Cloudflare whacks WAF bypass bug that opened side door

The Register

Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could lead to data theft or full server takeover.

FearsOff security researchers reported the bug in October through Cloudflare's bug bounty program, and the CDN says it has patched the vulnerability in its ACME (Automatic Certificate Management Environment) validation logic, with no action required from its customers.

ACME is a protocol that certificate authorities and services like Cloudflare use to automate the issuance, renewal and revocation of SSL/TLS certificates.

It uses challenges to prove domain ownership before issuing a security certificate, and this is typically done via an HTTP-01 challenge that checks for a validation token at an HTTP path of this format: `http://<customer domain>/.well-known/acme-challenge/<token value>`.

In its report, the cyberthreat hunting firm likens a WAF to the front door and ACME to a hallway that should only be used by a "certificate robot" to verify domain ownership. When configured correctly, a WAF can help let expected validation traffic through while filtering out many malicious requests, including automated bots.

"A certificate robot's hallway should never become a side door," the FearsOff researchers wrote.

The side door in this case was caused by a logic flaw in how Cloudflare processed some ACME challenge requests.

"Previously, when Cloudflare was serving a HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response," Cloudflare explained in a Monday blog.

"This is done because those features can interfere with the certificate authority's ability to validate the token values and would cause failures with automated certificate orders and renewals," it continued.

"However, the logic in this case failed to verify that the token in the request matched an active challenge for the hostname, and this would allow an attacker to completely bypass the WAF security controls and reach the origin server."

Cloudflare fixed the flaw on October 27 by pushing code that only allows the WAF features to be disabled if the request matches a valid ACME HTTP-01 challenge token for the hostname.

While there's no evidence that miscreants found and abused the security hole before Cloudflare fixed the issue, the bug hunters say that this type of WAF bypass becomes an even bigger threat to organizations in the face of AI-driven attacks.

"Automated tools powered by machine learning can rapidly enumerate and exploit exposed paths like /.well-known/acme-challenge/, probing for framework-specific weaknesses or misconfigurations at scale," FearsOff wrote in a Monday analysis. "For instance, an AI model trained to identify servlet traversal quirks or PHP routing bugs could chain this bypass with targeted payloads, turning a narrow maintenance path into a broad attack vector."
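The logic flaw and its fix, as an added toy model written for this article (not Cloudflare's code, which is not public): a simulated edge decides whether to switch off WAF features for a request. The pre-fix check looks the token up without regard to the hostname; the fixed check requires the (hostname, token) pair to be an active challenge. Hostnames, tokens and the `active` set are constructed sample values.

```python
import re
from dataclasses import dataclass

# Shape of an ACME HTTP-01 challenge path: /.well-known/acme-challenge/<token>.
# RFC 8555 tokens are base64url, so a single path segment of [A-Za-z0-9_-];
# anything else (extra segments, traversal, a prefix) is not a challenge path.
ACME_PATH = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")


@dataclass(frozen=True)
class Request:
    hostname: str  # Host header / SNI the request arrived for
    path: str      # request path


def acme_token(path: str):
    """Return the challenge token from a well-formed HTTP-01 path, else None."""
    match = ACME_PATH.match(path)
    return match.group(1) if match else None


def waf_disabled_vulnerable(req: Request, active: set) -> bool:
    """Pre-fix behaviour (hypothetical model): the WAF is switched off whenever
    the token is active for *any* hostname in the system; the request's own
    hostname is never consulted."""
    token = acme_token(req.path)
    if token is None:
        return False
    return any(tok == token for _host, tok in active)


def waf_disabled_fixed(req: Request, active: set) -> bool:
    """Post-fix behaviour (hypothetical model): the WAF is switched off only if
    the token is an active challenge for *this* hostname."""
    token = acme_token(req.path)
    if token is None:
        return False
    return (req.hostname, token) in active


# Constructed state: exactly one active challenge, for tenant-b.example only.
ACTIVE = {("tenant-b.example", "Ab3-xY9_tok")}

if __name__ == "__main__":
    # The same token presented against tenant-a.example: the old check drops
    # the WAF, the fixed check keeps it on.
    req = Request("tenant-a.example", "/.well-known/acme-challenge/Ab3-xY9_tok")
    print("vulnerable:", waf_disabled_vulnerable(req, ACTIVE))  # True
    print("fixed:     ", waf_disabled_fixed(req, ACTIVE))       # False
```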
Copyright © 1998-2025, The Register. All rights reserved.
