Logic Flaws Let Attackers Bypass Cloudflare's Firewall and DDoS Protection
The effectiveness of Cloudflare’s Firewall and DDoS prevention has been proven to be compromised by an attack technique that takes the use of logical vulnerabilities in cross-tenant security policies.
This finding has sparked worries about possible vulnerabilities that could damage the security company’s clients.
The attack only requires the creation of a free Cloudflare account by the hackers, making it alarmingly accessible. However, to exploit these flaws, attackers must be aware of the IP address of a targeted web server.
The organization’s usage of open infrastructure, which accepts connections from all users, is the root cause of the current problem.
BleepingComputer ( Source )
In particular, the “Authenticated Origin Pulls” and “Allowlist Cloudflare IP Addresses” functionalities are vulnerable to two issues .
Cloudflare offers a security feature called “Authenticated Origin Pulls”. This ensures that HTTP(S) requests made to an origin server are coming from their clients and not possibly harmful requests from an attacker.
Customers can create their certificates through Cloudflare, which is the usual and simplest manner, or upload them over an API when establishing this service.
After the configuration is complete, the company uses the SSL/TLS certificate to validate any HTTP(S) requests made between its reverse proxies and the client’s origin server. This effectively guarding against unwanted access to the website.
However, because Cloudflare uses a generic certificate for all users rather than a tenant-specific one, there is a vulnerability that allows access to all connections coming from within the company.
An attacker can setup a custom domain with Cloudflare and point the DNS A record to the victims IP address. The attacker then disables all protection features for that custom domain in their tenant and tunnel their attack(s) through the Cloudflare infrastructure. This approach allows attackers to bypass the protection features by the victim.
Certitude ( Source )
Due to this logical flaw, attackers with a Cloudflare account can send harmful traffic to other users or use the company’s infrastructure to carry out their attacks.
The “Allowlist Cloudflare IP Addresses” option is the subject of the second issue. This security precaution only allows traffic from the IP address range of the organization to access the origin servers of clients.
Once more, by registering a domain on Cloudflare and setting up their domain’s DNS A record to point to the IP address of the target victim’s server, attackers can take advantage of a logic error in this system.
They then turn off all security safeguards for the custom domain and route harmful traffic through the network. This traffic appears trustworthy from the victim’s perspective, and as a result, is given access.
You can use the following defense measures against these attacks:
Use a custom certificate to configure the “Authenticated Origin Pulls” mechanism instead of Cloudflare’s shared certificate.
Use Cloudflare Aegis (if available) to define a more specific egress IP address range dedicated to each client.
BleepingComputer ( Source )
On March 16, 2023, researchers who discovered the logical errors reported them to security company via HackerOne, but the company dismissed the issue as “informative.”