Unlike sensitive data breaches or ransomware attacks, denial of service (DoS) exploits aim to disable services and make them completely inaccessible.
Several such attacks have occurred in recent history; last June, for example, Google blocked what was at the time the largest distributed denial of service (DDoS) attack on record. Akamai then broke that record in September when it detected and mitigated an attack in Europe.
In a recent development, Legit Security today announced the discovery of an easily exploitable DoS vulnerability in markdown libraries used by GitHub, GitLab and other applications, reached through a popular markdown rendering package called commonmarker.
“Imagine taking GitHub down for a while,” said Liav Caspi, co-founder and CTO of the software supply chain security platform. “This could be a major global disruption and close most software development shops. The impact would probably be unprecedented.”
GitHub, which did not respond to requests for comment from VentureBeat, has published a formal confirmation and fix.
Denial of service target: Disruption
Both DoS and DDoS attacks overload a server or web app for the purpose of interrupting services.
As Fortinet describes, DoS does this by flooding a server with traffic and making a website or resource unavailable; DDoS uses multiple computers or machines to flood a targeted resource.
And there’s no doubt they’re on the rise — steeply, even. Cisco noted a 776% year-over-year growth in attacks from 100 to 400 gigabits per second between 2018 and 2019. The company estimates that the total number of DDoS attacks will double from 7.9 million in 2018 to 15.4 million this year.
But while DDoS attacks are not always intended to score sensitive data or hefty ransom payments, they are nevertheless costly. Per Gartner research, the average cost of IT downtime is $5,600 per minute. Depending on the size of the organization, the cost of downtime can range from $140,000 to as much as $5 million per hour.
And with so many apps containing open-source code – a whopping 97% by one estimate – organizations lack full visibility of their security posture and potential gaps and vulnerabilities.
Indeed, open-source libraries are “ubiquitous” in modern software development, Caspi said — so when vulnerabilities emerge, they can be very difficult to trace due to unverified copies of the original vulnerable code. When a library becomes popular and widespread, a vulnerability can allow an attack on countless projects.
“Those attacks could include disruption of critical business services,” says Caspi, “such as crippling the software supply chain and the ability to release new business applications.”
Vulnerability exposed
As Caspi explained, markdown is a way of writing formatted text in a plain text editor, and it is commonly found in software development tools and environments. A wide variety of applications and projects implement these popular open-source markdown libraries, including the variant used in GitHub’s implementation, called GitHub Flavored Markdown (GFM).
A copy of the vulnerable GFM implementation was found in commonmarker, the popular Ruby package that implements markdown support. (It has over 1 million dependent repositories.) Dubbed “MarkDownTime,” the flaw allows an attacker to launch a simple DoS attack that could shut down enterprise digital services by disrupting application development pipelines, Caspi said.
Legit Security researchers discovered that it was easy to cause unlimited resource exhaustion, leading to a DoS attack. Any product that can read and display markdown (*.md files) and uses a vulnerable library could be targeted, he explained.
“In some cases, an attacker could continuously use this vulnerability to keep the service down until it is completely blocked,” said Caspi.
He explained that the Legit Security research team was investigating vulnerabilities in GitHub and GitLab as part of its ongoing investigation into software supply chain security. They disclosed the vulnerability to the commonmarker maintainer, as well as both GitHub and GitLab.
“They all fixed the issues, but many more instances of this markdown implementation have been implemented and are in use,” said Caspi.
As such, “precautionary and mitigating measures must be taken.”
Strong controls, visibility
To protect themselves against this vulnerability, organizations should upgrade to a more secure version of the markdown library and upgrade any vulnerable product such as GitLab to the latest version, Caspi advised.
And when it comes to protecting against attacks on the software supply chain, organizations should generally have better security controls over the third-party software libraries they use. Protection also includes continuously checking for known vulnerabilities and then upgrading to more secure versions.
The reputation and popularity of open source software should also be considered – in particular, avoid unmaintained or low-reputation software. And always keep SDLC systems like GitLab up to date and securely configured, Caspi said.
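The two defensive points above, bounding the resources a markdown render may consume and checking that the pinned library version is one you consider safe, can be made concrete in a few lines of Ruby. The following is an added example, not code from Legit Security, GitHub or the commonmarker project. It assumes a size cap and time budget chosen for illustration, takes the actual renderer as a callable (so it runs here with a stand-in instead of the real gem), and uses a placeholder minimum version because the article does not state which commonmarker release contains the fix.

```ruby
require "timeout"

# Defensive wrapper for rendering markdown that comes from untrusted sources
# (issues, pull requests, README uploads). Two controls apply before and during
# the render: an input size cap and a wall-clock budget. Values are assumptions
# chosen for illustration; tune them to the service.
MAX_MARKDOWN_BYTES = 64 * 1024
RENDER_TIMEOUT_SECONDS = 2.0

class MarkdownRejected < StandardError; end

# render_fn is any callable that turns markdown text into HTML. In production
# it would wrap the real commonmarker call; the stand-ins used below let the
# example run without the gem installed.
def render_untrusted_markdown(text, render_fn,
                              max_bytes: MAX_MARKDOWN_BYTES,
                              timeout: RENDER_TIMEOUT_SECONDS)
  if text.bytesize > max_bytes
    raise MarkdownRejected, "input too large (#{text.bytesize} bytes)"
  end
  # A render that runs past its budget is abandoned instead of tying up the
  # worker, which is the resource-exhaustion pattern the article describes.
  Timeout.timeout(timeout) { render_fn.call(text) }
rescue Timeout::Error
  raise MarkdownRejected, "render exceeded #{timeout}s budget"
end

# Minimal lockfile check for the "keep the library current" advice.
# PLACEHOLDER: the article does not give the fixed version, so take the real
# minimum from the commonmarker advisory.
MINIMUM_SAFE_COMMONMARKER = "0.0.0"

# Gemfile.lock lists resolved gems under "specs:" indented by four spaces,
# e.g. "    commonmarker (0.23.4)". Returns the pinned version or nil.
def pinned_gem_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  m && m[1]
end

def commonmarker_pin_ok?(lockfile_text, minimum: MINIMUM_SAFE_COMMONMARKER)
  v = pinned_gem_version(lockfile_text, "commonmarker")
  return false if v.nil?
  Gem::Version.new(v) >= Gem::Version.new(minimum)
end

# Constructed sample lockfile fragment for the demonstration.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      commonmarker (0.23.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  fast = ->(t) { "<p>#{t}</p>" }          # stand-in for a healthy renderer
  slow = ->(t) { sleep 5; "<p>#{t}</p>" } # stand-in for a pathological render
  puts render_untrusted_markdown("hello", fast)
  begin
    render_untrusted_markdown("hello", slow, timeout: 0.2)
  rescue MarkdownRejected => e
    puts "rejected: #{e.message}"
  end
  puts "pinned commonmarker: #{pinned_gem_version(SAMPLE_LOCKFILE, 'commonmarker')}"
  puts "pin ok against placeholder minimum? #{commonmarker_pin_ok?(SAMPLE_LOCKFILE)}"
end
```

The timeout is a backstop, not a substitute for upgrading: it limits how long one request can hold a worker, but an upgraded library removes the pathological behaviour altogether. The lockfile check belongs in CI so a downgrade or a stale pin fails the build rather than reaching production.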