Subject : Cloudflare DDoS protections ironically bypassed using Cloudflare
Date : 30-09-2023
Information
Cloudflare is a global network designed to ensure that everything connected to the Internet, including your assets, remains secure, performs efficiently, and is always available. Cloudflare acts as an intermediary between users and data-storing servers. Users come in various forms, such as visitors, crawlers & bots, and attackers, but when using Cloudflare, all types of access must go through Cloudflare's system instead. Cloudflare serves three main purposes:
1. Web Application Firewall (WAF): This component protects websites from web-based attacks through cloud security. The WAF automatically filters out malicious HTTP/HTTPS traffic, such as code injection, cross-site scripting, and sensitive data exposure.
2. Distributed Denial-of-Service (DDoS) Protection: DDoS attacks involve sending a massive amount of traffic to a website to disrupt its ability to function or render it unusable. Cloudflare steps in to absorb and mitigate these attacks on behalf of the website.
3. Content Delivery Network (CDN): A CDN distributes content to various servers, sending data from the server closest to the user. If there is high traffic, the system routes data through the nearest server. Cloudflare has multiple Points of Presence (PoPs) in Thailand, with over 200 PoPs worldwide, enabling fast and reliable website performance.
Incident
Cloudflare's Firewall and DDoS prevention can be bypassed through a specific attack process that leverages logic flaws in cross-tenant security controls.
This bypass could put Cloudflare's customers under a heavy burden, rendering the protection systems of the internet firm less effective.
To make matters worse, the only requirement for the attack is for the hackers to create a free Cloudflare account, which is used as part of the attack.
However, it should be noted that the attackers must know a targeted web server's IP address to abuse these flaws.
Attacking Cloudflare using a Cloudflare account
Certitude's researcher Stefan Proksch discovered that the source of the issue is Cloudflare's strategy to use shared infrastructure that accepts connections from all tenants.
Specifically, the analyst identified two vulnerabilities in the system impacting Cloudflare's "Authenticated Origin Pulls" and "Allowlist Cloudflare IP Addresses" features.
Authenticated Origin Pulls is a security feature provided by Cloudflare to ensure that HTTP(S) requests sent to an origin server come through Cloudflare and not from an attacker.
When configuring this feature, customers can upload their certificates using an API or generate one through Cloudflare, the default and easiest method.
Once configured, Cloudflare uses the SSL/TLS certificate to authenticate any HTTP(S) requests between the service's reverse proxies and the customer's origin server, preventing unauthorized requests from accessing the website.
However, as Proksch explains, attackers can bypass this protection as Cloudflare uses a shared certificate for all customers instead of a tenant-specific one, causing all connections originating from Cloudflare to be permitted.
Cloudflare origin certificate installation
An attacker can set up a custom domain with Cloudflare and point its DNS A record to the victim's origin IP address.
The attacker then disables all protection features for that custom domain in their own tenant and tunnels their attack(s) through the Cloudflare infrastructure, where the victim's origin accepts them because they arrive from Cloudflare with Cloudflare's shared certificate.
Exploiting shared Cloudflare certificates
The problem
1. Attackers with a Cloudflare account can direct malicious traffic to other Cloudflare clients or route their attacks through the company's infrastructure.
2. The same approach also defeats "Allowlist Cloudflare IP Addresses", a security measure that only allows traffic originating from Cloudflare's IP address range to reach clients' origin servers: traffic tunnelled through the attacker's tenant arrives from those same Cloudflare addresses and is therefore allowed.
Mitigation
1. Use a custom certificate to configure the "Authenticated Origin Pulls" mechanism instead of Cloudflare's shared certificate.
2. Use Cloudflare Aegis (if available) to define a more specific egress IP address range dedicated to each client.
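As an added example (not part of the original article, and not code from Certitude or Cloudflare), the following Python script shows how an origin operator could watch access logs for the two conditions described above: requests that reach the origin without passing through the proxy at all (the IP allowlist is not enforced), and requests that do arrive from proxy addresses but carry a hostname the operator never put behind Cloudflare, which is what traffic tunnelled through another tenant's zone looks like by default. It assumes a constructed log format and uses the TEST-NET-2/TEST-NET-3 documentation ranges as stand-ins for Cloudflare's published proxy ranges.

```python
import ipaddress
import re

# Hostnames this origin legitimately serves through its own Cloudflare zone (constructed).
OUR_ZONES = {"example.com", "www.example.com"}

# Stand-in for Cloudflare's published proxy egress ranges (constructed: TEST-NET-2, TEST-NET-3).
# In production, load the current list Cloudflare publishes for its proxy addresses instead.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed access-log format: "<client_ip> <host_header> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def from_proxy(ip: str) -> bool:
    """True when the TCP peer address belongs to one of the allowlisted proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


def classify(line: str) -> str:
    """Label one access-log line.

    ok            - came through the proxy and asks for one of our own hostnames
    direct-origin - did not come through the proxy: the IP allowlist is not being enforced
    cross-tenant  - came through the proxy but for a hostname we never placed behind it,
                    i.e. another tenant's zone is pointed at our origin IP
    """
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    if not from_proxy(m["ip"]):
        return "direct-origin"
    if m["host"].lower() not in OUR_ZONES:
        return "cross-tenant"
    return "ok"


def scan(lines):
    """Return (label, line) pairs for every line that is not a normal request."""
    findings = []
    for line in lines:
        label = classify(line)
        if label != "ok":
            findings.append((label, line))
    return findings


# Constructed sample log: one normal request, one cross-tenant request, one direct origin hit.
SAMPLE_LOG = [
    "198.51.100.7 www.example.com GET /login 200",
    "198.51.100.9 other-tenant.example.net POST /api/search 200",
    "192.0.2.44 www.example.com GET / 200",
]

if __name__ == "__main__":
    for label, line in scan(SAMPLE_LOG):
        print(f"{label:14} {line}")
```

The hostname check relies on the proxy forwarding the original Host header, so it is a monitoring aid that complements, rather than replaces, the custom-certificate and Aegis mitigations listed above.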
The important point is that security systems cannot be set and forgotten: their configuration must be reviewed and their traffic monitored as a matter of routine.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
061 404 5895 (Ms.Thanyakan)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
Weekly Interesting CVE
NO | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Ref
---|---|---|---|---|---|---|---|---|---
1 | CVE-2023-41993 | 21/09/2023 | 03/10/2023 | Apple macOS | Remote Code Execution | 6 | A vulnerability in the WebKit browser engine in Safari that allows hackers to circumvent authentication, by using malicious apps or by running code through web pages designed for the attack. | Update iOS versions earlier than iOS 16.7 | 
2 | CVE-2023-41992 | 21/09/2023 | 27/09/2023 | Apple Watch Series 4 | Local Privilege Escalation | 7.5 | A vulnerability in the Kernel framework. An attacker may be able to elevate their privileges. | Update iOS versions | 
3 | CVE-2023-5187 | 26/09/2023 | 28/09/2023 | Google Chrome | Use-After-Free | 6 | Use after free in Extensions in Google Chrome prior to 117.0.5938.132 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | Update versions | 
4 | CVE-2023-4129 | 03/08/2023 | 27/09/2023 | Dell Data Protection Central | Inadequate encryption | 4.8 | Dell Data Protection Central, version 19.9, contains an Inadequate Encryption Strength Vulnerability. An unauthenticated network attacker could potentially exploit this vulnerability, allowing an attacker to recover plaintext from a block of ciphertext. | No mitigation known | 
5 | CVE-2021-1299 | 20/01/2021 | 29/09/2023 | Cisco SD-WAN | Command Injection | 8.0 | Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device. For more information about these vulnerabilities, see the Details section of this advisory. | Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. | https://nvd.nist.gov/vuln/detail/CVE-2021-1299
11 October 2023