{"id":598665,"date":"2023-01-18T06:50:03","date_gmt":"2023-01-18T12:50:03","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/01\/18\/denial-of-service-vulnerability-discovered-in-libraries-used-by-github-and-others\/"},"modified":"2023-01-18T06:50:03","modified_gmt":"2023-01-18T12:50:03","slug":"denial-of-service-vulnerability-discovered-in-libraries-used-by-github-and-others","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/01\/18\/denial-of-service-vulnerability-discovered-in-libraries-used-by-github-and-others\/","title":{"rendered":"Denial of service vulnerability discovered in libraries used by GitHub and others"},"content":{"rendered":"<p>Unlike breaches targeting sensitive data or ransomware attacks, denial of service (DoS) exploits aim to take down services and make them wholly inaccessible.\u00a0<\/p>\n<p>Several such attacks have occurred in recent memory; last June, for instance, Google <a href=\"https:\/\/cloud.google.com\/blog\/products\/identity-security\/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps\" target=\"_blank\" rel=\"noreferrer noopener\">blocked<\/a> what was at that point the largest <a href=\"https:\/\/venturebeat.com\/security\/report-62-of-retailers-cybersecurity-incidents-come-from-automated-threats\/\">distributed denial of service (DDoS)<\/a> attack in history, peaking at 46 million requests per second. 
<a href=\"https:\/\/www.akamai.com\/blog\/security\/record-breaking-ddos-attack-in-europe\" target=\"_blank\" rel=\"noreferrer noopener\">Akamai<\/a> then broke that record in September when it detected and mitigated an attack in Europe.\u00a0<\/p>\n<p>In a recent development, <a href=\"https:\/\/www.legitsecurity.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Legit Security<\/a> today announced its discovery of an easy-to-exploit DoS vulnerability in the markdown libraries used by GitHub, GitLab and other applications, including the popular Ruby markdown rendering package commonmarker.<\/p>\n<p>\u201cImagine taking down GitHub for some time,\u201d said Liav Caspi, cofounder and CTO of the <a href=\"https:\/\/venturebeat.com\/security\/the-software-supply-chain-new-threats-call-for-new-security-measures\/\">software supply chain security<\/a> platform. \u201cThis could be a major global disruption and shut down most software development shops. The impact would likely be unprecedented.\u201d<\/p>\n<div>\n<p>GitHub, which did not respond to requests for comment by VentureBeat, has posted a formal acknowledgement and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-39209\" target=\"_blank\" rel=\"noreferrer noopener\">fix<\/a>, tracked as CVE-2022-39209.\u00a0<\/p>\n<h2 id=\"h-denial-of-service-aim-disruption\">Denial of service aim: Disruption<\/h2>\n<p>Both <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/tips\/ST04-015\" target=\"_blank\" rel=\"noreferrer noopener\">DoS<\/a> and DDoS overload a server or web app with the aim of interrupting services.\u00a0<\/p>\n<p>As <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/dos-vs-ddos\" target=\"_blank\" rel=\"noreferrer noopener\">Fortinet<\/a> describes it, DoS does this by flooding a server with traffic and making a website or resource unavailable; DDoS uses multiple computers or machines to flood a targeted resource. The commonmarker flaw differs in kind from these volumetric attacks: no flood is needed, because a single crafted markdown document makes the rendering library itself consume unbounded processing resources.<\/p>\n<p>And there\u2019s no question that they are on the rise \u2014 steeply, in fact. <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/solutions\/collateral\/executive-perspectives\/annual-internet-report\/white-paper-c11-741490.html\" target=\"_blank\" rel=\"noreferrer noopener\">Cisco noted<\/a> a 776% year-over-year growth in attacks of 100 to 400 gigabits per second between 2018 and 2019. The company estimates that the total number of DDoS attacks will double from 7.9 million in 2018 to 15.4 million this year.\u00a0<\/p>\n<p>But although DDoS attacks aren\u2019t always intended to score sensitive data or hefty ransom payouts, they nonetheless are costly. 
Per <a href=\"https:\/\/blogs.gartner.com\/andrew-lerner\/2014\/07\/16\/the-cost-of-downtime\/\" target=\"_blank\" rel=\"noreferrer noopener\">Gartner<\/a> research (a 2014 estimate), the average cost of IT downtime is $5,600 per minute. Depending on organization size, the cost of downtime can range from $140,000 to as much as $5 million per hour.<\/p>\n<p>And, with so many apps incorporating open-source code \u2014 97% by <a href=\"https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html?intcmp=sig-blog-ossra22\" target=\"_blank\" rel=\"noreferrer noopener\">one estimate<\/a> \u2014 organizations don\u2019t have full visibility of their security posture and potential gaps and vulnerabilities.\u00a0<\/p>\n<p>Indeed, open-source libraries are \u201cubiquitous\u201d in modern software development, said Caspi \u2014 so when vulnerabilities emerge, they can be very difficult to track because of uncontrolled copies of the original vulnerable code. When a library becomes popular and widespread, a single vulnerability can expose countless projects.\u00a0<\/p>\n<p>\u201cThose attacks can include disruption of critical business services,\u201d said Caspi, \u201csuch as crippling the software supply chain and the ability to release new business applications.\u201d<\/p>\n<h2 id=\"h-vulnerability-uncovered\">Vulnerability uncovered<\/h2>\n<p>Markdown is a lightweight syntax for writing formatted text in a plain-text editor, and it is used throughout software development tools and environments. A wide range of applications and projects rely on open-source markdown libraries, among them GitHub\u2019s implementation of its own dialect, GitHub Flavored Markdown (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Markdown#GitHub_Flavored_Markdown\" target=\"_blank\" rel=\"noreferrer noopener\">GFM<\/a>). 
<\/p>\n<p>A copy of the vulnerable GFM implementation was found in <a href=\"https:\/\/rubygems.org\/gems\/commonmarker\" target=\"_blank\" rel=\"noreferrer noopener\">commonmarker<\/a>, the popular Ruby package that bundles GitHub\u2019s GFM implementation to provide markdown support. (It has more than 1 million <a href=\"https:\/\/github.com\/gjtorikian\/commonmarker\/network\/dependents\" target=\"_blank\" rel=\"noreferrer noopener\">dependent repositories<\/a>.) Dubbed \u201cMarkDownTime,\u201d the vulnerability allows an attacker to mount a simple DoS attack that would shut down digital business services by disrupting application development pipelines, said Caspi.\u00a0<\/p>\n<p>Legit Security researchers found that it was simple to trigger unbounded resource exhaustion leading to a DoS condition. Any product that reads and displays markdown (*.md files) and uses a vulnerable library can be targeted, he explained; in practice, the input vector is any markdown the service renders on behalf of untrusted users.<\/p>\n<p>\u201cIn some cases, an attacker can continuously utilize this vulnerability to keep the service down until it is entirely blocked,\u201d said Caspi.\u00a0<\/p>\n<p>He explained that Legit Security\u2019s research team was looking into vulnerabilities in GitHub and GitLab as part of its ongoing software supply chain security research. 
Legit Security disclosed the issue to the commonmarker maintainer and to both GitHub and GitLab.\u00a0<\/p>\n<p>\u201cAll of them have fixed the issues, but many more copies of this markdown implementation have been deployed and are in use,\u201d said Caspi.\u00a0<\/p>\n<p>As such, \u201cprecaution and mitigation measures should be employed.\u201d<\/p>\n<h2 id=\"h-strong-controls-visibility\">Strong controls, visibility<\/h2>\n<p>To protect themselves against this vulnerability, organizations should upgrade to a patched version of the markdown library and upgrade any vulnerable product like GitLab to the newest version, Caspi advised. Because the vulnerable code is often vendored or forked rather than pulled in as a declared dependency, a package-manager upgrade alone does not guarantee that every copy is patched; search the codebase for embedded copies of the GFM implementation as well.\u00a0<\/p>\n<p>And, generally speaking, when it comes to guarding against software supply chain attacks, organizations should have better security controls over the third-party software libraries they use. Protection also involves continuously checking for known vulnerabilities, then upgrading to patched versions.\u00a0<\/p>\n<p>Also, the reputation and popularity of open-source software should be considered \u2014 in particular, avoid unmaintained or low-reputation software. And always keep SDLC systems like GitLab up to date and securely configured, said Caspi. <\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/venturebeat.com\/security\/denial-of-service-vulnerability-discovered-in-libraries-used-by-github-and-others\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Taryn Plumb<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unlike breaches targeting sensitive data or ransomware attacks, denial of service (DoS) exploits aim to take down services and make them wholly inaccessible.\u00a0Several such attacks have occurred in recent memory; last June, for instance, Google blocked what at that point was the largest<\/p>\n","protected":false},"author":1,"featured_media":598666,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34501,22,46],"tags":[],"class_list":["post-598665","post","type-post","status-publish","format-standard","has-post-thumbnail","category-denial","category-service","category-technology"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/598665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=598665"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/598665\/revisions"}],"wp:featuredm
edia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/598666"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=598665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=598665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=598665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
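The "Strong controls, visibility" section above recommends upgrading the markdown library and continuously checking for known vulnerabilities. The following is an added example, not code from the article, from Legit Security or from the commonmarker project, written in Ruby because commonmarker is a Ruby gem. It shows the two controls a practitioner would put around a markdown rendering path while a fix is rolled out: a dependency version check, and a render wrapper that enforces an input size cap and a hard wall-clock budget so an unbounded-resource-exhaustion bug cannot take the whole worker down. The limit constants, the placeholder `FIXED_COMMONMARKER_VERSION`, the function names and the sample renderers are assumptions made for this example; the real patched version must be taken from the CVE-2022-39209 advisory, and `renderer` stands in for a call such as `CommonMarker.render_html`.

```ruby
# Added example: defence in depth for a markdown rendering path whose library may
# carry an unbounded-resource-exhaustion bug such as CVE-2022-39209. Not code from
# the article, Legit Security or the commonmarker project. The limits below and
# FIXED_COMMONMARKER_VERSION are assumptions for illustration; take the real
# patched version from the advisory before relying on the check.
require "timeout"
require "rubygems"

MAX_MARKDOWN_BYTES = 256 * 1024        # assumed policy: reject oversized documents up front
RENDER_TIMEOUT_SECONDS = 2.0           # assumed policy: hard wall-clock budget per render
FIXED_COMMONMARKER_VERSION = "0.23.6"  # assumption: confirm against the CVE-2022-39209 advisory

class MarkdownRejected < StandardError; end

# True when `installed` predates the release assumed to carry the fix.
# Gem::Version compares multi-part and pre-release version strings correctly.
def commonmarker_vulnerable?(installed, fixed = FIXED_COMMONMARKER_VERSION)
  Gem::Version.new(installed) < Gem::Version.new(fixed)
end

# Version string of the commonmarker gem loaded into this process, or nil if absent.
def loaded_commonmarker_version
  spec = Gem.loaded_specs["commonmarker"]
  spec && spec.version.to_s
end

# Render `src` with `renderer` (any callable taking a String and returning a String,
# e.g. ->(s) { CommonMarker.render_html(s) }) under a size cap and a time budget.
# The render runs in a forked child so that a parser stuck in native code can be
# SIGKILLed: Timeout.timeout cannot interrupt a C extension that never yields.
def render_markdown_bounded(src, renderer, max_bytes: MAX_MARKDOWN_BYTES, timeout: RENDER_TIMEOUT_SECONDS)
  if src.bytesize > max_bytes
    raise MarkdownRejected, "markdown input of #{src.bytesize} bytes exceeds #{max_bytes}"
  end

  unless Process.respond_to?(:fork)
    # Weaker fallback for platforms without fork: only interrupts Ruby-level code.
    begin
      return Timeout.timeout(timeout) { renderer.call(src).to_s }
    rescue Timeout::Error
      raise MarkdownRejected, "render exceeded #{timeout}s"
    rescue StandardError => e
      raise MarkdownRejected, "renderer failed (#{e.class})"
    end
  end

  reader, writer = IO.pipe
  pid = fork do
    reader.close
    code = 0
    begin
      writer.write(renderer.call(src).to_s)
    rescue StandardError
      code = 1
    end
    writer.close
    exit!(code) # skip at_exit handlers inherited from the parent
  end
  writer.close

  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  out = +""
  loop do
    remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
    if remaining <= 0 || IO.select([reader], nil, nil, remaining).nil?
      Process.kill("KILL", pid)
      Process.waitpid(pid)
      reader.close
      raise MarkdownRejected, "render exceeded #{timeout}s"
    end
    begin
      out << reader.readpartial(65_536) # drain as the child writes so large output cannot deadlock
    rescue EOFError
      break
    end
  end
  reader.close
  _, status = Process.waitpid2(pid)
  raise MarkdownRejected, "renderer failed (exit #{status.exitstatus})" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  fast = ->(s) { "<p>#{s}</p>" }                       # constructed stand-in for the real renderer
  puts render_markdown_bounded("hello", fast)
  begin
    render_markdown_bounded("slow", ->(s) { sleep 10; s }, timeout: 0.5)
  rescue MarkdownRejected => e
    puts "rejected: #{e.message}"
  end
  v = loaded_commonmarker_version
  puts v ? "commonmarker #{v} vulnerable? #{commonmarker_vulnerable?(v)}" : "commonmarker not loaded"
end
```

The wrapper is a containment measure, not a fix: it bounds the damage a single request can do, and the version check turns the advisory into an automated gate, but only upgrading the library (and any vendored copies of it) removes the vulnerability. The fork is deliberate; a plain `Timeout.timeout` around a native extension can fail to fire until the C code returns, which for a resource-exhaustion bug may be never.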