Cloudflare security protections can be bypassed in a surprisingly simple way

News
By Sead Fadilpašić
published

All you need is a free Cloudflare account and the victim server's IP address

Homepage of CloudFlare website on the display of PC, url - CloudFlare.com.
(Image credit: Shutterstock/Sharaf Maksumov)

Cloudflare’s Firewall and DDoS prevention tools carry two worrying vulnerabilities that allow threat actors to send malicious traffic their way, or use their servers to reroute malicious traffic elsewhere, experts have claimed.

According to Certitude’s researcher Stefan Proksch, the vulnerabilities can be found in Cloudflare’s Authenticated Origin Pulls, and Allowlist Cloudflare IP Addresses. 

The former is a security tool that makes sure HTTPS requests sent to an origin server come through Cloudflare, and not from a third party. Cloudflare's Allowlist Cloudflare IP Addresses, on the other hand, is a security feature that makes sure only the traffic coming from Cloudflare’s IP addresses reaches the clients’ origin servers.

Logic flaws

The vulnerabilities leverage logic flaws in cross-tenant security controls, made possible by the fact that Cloudflare uses shared infrastructure accepting connections from all tenants. To abuse the flaws, all a threat actor needs is knowledge of the targeted web server’s IP address, and a free Cloudflare attack. As the researcher explained, when configuring the Authenticated Origin Pulls feature, users generate a certificate through Cloudflare, by default. Alternatively, they can upload their own using an API. 

Now, given that Cloudflare uses a shared certificate for all customers, all connections originating from Cloudflare are fair game: "An attacker can set up a custom domain with Cloudflare and point the DNS A record to victims IP address,"  Proksch said. "The attacker then disables all protection features for that custom domain in their tenant and tunnel their attack(s) through the Cloudflare infrastructure."

"This approach allows attackers to bypass the protection features by the victim."

To mitigate this issue, users should use custom certificates. 

As for the Allowlist Cloudflare IP Addresses tool, if an attacker creates a Cloudflare account and points their domain’s DNS A record to the victim server’s IP address, and turn off all protection features for the custom domain, they can route malicious traffic through Cloudflare’s infrastructure. From the victim’s side, this traffic will be seen as legitimate. 

To define a more specific agress IP address range, dedicated to different clients, users should use Cloudflare Aegis, the researcher suggests.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.