Cloudflare DDoS protections ironically bypassed using Cloudflare

Subject : Cloudflare DDoS protections ironically bypassed using Cloudflare
Date : 30-09-2023

Information

Cloudflare is a global network designed to ensure that everything connected to the Internet, including your assets, remains secure, performs efficiently, and is always available. Cloudflare acts as an intermediary between users and the servers that store data. Users come in various forms, such as visitors, crawlers and bots, and attackers, but when a site uses Cloudflare, all of these must go through Cloudflare's system instead of reaching the server directly. Cloudflare serves three main purposes:

1. Web Application Firewall (WAF): This component protects websites from web-based attacks through cloud security. The WAF automatically filters out malicious HTTP/HTTPS traffic, such as code injection, cross-site scripting, and sensitive data exposure.

2. Distributed Denial-of-Service (DDoS) Protection: DDoS attacks involve sending a massive amount of traffic to a website to disrupt its ability to function or render it unusable. Cloudflare steps in to absorb and mitigate these attacks on behalf of the website.

3. Content Delivery Network (CDN): A CDN distributes content to various servers, sending data from the server closest to the user. If there is high traffic, the system routes data through the nearest server. Cloudflare has multiple Points of Presence (POPs) in Thailand, with over 200 POPs worldwide, enabling fast and reliable website performance.

Incident

Cloudflare's Firewall and DDoS prevention can be bypassed through a specific attack process that leverages logic flaws in cross-tenant security controls.

This bypass could put Cloudflare's customers under a heavy burden, rendering the protection systems of the internet firm less effective.

To make matters worse, the only requirement for the attack is for the hackers to create a free Cloudflare account, which is used as part of the attack.

However, it should be noted that the attackers must know a targeted web server's IP address to abuse these flaws.

Attacking Cloudflare using a Cloudflare account

Certitude's researcher Stefan Proksch discovered that the source of the issue is Cloudflare's strategy to use shared infrastructure that accepts connections from all tenants.

Specifically, the analyst identified two vulnerabilities in the system impacting Cloudflare's "Authenticated Origin Pulls" and "Allowlist Cloudflare IP Addresses".

Authenticated Origin Pulls is a security feature provided by Cloudflare to ensure that HTTP(S) requests sent to an origin server come through Cloudflare and not from an attacker.

When configuring this feature, customers can upload their own certificates using an API or generate one through Cloudflare, the default and easiest method.

Once configured, Cloudflare uses the SSL/TLS certificate to authenticate any HTTP(S) requests between the service's reverse proxies and the customer's origin server, preventing unauthorized requests from accessing the website.

However, as Proksch explains, attackers can bypass this protection because Cloudflare uses a shared certificate for all customers instead of a tenant-specific one, so the origin accepts every connection originating from Cloudflare, regardless of which tenant sent it.

Figure: Cloudflare origin certificate installation

An attacker can set up a custom domain with Cloudflare and point the DNS A record to the victim's IP address.

The attacker then disables all protection features for that custom domain in their tenant and tunnels their attack(s) through the Cloudflare infrastructure.

Figure: Exploiting shared Cloudflare certificates

The problem

1. Attackers with a Cloudflare account can direct malicious traffic to other Cloudflare clients or route their attacks through the company's infrastructure.

2. Cloudflare's "Allowlist Cloudflare IP addresses" is a security measure that only allows traffic originating from Cloudflare's IP address range to reach clients' origin servers. Because the attacker's traffic is relayed through Cloudflare's own infrastructure, it arrives from that same address range and is allowed through.

Mitigation

1. Use a custom certificate to configure the "Authenticated Origin Pulls" mechanism instead of Cloudflare's shared certificate.

2. Use Cloudflare Aegis (if available) to define a more specific egress IP address range dedicated to each client.
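The shared-certificate weakness and the first mitigation above, shown as an added origin-side nginx configuration; this is example code, not from the article, Certitude or Cloudflare, and the file paths, hostname, allowlist include file and backend address are assumptions:

```nginx
# Added example: nginx origin server enforcing Authenticated Origin Pulls.
# Place inside the http { } block. All paths below are assumed placeholders.

# Log the issuer/subject of the client certificate presented on each
# request, so a certificate chaining to the shared CA instead of your own
# is visible in the logs.
log_format originpull '$remote_addr "$ssl_client_i_dn" "$ssl_client_s_dn" '
                      '$ssl_client_verify "$request" $status';

server {
    listen 443 ssl;
    server_name example.com;                          # placeholder hostname

    ssl_certificate     /etc/ssl/origin/server.crt;   # assumed path
    ssl_certificate_key /etc/ssl/origin/server.key;   # assumed path

    # WEAK: trusting the shared Cloudflare origin-pull CA. Every tenant's
    # proxied request presents a certificate chaining to this CA, so a
    # zone in another tenant pointed at this origin's IP passes the check.
    # ssl_client_certificate /etc/ssl/origin/cloudflare-shared-origin-pull-ca.pem;

    # HARDENED: trust only the CA (or self-signed certificate) that issued
    # the client certificate you generated and uploaded to your own zone's
    # Authenticated Origin Pulls settings. Other tenants cannot obtain a
    # certificate under this CA, so their relayed traffic fails the handshake.
    ssl_client_certificate /etc/ssl/origin/tenant-origin-pull-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Defence in depth: keep the Cloudflare IP allowlist as a second layer.
    # Alone it is insufficient, since relayed attack traffic also arrives
    # from Cloudflare's address range. The include holds "allow <cidr>;" lines.
    include /etc/nginx/cloudflare-ips.conf;          # assumed file
    deny all;

    access_log /var/log/nginx/origin-pull.log originpull;

    location / {
        proxy_pass http://127.0.0.1:8080;            # assumed backend
    }
}
```

With `ssl_verify_client on`, nginx rejects the TLS handshake itself when the presented certificate does not chain to the configured file, so no request from another tenant reaches the backend.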


Security systems remain the important point. We must keep attention on them and monitor them as usual.
For more information please contact
Email : sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
061 404 5895 (Ms.Thanyakan)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)


References

https://www.bleepingcomputer.com/news/security/cloudflare-ddos-protections-ironically-bypassed-using-cloudflare/

https://www.i-secure.co.th/2023/10/%e0%b8%9e%e0%b8%9a%e0%b8%8a%e0%b9%88%e0%b8%ad%e0%b8%87%e0%b9%82%e0%b8%ab%e0%b8%a7%e0%b9%88%e0%b9%83%e0%b8%99-cloudflare-ddos-protection-%e0%b8%97%e0%b8%b5%e0%b9%88%e0%b8%aa%e0%b8%b2%e0%b8%a1%e0%b8%b2/

https://nipa.cloud/th/blog/how-cloudflare-protect-your-business


Weekly Interesting CVE

Columns : No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Ref

1. CVE-2023-41993
Published Date : 21/09/2023
Last Update : 03/10/2023
Device/Application/OS Target : Apple macOS
Attack Type : Remote Code Execution
CVSS Severity Rating : 6
Detail : A vulnerability in the WebKit browser engine in Safari that allows hackers to circumvent authentication by using malicious apps or running code through web pages designed to attack.
Solution : Update versions of iOS before iOS 16.7
Ref : https://vuldb.com/?id.240168

2. CVE-2023-41992
Published Date : 21/09/2023
Last Update : 27/09/2023
Device/Application/OS Target : Apple Watch Series 4
Attack Type : Local Privilege Escalation
CVSS Severity Rating : 7.5
Detail : A vulnerability in the Kernel Framework. An attacker may be able to elevate their privileges.
Solution : Update versions of iOS
Ref : https://vuldb.com/?id.240165

3. CVE-2023-5187
Published Date : 26/09/2023
Last Update : 28/09/2023
Device/Application/OS Target : Google Chrome
Attack Type : Use-After-Free
CVSS Severity Rating : 6
Detail : Use after free in Extensions in Google Chrome prior to 117.0.5938.132 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Solution : Update versions
Ref : https://vuldb.com/?id.240817

4. CVE-2023-4129
Published Date : 03/08/2023
Last Update : 27/09/2023
Device/Application/OS Target : Dell Data Protection Central
Attack Type : Inadequate encryption
CVSS Severity Rating : 4.8
Detail : Dell Data Protection Central, version 19.9, contains an Inadequate Encryption Strength Vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, allowing an attacker to recover plaintext from a block of ciphertext.
Solution : No mitigation known
Ref : https://vuldb.com/?id.240519

5. CVE-2021-1299
Published Date : 20/01/2021
Last Update : 29/09/2023
Device/Application/OS Target : Cisco SD-WAN
Attack Type : Command Injection
CVSS Severity Rating : 8.0
Detail : Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device. For more information about these vulnerabilities, see the Details section of this advisory.
Solution : Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
Ref : https://nvd.nist.gov/vuln/detail/CVE-2021-1299 and https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cmdinjm-9QMSmgcn

11 October 2023
