Stefan Proksch, a security expert from Certitude, an IT consulting company in Vienna, recently discovered vulnerabilities in Cloudflare’s cross-tenant security measures. This could potentially enable attackers to circumvent protection mechanisms configured by Cloud provider customers, such as the Web Application Firewall (WAF) or DDoS protection. In his report, Proksch explained that attackers could use their own Cloudflare accounts to abuse the trust relationship between Cloudflare and their customers’ websites, rendering the protective mechanisms ineffective. This could happen inadvertently if users follow the provider’s official documentation, as they may activate mechanisms that malicious actors could exploit through the Cloudflare platform.

A specific issue arises when using Cloudflare’s “highly secure” mechanism called “Authenticated Origin Pulls” in conjunction with a Cloudflare certificate. Due to the shared certificate infrastructure, an attacker can bypass protective mechanisms by creating their own domain on Cloudflare and setting the DNS A record to the target system’s IP address. Proksch further explained that the attacker can then disable all protection features for this own domain in their tenant and tunnel their attacks through the Cloudflare infrastructure. The only way to defend against such attacks is to use custom certificates. However, this requires the customer to establish and manage their own certificate infrastructure. Configuring custom certificates is currently only possible through an API, which is why most customers are likely to use the easier-to-use Cloudflare certificates.

A similar issue occurs when customers use the “Allowlist Cloudflare IP addresses” mechanism at the network level, which Cloudflare rates as “moderately secure.” Although the customer’s server rejects connections that do not originate from Cloudflare’s IP address range, an attacker can, in a manner similar to the first issue described, route their attacks to the target system through the Cloudflare infrastructure. To address this problem, the use of Cloudflare Aegis is required to establish dedicated outbound IP addresses instead of the shared IP address range. However, it is unclear whether this service is available to all customers.

Proksch reported both issues to Cloudflare on March 16, 2023, through HackerOne. While the company acknowledged the vulnerabilities, they marked the reports as “informative” and closed them. It is unclear whether the provider intends to address these issues.

Microsoft’s Swift Response: June Patch Release

Microsoft promptly responded to this threat by releasing a patch in June. At that time, the company stated that an attacker could exploit the vulnerability using fake JWT authentication tokens to execute a network attack, bypass authentication, and gain access to the privileges of an authenticated user. Importantly, this exploitation does not require any special privileges or actions from the targeted user.

Part of a Sophisticated Exploit Chain

This week, a security researcher from Star Labs published a technical analysis describing how he successfully exploited CVE-2023-29357 in combination with another critical security vulnerability, CVE-2023-24955, during the Pwn2Own competition in March 2023 in Vancouver. His sophisticated approach allowed him to execute custom code on a SharePoint server remotely, earning him a $100,000 prize for the discovery.

GitHub Discovery and Potential Exploits

Surprisingly, just one day after the publication of this analysis, a proof-of-concept exploit for CVE-2023-29357 appeared on GitHub. While this exploit alone does not enable remote code execution (RCE) since it does not cover the entire exploit chain demonstrated by the Star Labs researcher, attackers could potentially combine it with CVE-2023-24955 to restore full functionality.

The repository’s description clarifies that the script does not contain RCE functions and is intended solely for educational and legitimate testing purposes.

Urgent Call to Action: Apply Microsoft’s Patches

Administrators are strongly advised to apply the patches provided by Microsoft if they have not done so already. A security update for CVE-2023-24955 has been available since May. Now that technical details for exploiting both vulnerabilities are publicly known, it is only a matter of time before attackers replicate the entire exploit chain and deploy it on a large scale. Your swift action is crucial to protect your systems.

CVE-2023-22515: A critical privilege escalation vulnerability

The vulnerability, now identified as CVE-2023-22515, has been rated by Atlassian with a severity score of 10.0 (critical). Despite its severity, Atlassian has not yet released detailed information about this vulnerability. However, reports suggest that it affects publicly accessible Confluence data centers and servers, enabling threat actors to create unauthorized administrator accounts and gain access to Confluence instances.

According to Atlassian’s security advisory, “instances on the public internet are particularly vulnerable, as this vulnerability is anonymously exploitable.”

Protecting your systems: Mitigation measures and threat detection

Atlassian has promptly recommended several steps to mitigate this critical issue. Users are advised to restrict access to the /setup/* endpoints on Confluence instances by following these instructions:

1. Modify the file /<confluence-install-dir>/confluence/WEB-INF/web.xml and insert the following code block (directly before the </web-app> tag at the end of the file):

xmlCopy code

<security-constraint> <web-resource-collection> <url-pattern>/setup/*</url-pattern> <http-method-omission>*</http-method-omission> </web-resource-collection> <auth-constraint /> </security-constraint>

2. Restart Confluence.

Regarding threat detection, Atlassian advises users to check all affected Confluence instances for signs of compromise, including:

• Unexpected members in the confluence-administrators group
• Unexpectedly created user accounts
• Requests to /setup/*.action in network access logs
• The presence of /setup/setupadministrator.action in an exception message in the Atlassian-confluence-security.log file in the Confluence home directory.

For further details and updates, you can view Atlassian’s security advisory [here](insert the link). Stay vigilant and take necessary actions to protect your Confluence environment.

This security flaw has been categorized as a Cross-Site Scripting (XSS) vulnerability, which allows malicious actors to execute arbitrary JavaScript code within a Word document. This XSS vulnerability affects various Office products, including Microsoft Word, and revolves around a feature that permits users to embed external videos in documents through the “Online Videos” tab.

When a user attempts to play an external video embedded within a document, Office conducts a check to ascertain the trustworthiness of the video’s source. This evaluation involves the application of a regular expression to the video’s URL, which includes well-known sources like YouTube. If the source is considered reliable, Office requests data such as the video’s title or thumbnail. However, the vulnerability arises from how Office manages the video’s title within the HTML iframe tag.

The server responds with information, including the video’s title, description, and the HTML iframe tag. The problem arises when the server incorporates the video’s title into the “title” attribute of the iframe tag without proper validation. This oversight allows attackers to manipulate the iframe tag by introducing an “unload” attribute, thereby enabling them to inject arbitrary JavaScript code.

Exploiting this vulnerability involves several steps. Attackers create a YouTube video with a title containing a payload designed to insert the “onload” attribute. They then insert the URL of this malicious video into a Word document using the Online Videos tab. When the video is played, the injected JavaScript code is executed.

The consequences of this vulnerability are significant. Attackers can execute arbitrary JavaScript code when a video embedded in a Word document is played. While this may not appear immediately alarming, it’s essential to note that past critical exploits in Office applications often began with the execution of arbitrary JavaScript. If combined with a new vulnerable Uniform Resource Identifier (URI), exploiting this vulnerability could potentially lead to a critical Remote Code Execution (RCE) vulnerability.

This underscores the urgency for Microsoft to address and patch this issue promptly. The Microsoft Office XSS flaw emphasizes the importance of maintaining up-to-date software and exercising caution when dealing with content embedded in documents. Users should be vigilant about potential security risks associated with video content, particularly when it originates from untrusted sources.