Cloudflare security protections can be bypassed in a surprisingly simple way
Cloudflare’s Firewall and DDoS prevention tools contain two concerning vulnerabilities that could allow threat actors to send malicious traffic their way, or use their servers to direct malicious traffic elsewhere, experts claim.
According to Certitude’s researcher Stefan Proksch, the vulnerabilities can be found in Cloudflare’s Authenticated Origin Pulls and the Allowlist Cloudflare IP addresses.
The first is a security tool that ensures that HTTPS requests sent to an origin server come through Cloudflare, and not from a third party. Cloudflare’s Allowlist Cloudflare IP Addresses, on the other hand, is a security feature that ensures that only traffic originating from Cloudflare’s IP addresses reaches the customer’s origin servers.
Logical errors
The vulnerabilities exploit logical flaws in security controls between tenants, made possible by the fact that Cloudflare uses a shared infrastructure that accepts connections from all tenants. To exploit the vulnerabilities, a threat actor only needs knowledge of the IP address of the targeted web server and a free Cloudflare attack. As the researcher explained, when configuring the Authenticated Origin Pulls feature, users generate a certificate through Cloudflare by default. Alternatively, they can upload their own using an API.
Now that Cloudflare uses a shared certificate for all customers, any connections originating from Cloudflare are fair game: “An attacker can set up a custom domain with Cloudflare and point the DNS A record to the victim’s IP address,” Proksch said . βThe attacker then disables all security features for that custom domain in their tenant and tunnels their attack(s) through the Cloudflare infrastructure.β
“This approach allows attackers to bypass the victim’s security features.”
To resolve this issue, users must use custom certificates.
Regarding the Allowlist Cloudflare IP Addresses tool, if an attacker creates a Cloudflare account and points his domain’s DNS A record to the victim server’s IP address and disables all security features for the custom domain, he can send malicious traffic through the run Cloudflare’s infrastructure. From the victim’s side, this traffic will be considered legitimate.
To define a more specific range of aggressive IP addresses specifically for different customers, users should use Cloudflare Aegis, the researcher suggests.
Through BleepingComputer