
Using Cloudflare to bypass Cloudflare is possible: here’s how

Cloudflare is a global technology company that provides security services and tools to improve the performance and reliability of websites. Its products include protection against DDoS (Distributed Denial of Service) attacks, a bot management mechanism and a Web Application Firewall (WAF).

A Web Application Firewall is a firewall designed specifically to protect web applications from threats and cyber attacks. It inspects the HTTP traffic between users and the web application in order to identify and block attacks and attempts to exploit vulnerabilities. A WAF operates at the application layer, flagging and dropping suspicious or malicious requests before they reach the application.

Stefan Proksch and Florian Schweitzer explain that they have identified a security "gap" that can be exploited to evade protections configured on the Cloudflare side. The issue was in fact already known, but the two researchers have the merit of bringing it to the surface with a precise description, sent first, privately, to Cloudflare in March 2023. They are discussing it publicly now that the customary 180-day disclosure period has elapsed.

Cloudflare's own systems can be used to bypass restrictions configured by other Cloudflare customers

Proksch and Schweitzer explain that the protection mechanisms a Cloudflare customer configures for its websites (firewall rules, DDoS prevention, ...) can be bypassed because of missing controls between tenants. The term tenant refers to a user or customer who uses Cloudflare's services to protect their websites or online applications. A tenant can be an organization, a company or an individual who has registered an account with Cloudflare to benefit from its web security and optimization services.

An attacker can use their own Cloudflare account to abuse the trust implicitly granted to the systems that make up the US company's infrastructure. In practice, it therefore becomes possible to bypass restrictions enforced through Cloudflare simply by holding a Cloudflare account, even a free one.

Firewall protections and anti-DDoS defenses do not apply to traffic coming from Cloudflare's own infrastructure

Cloudflare documents various mechanisms to "prevent attackers from discovering and overloading the server" with a high volume of requests (DoS and DDoS attacks). Traffic coming from Cloudflare, however, is always treated as trusted, and according to the researchers this point is not highlighted in the documentation. "We have found that attackers can abuse trust (...) by sending malicious payloads via the Cloudflare platform, bypassing various protection mechanisms (for example, the Web Application Firewall) that a customer may have configured for their environment. The actual impact of this bypass depends on the customer's origin server configuration," the two researchers point out.

Specifically, the researchers describe two origin-protection schemes offered by Cloudflare that an attacker can turn against the platform's own defenses:

  • Authenticated Origin Pulls: rated "very secure" in Cloudflare's documentation, this mechanism authenticates the connections between Cloudflare's reverse proxy and the customer's origin servers with a client TLS certificate (mutual TLS). If the origin trusts the certificate that Cloudflare shares among all of its customers, rather than a certificate issued for the individual tenant, then any tenant's traffic relayed through Cloudflare's infrastructure is accepted, and an attacker can deliver malicious payloads to the origin while bypassing the security measures the victim has configured.
  • Allowlist Cloudflare IP addresses: rated "moderately secure", this scheme rejects connections from IP addresses outside Cloudflare's published ranges. The analysis shows, however, that an attacker can add a domain of their own to their Cloudflare account, point its DNS records at the victim's origin IP, disable every security feature for that domain and route the attack through Cloudflare's infrastructure; the requests reach the origin from an allowlisted Cloudflare address and so evade the defenses configured by the victim.

How to avoid possible attacks

The problem with the "Authenticated Origin Pulls" scheme, as described in the researchers' analysis, can be solved, or at least mitigated, by using custom certificates. Using SSL/TLS certificates specific to the web applications and domains being protected ensures that connections are authenticated for the individual tenant, so that not every Cloudflare customer is able to authenticate to the origin server.

In the case of "Allowlist Cloudflare IP addresses", instead, Cloudflare Aegis is considered the best mitigation. The Aegis service gives the customer dedicated egress IP addresses, so the origin can allowlist those alone instead of the IP ranges shared by every Cloudflare tenant.

What Cloudflare should do, according to researchers

Under its bug bounty program, Cloudflare classified the report as purely informational and closed the case without taking further action.

The researchers, however, insist that Cloudflare address the problem described in their analysis. They point to the need to implement additional protection mechanisms so that these restrictions cannot be bypassed; to warn customers who use weak or vulnerable configurations; and to improve the documentation so that customers are aware of the risks of certain configurations and of the best practices for avoiding attacks.

Cloudflare could also explore alternative authentication options for tenants, so that authentication is not based solely on whether a request comes from the Cloudflare platform but on more granular credentials specific to each customer.

Opening image credit: iStock.com/Jian Fan
