Denial of service vulnerability discovered in libraries used by GitHub and others
Unlike breaches targeting sensitive data or ransomware attacks, denial of service (DoS) exploits aim to take down services and make them wholly inaccessible.
Several such attacks have occurred in recent memory; last June, for instance, Google blocked what at that point was the largest distributed denial of service (DDoS) attack in history. Akamai then broke that record in September when it detected and mitigated an assault in Europe.
In a recent development, Legit Security today announced its discovery of an easy-to-exploit DoS vulnerability in markdown libraries used by GitHub, GitLab and other applications, including the popular markdown rendering library commonmarker.
“Imagine taking down GitHub for some time,” said Liav Caspi, cofounder and CTO of the software supply chain security platform. “This could be a major global disruption and shut down most software development shops. The impact would likely be unprecedented.”
GitHub, which did not respond to requests for comment by VentureBeat, has posted a formal acknowledgement and fix.
Denial of service aim: Disruption
Both DoS and DDoS overload a server or web app with an aim to interrupt services.
As Fortinet describes it, DoS does this by flooding a server with traffic and making a website or resource unavailable; DDoS uses multiple computers or machines to flood a targeted resource.
And, there’s no question that they are on the rise — steeply, in fact. Cisco noted a 776% year-over-year growth in attacks of 100 to 400 gigabits per second between 2018 and 2019. The company estimates that the total number of DDoS attacks will double from 7.9 million in 2018 to 15.4 million this year.
But although DDoS attacks aren’t always intended to score sensitive data or hefty ransom payouts, they nonetheless are costly. Per Gartner research, the average cost of IT downtime is $5,600 per minute. Depending on organization size, the cost of downtime can range from $140,000 to as much as $5 million per hour.
And, with so many apps incorporating open-source code — a whopping 97% by one estimate — organizations don’t have full visibility of their security posture and potential gaps and vulnerabilities.
Indeed, open-source libraries are “ubiquitous” in modern software development, said Caspi — so when vulnerabilities emerge, they can be very difficult to track due to uncontrolled copies of the original vulnerable code. When a library becomes popular and widespread, a vulnerability could potentially enable an attack on countless projects.
“Those attacks can include disruption of critical business services,” said Caspi, “such as crippling the software supply chain and the ability to release new business applications.”
As Caspi explained, markdown is a way of creating formatted text with a plain-text editor, and it is commonly found in software development tools and environments. A wide range of applications and projects implement these popular open-source markdown libraries, such as GitHub’s own popular variant, GitHub Flavored Markdown (GFM).
A copy of the vulnerable GFM implementation was found in commonmarker, the popular Ruby package implementing markdown support, which has more than 1 million dependent repositories. Dubbed “MarkDownTime,” the vulnerability allows an attacker to mount a simple DoS attack that would shut down digital business services by disrupting application development pipelines, said Caspi.
Legit Security researchers found that it was simple to trigger unbounded resource exhaustion leading to a DoS attack. Any product that can read and display markdown (*.md files) and uses a vulnerable library can be targeted, he explained.
“In some cases, an attacker can continuously utilize this vulnerability to keep the service down until it is entirely blocked,” said Caspi.
He explained that Legit Security’s research team was looking into vulnerabilities in GitHub and GitLab as part of its ongoing software supply chain security research. They have disclosed the security issue to the commonmarker maintainer, as well as to both GitHub and GitLab.
“All of them have fixed the issues, but many more copies of this markdown implementation have been deployed and are in use,” said Caspi.
As such, “precaution and mitigation measures should be employed.”
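As one such precaution, the rendering path itself can be bounded so that a pathological markdown document fails fast instead of exhausting the process. The following is an added example, not code from the article, Legit Security or the commonmarker project; the size and time limits are assumed policy values, and the renderer is injected as a lambda so the guard works with any markdown library (an app using commonmarker would pass something like `->(md) { CommonMarker.render_html(md, :DEFAULT) }`).

```ruby
require "timeout"

# Assumed policy values for this example: reject inputs over 256 KiB and
# abandon any render that runs longer than 2 seconds.
MAX_MARKDOWN_BYTES = 256 * 1024
RENDER_TIMEOUT_SECS = 2.0

class MarkdownTooLarge < StandardError; end
class MarkdownRenderTimeout < StandardError; end

# Render markdown with a hard input-size cap and a wall-clock timeout.
# render_fn is the application's existing renderer (hypothetical here),
# injected so this file runs without any markdown gem installed.
def render_markdown_bounded(markdown, render_fn,
                            max_bytes: MAX_MARKDOWN_BYTES,
                            timeout: RENDER_TIMEOUT_SECS)
  if markdown.bytesize > max_bytes
    raise MarkdownTooLarge, "#{markdown.bytesize} bytes exceeds #{max_bytes}"
  end
  # Timeout.timeout raises the given exception class if the block overruns.
  Timeout.timeout(timeout, MarkdownRenderTimeout) { render_fn.call(markdown) }
end

# Turn the outcome into a status a monitoring pipeline can count on:
# repeated :timeout or :rejected_size results from one source are the
# signal a defender should alert on.
def render_outcome(markdown, render_fn, **opts)
  html = render_markdown_bounded(markdown, render_fn, **opts)
  { status: :ok, html: html }
rescue MarkdownTooLarge => e
  { status: :rejected_size, error: e.message }
rescue MarkdownRenderTimeout => e
  { status: :timeout, error: e.message }
end

# Constructed stand-in renderers for demonstration: one that returns
# promptly and one that simulates a renderer stuck on pathological input.
FAST_RENDER = ->(md) { "<p>#{md.strip}</p>" }
STUCK_RENDER = ->(_md) { sleep 10; "<p>never</p>" }

if __FILE__ == $PROGRAM_NAME
  p render_outcome("hello *world*", FAST_RENDER)
  p render_outcome("#" * 300, FAST_RENDER, max_bytes: 100)
  p render_outcome("x", STUCK_RENDER, timeout: 0.2)
end
```

The timeout bounds wall-clock time only; memory growth inside the renderer still needs a process-level limit (for example a container memory cap) alongside the library upgrade the article recommends.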
Strong controls, visibility
To protect themselves against this vulnerability, organizations should upgrade to a safer version of the markdown library and upgrade any vulnerable product like GitLab to the newest version, Caspi advised.
And, generally speaking, when it comes to guarding against software supply chain attacks, organizations should have better security controls over the third-party software libraries they use. Protection also involves continuously checking for known vulnerabilities, then upgrading to safer versions.
Also, the reputation and popularity of open-source software should be considered — in particular, avoid unmaintained or low-reputable software. And, always keep SDLC systems like GitLab up to date and securely configured, said Caspi.