Cloudflare’s firewall and DDoS attack prevention mechanisms have been compromised due to logical vulnerabilities in the system.

Description

The bypass is possible because Cloudflare uses shared infrastructure that accepts connections from all tenants [2], allowing attackers to exploit gaps in cross-tenant security controls [3]. By knowing the targeted web server’s IP address and having a free Cloudflare account [2], an attacker can set up a custom domain with Cloudflare [2], point its DNS A record at the victim’s IP address [2], and disable all protection features for that domain [2]. Traffic sent through the attacker’s zone then reaches the victim’s origin from Cloudflare’s own infrastructure, bypassing the protection features configured on the victim’s zone.

Additionally, attackers can abuse the trust associated with Cloudflare’s shared infrastructure. One issue is the use of a shared Cloudflare certificate [1] [4] [5], which allows attackers with a Cloudflare account to send malicious payloads through the platform [4] [5]. Another problem involves the abuse of allowlisting Cloudflare IP addresses to transmit rogue inputs and target other users [1] [4] [5].

To address these issues [2], Cloudflare has acknowledged the findings and added a new warning in its documentation [1] [4] [5], recommending the use of custom certificates for Authenticated Origin Pulls and considering additional security measures for origin servers [4] [5].
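The recommended mitigation, shown as an nginx origin configuration. This is an added example, not from the page or from Cloudflare; the hostnames, file paths and backend address are placeholders. The first block is the weak setup that the bypass defeats, the second is the hardened alternative; they are alternatives for the same origin, not meant to be deployed together.

```nginx
# --- Weak: the origin trusts source IP (or the shared Cloudflare certificate) alone ---
# Requests from ANY Cloudflare tenant arrive from Cloudflare's egress ranges and
# can carry the shared origin-pull certificate, so neither control tells the
# origin which zone the request came through.
server {
    listen 443 ssl;
    server_name origin.example.com;                     # placeholder

    ssl_certificate     /etc/ssl/origin/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/origin/privkey.pem;    # placeholder

    include /etc/nginx/cloudflare-ips.conf;  # placeholder: "allow <range>;" lines
    deny all;

    location / {
        proxy_pass http://127.0.0.1:8080;               # placeholder backend
    }
}

# --- Hardened: Authenticated Origin Pulls with the zone owner's own certificate ---
# The zone owner issues a client certificate from a private CA and uploads it to
# Cloudflare for their zone. Only requests proxied through THAT zone present a
# certificate chaining to the CA below; requests tunnelled through an attacker's
# zone arrive with no certificate (or the shared one) and fail the TLS handshake.
server {
    listen 443 ssl;
    server_name origin.example.com;                     # placeholder

    ssl_certificate     /etc/ssl/origin/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/origin/privkey.pem;    # placeholder

    ssl_client_certificate /etc/ssl/origin/aop-ca.pem;  # placeholder: CA that signed the uploaded cert
    ssl_verify_client on;                               # reject handshakes without a valid client cert
    ssl_verify_depth 1;

    # Keep the IP allowlist as defence in depth; it is no longer the only control.
    include /etc/nginx/cloudflare-ips.conf;             # placeholder
    deny all;

    # Log the presented client certificate so unexpected subjects (or "NONE")
    # from Cloudflare ranges stand out during review.
    log_format aop '$remote_addr "$ssl_client_s_dn" $ssl_client_verify "$request" $status';
    access_log /var/log/nginx/origin-aop.log aop;      # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;               # placeholder backend
    }
}
```

With `ssl_verify_client on`, nginx refuses the connection before any request is processed, so the origin's exposure no longer depends on the attacker's zone settings. The `$ssl_client_s_dn` and `$ssl_client_verify` fields in the access log give a simple way to confirm that only the expected certificate subject is ever accepted.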

Furthermore, researchers at Certitude have discovered that attackers can hijack subdomains belonging to over 1,000 organizations using “dangling” DNS records [1]. Additionally, adversaries are using dynamically seeded domain generation algorithms to avoid detection [1], as revealed by Akamai. Researchers have also demonstrated a DNS poisoning attack called MaginotDNS that exploits flaws in bailiwick checking algorithms [1].

Conclusion

This vulnerability in Cloudflare’s Firewall and DDoS prevention system undermines the effectiveness of its protection systems and puts its customers at risk. It is crucial for Cloudflare to address these logical vulnerabilities and strengthen its security measures to prevent further compromises. The findings from Certitude and other researchers highlight the need for continuous monitoring and improvement in DNS security to stay ahead of evolving attack techniques.

References

[1] https://thehackernews.com/2023/10/researcher-reveal-new-technique-to.html
[2] https://www.techradar.com/pro/security/cloudflare-security-protections-can-be-bypassed-in-a-surprisingly-simple-way
[3] https://cert.bournemouth.ac.uk/cloudflare-ddos-protections-ironically-bypassed-using-cloudflare/
[4] https://vulners.com/thn/THN:CC8B55B9D5B3C35207BFBDDAE5147744
[5] https://beker.uk/2023/10/03/researcher-reveals-new-techniques-to-bypass-cloudflares-firewall-and-ddos-protection/