VTA-004467 – Hackers Exploit Cloudflare to Bypass Firewall and DDoS Protections
Recent findings by researchers have exposed a vulnerability that has the potential to enable attackers to circumvent specific security measures provided by Cloudflare. This vulnerability could render Cloudflare customers vulnerable to attacks that the platform is intended to safeguard against. Attackers who leverage their Cloudflare accounts to manipulate this trust relationship can take advantage of it, effectively nullifying the configured security measures and making them ineffectual. One of the affected mechanisms is “Authenticated Origin Pulls,” which is typically regarded as highly secure by Cloudflare. This approach relies on client SSL certificates to authenticate the connections between Cloudflare’s reverse proxy servers and the origin server. Attackers have the capability to establish a custom domain using Cloudflare and direct the DNS A record to the victim’s IP address. Following this, the attacker can disable all protection features specifically for that custom domain within their Cloudflare account and then route their attacks through Cloudflare’s infrastructure. This strategy effectively permits attackers to evade the security measures implemented by the victim.
Another affected mechanism is “Allowlist Cloudflare IP addresses,” which is considered to have a moderate level of security. It operates by denying connections that do not originate from within Cloudflare’s IP address ranges. Attackers can indeed create a custom domain using Cloudflare and set the DNS A record to point to the victim’s IP address. Subsequently, they have the capability to deactivate all security measures for that custom domain within their Cloudflare account. By doing so, they can channel their attacks through Cloudflare’s infrastructure, effectively circumventing the protection mechanisms that the victim has put in place.
Severity:
Medium
Attack Surfaces:
Cloud Service, Web Application
References:
https://certitude.consulting/blog/en/using-cloudflare-to-bypass-cloudflare/
SuperPRO’s Threat Countermeasures Procedures:
1. Review your origin-server protection strategy to ensure that your configured protections are reliably enforced.
2. Keep your origin servers up to date with the latest security patches.
3. Implement multi-factor authentication (MFA) on all of your accounts, including your Cloudflare account.
4. Monitor your website traffic for suspicious activity.
5. Use Cloudflare Aegis to enable dedicated egress IPs instead of shared IP ranges
6. Use custom certificates to establish a direct connection between the user’s browser and the organization’s origin server.
Contributed by: Varrumen