Two of the mechanisms Cloudflare customers use to protect their origin servers can be bypassed, allowing threat actors to route malicious traffic to a target's origin through Cloudflare's own infrastructure while sidestepping the firewall and DDoS protections that target has configured, a security researcher has claimed.
According to Certitude’s researcher Stefan Proksch, the vulnerabilities can be found in Cloudflare’s Authenticated Origin Pulls, and Allowlist Cloudflare IP Addresses.
The former is a security feature in which the origin server demands a TLS client certificate on every connection, so that it accepts HTTPS requests relayed by Cloudflare and rejects requests sent directly by a third party. Cloudflare’s Allowlist Cloudflare IP Addresses, on the other hand, is a firewall configuration in which the origin server accepts connections only from Cloudflare’s published IP ranges, so that traffic from anywhere else never reaches the customer’s origin.
Logic flaws
The vulnerabilities leverage logic flaws in cross-tenant security controls: both features only verify that a connection came from Cloudflare, not that it came from Cloudflare on behalf of the victim’s own zone, and Cloudflare uses shared infrastructure that accepts connections from all tenants. To abuse the flaws, all a threat actor needs is knowledge of the targeted web server’s origin IP address and a free Cloudflare account. As the researcher explained, when configuring the Authenticated Origin Pulls feature, users by default rely on a client certificate issued by Cloudflare. Alternatively, they can upload their own certificate using the API.
Now, given that Cloudflare presents the same default certificate to every customer’s origin, an origin that trusts that certificate will accept any connection originating from Cloudflare’s edge, regardless of which tenant the request passed through: “An attacker can set up a custom domain with Cloudflare and point the DNS A record to victim’s IP address,” Proksch said. “The attacker then disables all protection features for that custom domain in their tenant and tunnels their attack(s) through the Cloudflare infrastructure.”
“This approach allows attackers to bypass the protection features by the victim.”
To mitigate this issue, users should configure Authenticated Origin Pulls with a custom certificate uploaded through the API rather than the shared default, so that the origin only accepts the certificate tied to their own zone and not one that every other Cloudflare tenant can also trigger.
As for the Allowlist Cloudflare IP Addresses tool, the flaw is the same: the origin’s allowlist checks only the source IP, and Cloudflare’s egress IP addresses are shared by all tenants. If an attacker creates a Cloudflare account, points their domain’s DNS A record to the victim server’s IP address, and turns off all protection features for that domain, they can route malicious traffic through Cloudflare’s infrastructure, and from the victim’s side this traffic arrives from an allowlisted Cloudflare address and is treated as legitimate.
To narrow the allowlist to a more specific egress IP address range dedicated to their own traffic, rather than the ranges every tenant shares, users should use Cloudflare Aegis, the researcher suggests.
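The following is an added illustration, not code from the article or from Certitude, that models the origin-side decision behind both bypasses described above. It simulates an origin server checking (a) whether the source address is in an allowed range and (b) whether the presented client certificate is trusted, first with the weak settings (shared Cloudflare egress ranges, default shared origin-pull certificate) and then with the mitigations (a dedicated Aegis range, a pinned custom certificate). The IP ranges, certificate strings and connection records are constructed for the example and are not real Cloudflare values; CA chain verification is replaced by a direct comparison to keep the example offline.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values (assumptions for this example, not real Cloudflare data).
SHARED_EGRESS = ipaddress.ip_network("198.51.100.0/24")     # range every tenant's traffic leaves from
DEDICATED_EGRESS = ipaddress.ip_network("198.51.100.64/29")  # Aegis-style range dedicated to the victim

SHARED_PULL_CERT = "CONSTRUCTED-PEM: Cloudflare-issued origin-pull cert, identical for all tenants"
CUSTOM_PULL_CERT = "CONSTRUCTED-PEM: client cert the victim uploaded for its own zone"


def fingerprint(cert_pem: str) -> str:
    """SHA-256 fingerprint used to pin a client certificate."""
    return hashlib.sha256(cert_pem.encode()).hexdigest()


@dataclass(frozen=True)
class Connection:
    src_ip: str                     # address the origin sees the TCP connection from
    client_cert: Optional[str]      # cert presented in the TLS handshake, None if none


@dataclass(frozen=True)
class OriginConfig:
    allowed_ranges: Tuple[ipaddress.IPv4Network, ...]
    pinned_fingerprint: Optional[str]  # None = default AOP: trust any Cloudflare-issued cert


def ip_allowlisted(conn: Connection, cfg: OriginConfig) -> bool:
    """'Allowlist Cloudflare IP addresses' control: source address in an allowed range."""
    ip = ipaddress.ip_address(conn.src_ip)
    return any(ip in net for net in cfg.allowed_ranges)


def cert_trusted(conn: Connection, cfg: OriginConfig) -> bool:
    """'Authenticated Origin Pulls' control: presented client certificate is trusted."""
    if conn.client_cert is None:
        return False
    if cfg.pinned_fingerprint is None:
        # Default AOP: anything issued by Cloudflare's shared origin-pull CA passes.
        # Chain verification is replaced by a direct comparison for the example.
        return conn.client_cert == SHARED_PULL_CERT
    # Custom certificate: only the cert uploaded for this zone passes.
    return fingerprint(conn.client_cert) == cfg.pinned_fingerprint


def admit(conn: Connection, cfg: OriginConfig) -> bool:
    """Origin accepts the request only if both controls pass."""
    return ip_allowlisted(conn, cfg) and cert_trusted(conn, cfg)


# Cloudflare's edge connecting on behalf of the victim's own zone, before and after the fix.
VICTIM_BEFORE = Connection("198.51.100.10", SHARED_PULL_CERT)
VICTIM_AFTER = Connection("198.51.100.66", CUSTOM_PULL_CERT)
# Attacker's zone: A record pointed at the victim's origin, protections disabled in the
# attacker's tenant. The edge still leaves from the shared range and presents the shared cert.
ATTACKER_VIA_CF = Connection("198.51.100.200", SHARED_PULL_CERT)
# A direct connection from the internet, not relayed by Cloudflare at all.
DIRECT = Connection("203.0.113.7", None)

WEAK_CONFIG = OriginConfig((SHARED_EGRESS,), None)
HARDENED_CONFIG = OriginConfig((DEDICATED_EGRESS,), fingerprint(CUSTOM_PULL_CERT))


def decisions(cfg: OriginConfig) -> dict:
    """Admission result for each sample connection under a given origin configuration."""
    samples = {
        "victim zone (default cert)": VICTIM_BEFORE,
        "victim zone (custom cert, Aegis)": VICTIM_AFTER,
        "attacker zone via Cloudflare": ATTACKER_VIA_CF,
        "direct from internet": DIRECT,
    }
    return {name: admit(c, cfg) for name, c in samples.items()}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {label} origin config ---")
        for name, ok in decisions(cfg).items():
            print(f"{name:36s} {'ADMIT' if ok else 'REJECT'}")
```

Under the weak configuration the attacker's connection is admitted because it satisfies exactly what the origin asks for: a Cloudflare source address and a Cloudflare-issued certificate. Under the hardened configuration it fails both checks independently, so either mitigation alone would have blocked it; applying both leaves no single shared property for another tenant to reuse.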
Via BleepingComputer