Attackers can bypass protective measures such as a WAF or DDoS protection through their own Cloudflare accounts.
Stefan Proksch, a security expert at Certitude, an IT consulting company in Vienna, recently discovered weaknesses in Cloudflare's cross-tenant security measures. They could enable attackers to circumvent protection mechanisms configured by the cloud provider's customers, such as the Web Application Firewall (WAF) or DDoS protection. In his report, Proksch explained that attackers can use their own Cloudflare accounts to abuse the trust relationship between Cloudflare and its customers' websites, rendering the protective mechanisms ineffective. Customers may expose themselves to this inadvertently by following the provider's official documentation, since the mechanisms it recommends are the ones malicious actors can exploit through the Cloudflare platform.
A specific issue arises when Cloudflare's mechanism called "Authenticated Origin Pulls", which the provider rates as "highly secure", is used in conjunction with a Cloudflare-issued certificate. Because the certificate infrastructure is shared across all tenants, an attacker can bypass the origin's protection by creating their own domain on Cloudflare and pointing its DNS A record at the target system's IP address. Proksch further explained that the attacker can then disable all protection features for that domain in their own tenant and tunnel their attacks through the Cloudflare infrastructure. The only way to defend against such attacks is to use custom certificates. However, this requires the customer to establish and manage their own certificate infrastructure. Configuring custom certificates is currently only possible through an API, which is why most customers are likely to use the easier-to-set-up Cloudflare certificates.
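The origin-side trust decision at the heart of this issue, shown as an added example that is not part of Proksch's report or of Cloudflare's own code: a Go program that models the two configurations with throwaway certificates generated in memory. Every CA and certificate in it is constructed for the example (their names say so); it does not use Cloudflare's real certificates, and the "shared CA" and "customer private CA" are assumptions standing in for the two trust anchors the article describes. It shows why an origin that trusts the shared CA admits a client certificate issued under that CA for any tenant's zone, while an origin whose trust store holds only the customer's private CA rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate together with the private key that controls it.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// check panics on key or certificate generation errors, which cannot occur with valid templates.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert generates a key and certificate named name. With issuer nil the result is a
// self-signed CA (a modelled trust anchor); otherwise it is a TLS client certificate
// signed by issuer, i.e. the certificate the edge presents to the origin when it pulls.
func makeCert(name string, issuer *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil // a CA with no EKU restriction
	} else {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &identity{cert: cert, key: key}
}

// originAccepts is the origin's mTLS decision: allow the connection only if the
// presented client certificate chains to the CA in the origin's trust store.
func originAccepts(trustAnchor, presented *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Outcome records what each trust-store configuration lets through.
type Outcome struct {
	SharedCAAcceptsOwnZone     bool // the intended case
	SharedCAAcceptsOtherTenant bool // true: the origin cannot tell tenants apart
	CustomCAAcceptsOwnCert     bool // the intended case with a custom certificate
	CustomCAAcceptsOtherTenant bool // false: the other tenant's edge cert is untrusted
}

// runScenario builds both trust models (all constructed) and evaluates the origin's decision in each.
func runScenario() Outcome {
	shared := makeCert("modelled shared origin pull CA", nil)
	ownZone := makeCert("modelled edge cert for the customer's own zone", shared)
	otherTenant := makeCert("modelled edge cert for a different tenant's zone", shared)
	private := makeCert("modelled customer private CA", nil)
	uploaded := makeCert("modelled customer-uploaded origin pull cert", private)
	return Outcome{
		SharedCAAcceptsOwnZone:     originAccepts(shared.cert, ownZone.cert),
		SharedCAAcceptsOtherTenant: originAccepts(shared.cert, otherTenant.cert),
		CustomCAAcceptsOwnCert:     originAccepts(private.cert, uploaded.cert),
		CustomCAAcceptsOtherTenant: originAccepts(private.cert, otherTenant.cert),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

The model issues one leaf per zone only to make the comparison readable; the conclusion does not depend on that detail, because the origin's decision rests solely on which CA sits in its trust store. A trust anchor that every tenant's traffic can satisfy is not an authentication of the customer's own zone, which is exactly why the article's remedy is a certificate the customer issues and uploads themselves. The network-level variant described below has the same shape: a shared egress IP range plays the role of the shared CA.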
A similar issue occurs when customers use the "Allowlist Cloudflare IP addresses" mechanism at the network level, which Cloudflare rates as "moderately secure." Although the customer's server rejects connections that do not originate from Cloudflare's IP address range, an attacker can, in the same manner as in the first issue, route their attacks to the target system through the Cloudflare infrastructure, because the requests then arrive from that very range. Addressing this requires Cloudflare Aegis, which provides dedicated outbound IP addresses in place of the shared range. However, it is unclear whether this service is available to all customers.
Proksch reported both issues to Cloudflare on March 16, 2023, through HackerOne. While the company acknowledged the findings, it marked the reports as "informative" and closed them. It is unclear whether the provider intends to address these issues.