
Recent research has revealed weaknesses in Cloudflare's security infrastructure that could be used to bypass its Distributed Denial of Service (DDoS) protections. The weaknesses stem from shared certificates and logic flaws, and they raise questions about how effective Cloudflare's protective measures are for origin servers. Specifically, the "Authenticated Origin Pulls" feature can be bypassed because a shared certificate is used across tenants, and the "Allowlist Cloudflare IP Addresses" feature has a logic flaw that lets malicious traffic appear to be trusted. Organizations that rely on Cloudflare's services are urged to review their configurations and add further safeguards to protect their online assets.
Vulnerability 1: Authenticated Origin Pulls
The first flaw affects Cloudflare's "Authenticated Origin Pulls" feature. This feature is meant to ensure that every HTTP(S) request reaching an origin server has travelled through Cloudflare, so that attackers cannot reach the origin directly. The problem is that Cloudflare presents a single shared certificate to all customers' origins rather than a tenant-specific certificate, so the origin cannot tell which Cloudflare tenant a request belongs to.
An attacker can therefore set up a domain in their own Cloudflare tenant, point its DNS A record at the victim's origin IP address, and disable the protective features for that domain within their own tenant. Requests sent through the attacker's domain then arrive at the victim's origin carrying the same shared certificate and are accepted as legitimate Cloudflare traffic.
Exploiting Shared Certificates
Using this vulnerability, attackers can launch attacks that appear to come from Cloudflare and so pass the origin's checks. To mitigate the problem, it is advised to configure "Authenticated Origin Pulls" with a custom (tenant-specific) certificate rather than Cloudflare's shared certificate, so that the origin only accepts pulls that present that certificate.
Vulnerability 2: Allowlist Cloudflare IP Addresses
The second flaw affects Cloudflare's "Allowlist Cloudflare IP Addresses" feature, which restricts access to a customer's origin server to traffic from Cloudflare's published IP address ranges. Here, attackers can exploit a logic gap by registering a domain with Cloudflare, pointing that domain's DNS A record at the IP address of the victim's origin server, disabling the security features for their own domain, and routing malicious traffic to the victim over Cloudflare's network. Because the traffic egresses from Cloudflare's shared IP ranges, the allowlist cannot distinguish it from the victim's own traffic.
Bypassing Security Controls
Because their traffic appears trustworthy to the victim's origin, this technique lets attackers bypass the IP allowlist. It is advised to use Cloudflare Aegis (where available), which provides a dedicated egress IP address range for each customer, so that the origin can allowlist only the ranges assigned to its own tenant.
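One way to apply both mitigations on the origin side, as an added nginx example that is not from the article or from Cloudflare's documentation; the hostname, file paths, IP range and fingerprint value are placeholders:

```nginx
# Origin-side nginx fragment (added example). Paths, hostname, IP range and
# the fingerprint are assumed placeholders, not values from the article.
server {
    listen 443 ssl;
    server_name origin.example.com;             # assumed hostname

    ssl_certificate     /etc/ssl/origin.crt;    # assumed path
    ssl_certificate_key /etc/ssl/origin.key;    # assumed path

    # WEAK: trusting the CA behind Cloudflare's shared origin-pull certificate
    # accepts pulls made through *any* Cloudflare tenant, which is the bypass
    # described in the article.
    # ssl_client_certificate /etc/ssl/cloudflare_shared_origin_pull_ca.pem;

    # CORRECTED: trust only the tenant-specific certificate that was uploaded
    # to Cloudflare as a custom Authenticated Origin Pulls certificate.
    ssl_client_certificate /etc/ssl/tenant_origin_pull_ca.pem;   # assumed path
    ssl_verify_client on;

    # Defence in depth: pin the exact client certificate so that a certificate
    # from the right CA but a different key is still refused.
    if ($ssl_client_fingerprint != "PLACEHOLDER_SHA1_FINGERPRINT") {
        return 403;
    }

    # The IP allowlist stays in place, but it cannot distinguish tenants on the
    # shared ranges, so it is layered under the certificate check, not used alone.
    # Use Cloudflare's published ranges, or the per-tenant Aegis egress range.
    allow 203.0.113.0/24;                       # placeholder range
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;       # assumed upstream
    }
}
```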
Reporting and the Response from Cloudflare
These logical errors were identified by researchers in March 2023 and submitted to Cloudflare via HackerOne. Cloudflare described the problem as “informative,” which raised questions about the necessity for extra security measures or warnings to customers with potentially risky setups. Cloudflare has not yet responded to any questions about these issues.
Conclusion
These vulnerabilities in Cloudflare's security infrastructure are a reminder of the need for rigorous security audits and for tenant-specific certificates to better defend against DDoS attacks and other threats. Companies using Cloudflare's services should review their origin protection settings and consider additional safeguards to protect their online assets.
