Shoemaker without boots: Cloudflare DDoS protection was circumvented via Cloudflare

CarderPlanet

The technique can render a Cloudflare customer's DDoS and firewall protections ineffective.

Researchers at Certitude have identified gaps in Cloudflare's DDoS protection and firewall. To exploit them, an attacker needs nothing more than a free Cloudflare account: logical flaws in the controls that separate tenants let traffic sent through one tenant's zone bypass the protections configured for another tenant.

The problems stem from Cloudflare's shared infrastructure, which accepts connections from all tenants. The researchers found two weaknesses, affecting the Authenticated Origin Pulls and Allowlist Cloudflare IP Addresses features.
  • Authenticated Origin Pulls. This mechanism lets the origin server verify that HTTP(S) requests arrived via the Cloudflare network rather than directly from an attacker, by having Cloudflare present a client certificate in the TLS handshake. The flaw is that, by default, Cloudflare presents the same shared SSL/TLS certificate for every customer instead of a unique certificate per customer. An attacker can therefore create their own domain in Cloudflare, point its DNS record at the victim's origin IP address, and send requests to the victim's server through Cloudflare: the origin sees a valid Cloudflare client certificate and accepts the traffic, even though it never passed the security settings of the victim's own domain.
  • Allowlist Cloudflare IP Addresses. This control configures the origin to accept traffic only from Cloudflare's published IP address ranges. An attacker can bypass it by creating a domain in Cloudflare, pointing an A record at the victim's origin IP address, and disabling all security features for that domain. Malicious traffic is then routed through Cloudflare's infrastructure and, because it arrives from Cloudflare IP addresses, the victim's origin accepts it as legitimate.

The difference between the two methods is that the first abuses the request-authentication mechanism (the shared client certificate), while the second abuses filtering based on source IP address alone.

Certitude also proposed mitigations: configure Authenticated Origin Pulls with a customer-specific certificate instead of the shared one, and use Cloudflare Aegis to obtain a dedicated, more specific IP range per customer that the origin can allowlist. Cloudflare has not yet commented on whether it plans to add further safeguards or to warn customers about these risky configurations.
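The following is an added model of both origin-side controls and both mitigations, written for this page and not code from Certitude or Cloudflare. It treats a client certificate as the CA that issued it and an origin-pull connection as the egress IP the origin sees. The zone names, the private CA names and the Aegis prefix 198.51.100.0/28 are assumptions; the two Cloudflare prefixes are a small sample of the published list.

```python
"""Model of Cloudflare origin controls: shared-certificate Authenticated Origin
Pulls and IP allowlisting versus a per-tenant certificate and an Aegis range.
Added example, not Certitude's or Cloudflare's code; names and the Aegis
prefix are hypothetical."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample: two prefixes from Cloudflare's published IPv4 ranges.
CLOUDFLARE_RANGES: List[IPv4Network] = [
    ip_network("173.245.48.0/20"),
    ip_network("104.16.0.0/13"),
]
# One client-certificate chain presented for every tenant by default.
SHARED_ORIGIN_PULL_CA = "cloudflare-origin-pull-ca"


@dataclass(frozen=True)
class ZoneConfig:
    """Per-tenant Cloudflare settings that matter to the origin."""
    name: str
    custom_client_cert_ca: Optional[str] = None   # CA of a tenant-uploaded AOP cert
    aegis_prefix: Optional[IPv4Network] = None    # dedicated egress range (Aegis)


@dataclass(frozen=True)
class ProxiedRequest:
    """What the origin observes on a connection coming out of Cloudflare."""
    zone: str
    egress_ip: str
    client_cert_ca: str


def cloudflare_proxy(zone: ZoneConfig) -> ProxiedRequest:
    """Cloudflare forwards a request for `zone` to whatever IP its A record names.
    Without a custom certificate it presents the shared one; without Aegis it
    egresses from the general pool. An attacker's free zone has neither."""
    cert_ca = zone.custom_client_cert_ca or SHARED_ORIGIN_PULL_CA
    egress_ip = str(zone.aegis_prefix[5]) if zone.aegis_prefix else "104.16.1.1"
    return ProxiedRequest(zone.name, egress_ip, cert_ca)


def allowlist_accepts(req: ProxiedRequest, allowed: List[IPv4Network]) -> bool:
    """'Allowlist Cloudflare IP Addresses': a rule keyed on source IP only."""
    src = ip_address(req.egress_ip)
    return any(src in net for net in allowed)


def origin_pull_accepts(req: ProxiedRequest, trusted_ca: str) -> bool:
    """'Authenticated Origin Pulls': origin requires a client cert from trusted_ca."""
    return req.client_cert_ca == trusted_ca


def run_scenarios() -> Dict[str, bool]:
    """Key: '<control>/<victim setting> <who sent it>' -> origin accepted it."""
    victim_default = ZoneConfig("victim.example")
    victim_hardened = ZoneConfig(
        "victim.example",
        custom_client_cert_ca="victim-private-ca",      # hypothetical custom CA
        aegis_prefix=ip_network("198.51.100.0/28"),     # hypothetical Aegis range
    )
    # Free account, A record -> victim's origin IP, all security features off.
    attacker = ZoneConfig("attacker.example")
    # The attacker can upload a certificate too, but the origin trusts no CA of theirs.
    attacker_own_cert = ZoneConfig("attacker.example",
                                   custom_client_cert_ca="attacker-private-ca")
    results: Dict[str, bool] = {}
    # Weak AOP: the origin trusts the shared CA, so any tenant's traffic passes.
    results["aop/shared_ca victim"] = origin_pull_accepts(
        cloudflare_proxy(victim_default), SHARED_ORIGIN_PULL_CA)
    results["aop/shared_ca attacker"] = origin_pull_accepts(
        cloudflare_proxy(attacker), SHARED_ORIGIN_PULL_CA)
    # Hardened AOP: the origin trusts only the victim's own CA.
    results["aop/custom_ca victim"] = origin_pull_accepts(
        cloudflare_proxy(victim_hardened), "victim-private-ca")
    results["aop/custom_ca attacker"] = origin_pull_accepts(
        cloudflare_proxy(attacker), "victim-private-ca")
    results["aop/custom_ca attacker_own_cert"] = origin_pull_accepts(
        cloudflare_proxy(attacker_own_cert), "victim-private-ca")
    # Weak allowlist: every Cloudflare range, so the attacker's egress IP matches.
    results["allowlist/all_cf victim"] = allowlist_accepts(
        cloudflare_proxy(victim_default), CLOUDFLARE_RANGES)
    results["allowlist/all_cf attacker"] = allowlist_accepts(
        cloudflare_proxy(attacker), CLOUDFLARE_RANGES)
    # Hardened allowlist: only the victim's dedicated Aegis prefix.
    aegis_only = [ip_network("198.51.100.0/28")]
    results["allowlist/aegis victim"] = allowlist_accepts(
        cloudflare_proxy(victim_hardened), aegis_only)
    results["allowlist/aegis attacker"] = allowlist_accepts(
        cloudflare_proxy(attacker), aegis_only)
    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:40s} {'ACCEPTED' if accepted else 'rejected'}")
```

Running it shows the attacker's request accepted under both default settings and rejected under both mitigations, including the case where the attacker uploads a certificate of their own: the origin's trust store holds only the victim's CA, so the certificate, not the fact that the connection came from Cloudflare, is what authenticates the tenant.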