Gaps in Cloudflare’s security controls allow users to bypass customer-configured protection mechanisms and target other users from the platform itself, technology consulting firm Certitude warns.
The issue, the company says, arises from the shared infrastructure that all Cloudflare tenants have access to, allowing malicious actors to abuse the trust customers place in the platform’s protections to target them via Cloudflare.
A major cybersecurity vendor offering web application firewall (WAF), bot management, and distributed denial-of-service (DDoS) protections, Cloudflare relies on a network of reverse-proxy servers to inspect all traffic headed to customers’ web servers for malicious activity.
According to Certitude, because traffic originating from Cloudflare’s own infrastructure is trusted by default, it is not passed through the configured reverse-proxy protections, unlike traffic from other parties.
Because of that, the consulting firm says, an attacker registered with Cloudflare can target other users on the platform, essentially bypassing the platform’s protections.
One gap Certitude discovered concerns the transport-layer ‘Authenticated Origin Pulls’ mechanism, which relies on a Cloudflare SSL certificate for authentication.
When setting up the authentication mechanism to their web servers (origin servers), customers can opt for using a Cloudflare certificate or for using their own certificate.
However, because the available options are insufficiently documented, and because a custom certificate can only be configured through the API, “it is reasonable to assume that customers will opt for the more convenient choice of using the Cloudflare certificate,” Certitude notes.
The use of a shared certificate means that all connections originating from Cloudflare are permitted, regardless of the tenant initiating them.
A similar gap was identified in the network-layer ‘Allowlist Cloudflare IP addresses’ mechanism, which blocks connections originating from outside Cloudflare’s IP ranges but permits all connections from within Cloudflare’s infrastructure.
“An attacker can establish a custom domain with Cloudflare, direct the DNS A record to the victim’s IP address. Next, they disable all protection features for that custom domain and route their attack(s) through Cloudflare’s infrastructure, effectively bypassing the protection features that the victim has configured,” Certitude explains.
The consulting firm has published a proof-of-concept (PoC) demonstration of these issues and recommends the use of custom certificates for connection authentication and the use of Cloudflare Aegis to mitigate the gaps.
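To make the difference between the two deployments concrete, the following is an added, origin-side model of the admission decision (example code written for this article, not Certitude’s PoC or Cloudflare’s implementation). It evaluates the network-layer IP allowlist and the transport-layer client-certificate check under three policies: the common setup (any Cloudflare IP plus the shared certificate), the first recommendation (a customer-issued certificate), and both recommendations together (a customer-issued certificate plus dedicated egress IPs of the kind Aegis provides). All IP ranges, certificate fingerprints and the "other-tenant" traffic are constructed placeholders; they are not Cloudflare’s published ranges or certificates.

```python
"""Origin-side admission model for the two controls discussed above.

Every IP range and certificate fingerprint here is a constructed placeholder,
not Cloudflare's real published value.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for Cloudflare's shared egress ranges, which every
# tenant's origin pulls come from.
SHARED_CLOUDFLARE_RANGES = (
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
)
# Hypothetical dedicated egress range assigned to one customer (Aegis-style).
DEDICATED_EGRESS_RANGES = (ipaddress.ip_network("203.0.113.128/28"),)

# Placeholder fingerprints. The shared certificate is what any tenant's origin
# pull presents; the customer certificate is only presented by pulls for zones
# configured (via the API) with that customer's own certificate.
SHARED_CF_CERT_FP = "sha256:PLACEHOLDER-SHARED-CLOUDFLARE-ORIGIN-PULL-CERT"
CUSTOMER_CERT_FP = "sha256:PLACEHOLDER-CUSTOMER-OWN-ORIGIN-PULL-CERT"


@dataclass(frozen=True)
class OriginRequest:
    tenant: str                    # Cloudflare account whose zone made the pull
    src_ip: str                    # egress address the origin sees
    client_cert_fp: Optional[str]  # TLS client certificate presented, if any


@dataclass(frozen=True)
class OriginPolicy:
    allowed_ranges: tuple
    accepted_cert_fps: frozenset


def admit(req: OriginRequest, policy: OriginPolicy) -> tuple[bool, str]:
    """Network-layer allowlist first, then transport-layer client-cert check."""
    ip = ipaddress.ip_address(req.src_ip)
    if not any(ip in net for net in policy.allowed_ranges):
        return False, "source IP outside allowlist"
    if req.client_cert_fp not in policy.accepted_cert_fps:
        return False, "client certificate not accepted"
    return True, "admitted"


POLICIES = {
    # Both controls as commonly deployed: any Cloudflare IP, shared certificate.
    "shared": OriginPolicy(SHARED_CLOUDFLARE_RANGES, frozenset({SHARED_CF_CERT_FP})),
    # First recommendation: keep the broad IP allowlist, require the customer's
    # own certificate.
    "custom-cert": OriginPolicy(SHARED_CLOUDFLARE_RANGES, frozenset({CUSTOMER_CERT_FP})),
    # Both recommendations: dedicated egress IPs plus the customer's certificate.
    "custom-cert+aegis": OriginPolicy(DEDICATED_EGRESS_RANGES, frozenset({CUSTOMER_CERT_FP})),
}

# Constructed traffic as the origin would see it under each policy.
# "victim" is the customer's own zone; "other-tenant" is a second account whose
# zone's A record points at the same origin with protections disabled.
TRAFFIC = {
    "shared": [
        OriginRequest("victim", "198.51.100.7", SHARED_CF_CERT_FP),
        OriginRequest("other-tenant", "198.51.100.9", SHARED_CF_CERT_FP),
    ],
    "custom-cert": [
        OriginRequest("victim", "198.51.100.7", CUSTOMER_CERT_FP),
        OriginRequest("other-tenant", "198.51.100.9", SHARED_CF_CERT_FP),
    ],
    "custom-cert+aegis": [
        OriginRequest("victim", "203.0.113.130", CUSTOMER_CERT_FP),
        OriginRequest("other-tenant", "198.51.100.9", SHARED_CF_CERT_FP),
    ],
}


def evaluate_all() -> dict[tuple[str, str], tuple[bool, str]]:
    """Return {(policy, tenant): (admitted, reason)} for every sample request."""
    results = {}
    for name, policy in POLICIES.items():
        for req in TRAFFIC[name]:
            results[(name, req.tenant)] = admit(req, policy)
    return results


if __name__ == "__main__":
    for (name, tenant), (ok, why) in evaluate_all().items():
        print(f"{name:18} {tenant:13} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Under the "shared" policy the other tenant’s pull is indistinguishable from the customer’s own and is admitted, which is the bypass the article describes. Requiring the customer’s own certificate rejects it at the TLS layer even with the full Cloudflare IP allowlist in place; on a real origin this is the `ssl_verify_client on` / `ssl_client_certificate` pair in nginx pointed at the customer’s CA rather than the shared one. Dedicated egress IPs add a second, independent rejection at the network layer.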
Certitude says it reported the issues through Cloudflare’s bug bounty program in March, and that its report was marked as ‘informative’ and closed without a fix. A Cloudflare spokesperson has yet to respond to SecurityWeek’s request for a statement.