CVE-2024-38537
Published: 02 July 2024
Summary
CVE-2024-38537 is an uncategorised-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Ethyca Fides. Its CVSS base score is 0.0.
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked in the top 4.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Fides is an open-source privacy engineering platform whose client-side consent script fides.js contained a dependency on the polyfill.io domain. The script loaded resources from that domain only in a narrow edge case when a legacy browser such as IE11 lacking native fetch support was detected, introducing an inclusion of functionality from an untrusted control sphere (CWE-829).
An attacker who had already compromised polyfill.io could therefore serve malicious JavaScript to any visitor using one of those pre-2017 browsers on a page that included fides.js, resulting in arbitrary code execution within the victim’s browser context. No evidence of such exploitation against fides.js has been observed.
The issue was corrected in Fides 2.39.1. On 27 June 2024 Cloudflare and Namecheap blocked resolution of polyfill.io and its subdomains, eliminating the attack surface for all clients regardless of browser version. Prior to that intervention the only reliable client-side mitigation was use of a modern browser that implements the fetch standard.
The associated EPSS score reached a peak of 0.2223 with no subsequent material increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2328
Vulnerability details
Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard.
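The following is an added example, not code from the Fides project or from the advisory text above. It illustrates the mechanism described in both the "Deeper analysis" and "Vulnerability details" sections: a loader that falls back to a third-party domain when the browser lacks native `fetch` (the CWE-829 pattern), next to a loader whose fallback is served from the site's own origin, plus a defender-side audit that lists every `<script src>` in a page that would execute code from an origin the operator does not control. The polyfill URL shape, the self-hosted path, the page origins and the sample HTML are all assumptions constructed for the example; the page only names the `polyfill.io` domain.

```javascript
// Added example, not Fides project code. URLs, paths and sample markup below
// are constructed assumptions for illustration.

// Hypothetical third-party polyfill URL of the kind a loader might request
// when it finds no native fetch; only the polyfill.io domain comes from the page.
const THIRD_PARTY_POLYFILL_URL = "https://polyfill.io/v3/polyfill.min.js?features=fetch";
// Assumed self-hosted copy of the same polyfill, served from the page's origin.
const FIRST_PARTY_POLYFILL_PATH = "/static/vendor/fetch-polyfill.js";

// CWE-829 pattern: a missing capability triggers a script load from a domain
// the site operator does not control. `env` stands in for `window`.
function legacyPolyfillSource(env) {
  return typeof env.fetch === "function" ? null : THIRD_PARTY_POLYFILL_URL;
}

// Hardened pattern: the fallback is a file bundled with the site, so the code
// that runs in the legacy browser comes from the operator's own origin.
function hardenedPolyfillSource(env) {
  return typeof env.fetch === "function" ? null : FIRST_PARTY_POLYFILL_PATH;
}

// True when `src`, resolved against the page origin, is same-origin or belongs
// to an explicitly allowed origin. Unparseable or non-http(s) sources are rejected.
function isAllowedScriptSource(src, pageOrigin, allowedOrigins = []) {
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch (e) {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return url.origin === pageOrigin || allowedOrigins.includes(url.origin);
}

// Pulls every <script src="..."> out of an HTML document. A regex is enough for
// an audit over static markup; production tooling would use a real HTML parser.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// Lists script sources that would execute code from an origin outside the
// allowlist; this is the same boundary a `script-src 'self'` CSP enforces.
function auditScriptSources(html, pageOrigin, allowedOrigins = []) {
  return extractScriptSources(html).filter(
    (src) => !isAllowedScriptSource(src, pageOrigin, allowedOrigins)
  );
}

// Constructed sample page, not a capture of any real deployment.
const SAMPLE_HTML = `
<html><head>
<script src="/static/fides.js"></script>
<script src="${THIRD_PARTY_POLYFILL_URL}"></script>
<script src="https://cdn.example-allowed.test/lib.js"></script>
</head><body></body></html>`;

const PAGE_ORIGIN = "https://shop.example.test";
const ALLOWED_ORIGINS = ["https://cdn.example-allowed.test"];

console.log("legacy browser, vulnerable loader:", legacyPolyfillSource({}));
console.log("legacy browser, hardened loader:", hardenedPolyfillSource({}));
console.log("off-origin scripts:", auditScriptSources(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_ORIGINS));
```

Run over the constructed page, the audit flags only the `polyfill.io` entry: `fides.js` is same-origin and the CDN host is on the allowlist. The same check, applied in a build step or a crawler over production pages, is how an operator finds every place a third-party script host can reach end users' browsers, which is the inventory the mitigating controls below ask for.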
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability causes fides.js to dynamically load and execute JavaScript from the compromised polyfill.io domain in legacy browsers, enabling adversaries to leverage JavaScript for execution (T1059.007), perform drive-by compromises (T1189), and distribute payloads via a compromised software supply chain (T1195.002).
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.
- Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
- The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.
- Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.
- Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.
- Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
- Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.
- Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres.