Attackers compromised the accessibility add-on "Nagish" through its hosting company and changed its DNS record. The code injected into the Nagish JavaScript was then able to deface those websites.

Essentially, the cause and effect in both cases are the same: blindly running untrusted code in your end users' browsers.

How to minimize your attack surface

DIY solutions

These require some legwork, but are freely available:

  1. Use Subresource Integrity (SRI) hashes for all external content, and demand them from your third-party script vendor. You can also generate your own with openssl or the SRI Hash Generator.
  2. Collect CSP reports, whitelist your third parties and enforce a strict hash/nonce-based CSP: https://web.dev/strict-csp/
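As an added example (not from the original post or from GlobalDots), the Python below computes SRI tokens as in item 1, checks a script body against an integrity attribute using the browser's strongest-algorithm rule, and builds the nonce-based strict CSP header from item 2. The script bytes, the CDN URL and the /csp-report endpoint are constructed for illustration.

```python
import base64
import hashlib
import secrets

# Constructed sample: a vendor script as reviewed, and a modified copy such as a
# compromised CDN or vendor could serve instead (hypothetical, not real code).
ORIGINAL_SCRIPT = b"document.body.insertAdjacentHTML('beforeend', '<div id=chat></div>');\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* a single added byte changes the digest */\n"

ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """SRI token 'sha384-<base64 digest>', equivalent to
    `openssl dgst -sha384 -binary widget.js | openssl base64 -A`."""
    return f"{algo}-{base64.b64encode(ALGOS[algo](content).digest()).decode('ascii')}"

def sri_matches(content: bytes, integrity: str) -> bool:
    """Check bytes against an integrity attribute the way browsers do: keep only the
    tokens using the strongest listed algorithm and pass if any of them matches.
    Caveat: an attribute with no parseable token is ignored (fail-open), so a typo
    in the algorithm name silently disables the check."""
    parsed = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in ALGOS and digest:
            parsed.append((algo, digest.split("?", 1)[0]))  # strip "?options"
    if not parsed:
        return True
    strongest = max(STRENGTH[a] for a, _ in parsed)
    return any(STRENGTH[a] == strongest and sri_hash(content, a) == f"{a}-{d}"
               for a, d in parsed)

def script_tag(src: str, reviewed_content: bytes) -> str:
    """Tag to embed: integrity pins the reviewed bytes; crossorigin="anonymous" is
    required, otherwise the browser cannot verify a cross-origin response."""
    return (f'<script src="{src}" integrity="{sri_hash(reviewed_content)}" '
            'crossorigin="anonymous"></script>')

def strict_csp_header(nonce: str = "") -> tuple:
    """Nonce-based strict CSP (web.dev/strict-csp): generate a fresh nonce per
    response and put it on every <script> tag you intend to run."""
    nonce = nonce or secrets.token_urlsafe(16)
    header = (f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
              "object-src 'none'; base-uri 'none'; report-uri /csp-report")
    return nonce, header
```

Pinning with `sri_hash(ORIGINAL_SCRIPT)` makes `sri_matches(TAMPERED_SCRIPT, ...)` return False, which is exactly the case a compromised update server would trigger.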

Managed Solutions

At GlobalDots, we're in a unique position to offer holistic web security solutions that prevent and intercept supply chain attacks, as well as other forms of web-borne attacks. Our solutions offer autonomous monitoring, detection and prevention of client-side attacks.

While solutions differ in their modus operandi, the end result is the same: they let you monitor your end users' requests and permissions, how your third-party scripts run, and what they are and are not allowed to do, with deployment in under a day.

Your ideal solution depends on your business and risk profile. It’s our job to analyze them, implement the best choice, and configure it for utmost protection and flexibility at work.

Contact us for effortless, worry-free security of your web assets.
