Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could result in data theft or full server takeover.
FearsOff security researchers reported the bug in October through Cloudflare’s bug bounty program, and the CDN says it has patched the vulnerability in its ACME (Automated Certificate Management Environment) validation logic with no action required from its customers.
ACME is a protocol that certificate authorities and providers like Cloudflare use to automate the issuance, renewal, and revocation of SSL/TLS certificates.
It uses challenges to prove domain ownership before issuing a security certificate, and this is typically done via an HTTP-01 challenge that checks for a validation token on the HTTP path following this format: http://{customer domain}/.well-known/acme-challenge/{token value}.
In its report, the threat-hunting firm likens a WAF to the front door and ACME to a hallway that should only be used by a certificate robot to verify domain ownership. When configured correctly, a WAF helps let expected validation traffic through while filtering out many malicious requests, including automated bots.
“A certificate robot’s hallway should never become a side door,” the FearsOff researchers wrote.
The “side door” in this case was caused by a logic flaw in how Cloudflare processed some ACME challenge requests.
“Previously, when Cloudflare was serving an HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response,” Cloudflare explained in a Monday blog.
“This is done because these features can interfere with the [certificate authority’s] ability to validate the token values and would cause failures with automated certificate orders and renewals,” it continued.
However, the logic in this case did not verify that the token in the request matched an active challenge for the hostname, and this could allow an attacker to completely bypass the WAF security controls and reach the origin server.
Cloudflare fixed the flaw on October 27 by pushing code that only allows the WAF features to be disabled if the request matches a valid ACME HTTP-01 challenge token for the hostname.
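The pre-fix and post-fix decision logic described above, as an added Python model that is not Cloudflare’s code; the token table, hostnames and the host normalization are constructed assumptions:

```python
# Added example, not Cloudflare's code: models the ACME HTTP-01 decision that
# turns WAF features off for a challenge request, before and after the fix.
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample of active HTTP-01 challenges: token -> hostname it was issued for.
ACTIVE_CHALLENGES = {
    "tokenA": "example.com",
    "tokenB": "shop.example.net",
}


def normalize_host(host):
    """Lower-case the Host header value and drop any port (assumed normalization)."""
    return host.split(":", 1)[0].strip().lower()


def acme_token_from_path(path):
    """Return the token segment of an ACME challenge path, or None if it is not one."""
    path_only = urlsplit(path).path  # ignore query string and fragment
    if not path_only.startswith(ACME_PREFIX):
        return None
    token = path_only[len(ACME_PREFIX):]
    # Exactly one non-empty segment is expected; reject empty or nested paths.
    if not token or "/" in token:
        return None
    return token


def waf_disabled_before_fix(host, path):
    """Pre-fix logic: any active token disables WAF features, whatever the hostname."""
    token = acme_token_from_path(path)
    return token is not None and token in ACTIVE_CHALLENGES


def waf_disabled_after_fix(host, path):
    """Fixed logic: the token must be an active challenge for this hostname."""
    token = acme_token_from_path(path)
    return token is not None and ACTIVE_CHALLENGES.get(token) == normalize_host(host)


def route_request(host, path, fixed=True):
    """Return which handler a request goes to: the token responder or the WAF pipeline."""
    check = waf_disabled_after_fix if fixed else waf_disabled_before_fix
    return "serve_acme_token" if check(host, path) else "inspect_with_waf"
```

A request for an active token under a hostname it was never issued for skips the WAF in the pre-fix model and stays in the WAF pipeline in the fixed one.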
While there is no evidence that miscreants found and abused the security hole before Cloudflare fixed the issue, the bug hunters say that this type of WAF bypass becomes an even bigger threat to organizations in the face of AI-driven attacks.
“Automated tools powered by machine learning can rapidly enumerate and exploit exposed paths like /.well-known/acme-challenge/, probing for framework-specific weaknesses or misconfigurations at scale,” FearsOff wrote in a Monday analysis. “For instance, an AI model trained to identify servlet traversal quirks or PHP routing bugs could chain this bypass with targeted payloads, turning a narrow maintenance path into a broad attack vector.”