Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Keywords: Cloudflare, MITM, interception, compromise
DBSA ID: 2017-02241
Regarding: Multi-Website/Cloudflare Potential Compromise
Date: 2017 02 24
Last Modified: 20170224160750 by Kradorex Xeron
Who should take note: Everyone
Rationale: Users and web service operators must act to ensure their privacy and security is secured.
Rationale: Potential full information compromise
Spread of Issue: MULTI-PLATFORM HIGH
Rationale: According to sources, over 4 million websites impacted.
Cloudflare is a company that offers a reverse proxy service that allegedly protects websites from attacks including DDoS attacks, exploit and other such malicious activities. To perform this protection, users of websites connect to Cloudflare's servers which then processes the traffic before sending it on to the real location of the content. The manner in which their product is designed requires that website owners allow Cloudflare to decrypt encrypted traffic to process it, meaning that any and all traffic processed through Cloudflare servers is not fully secure.
Recently, an uninitialized memory vulnerability with Cloudflare's infrastructure was discovered. This vulnerability means that information such as private webpage content, private messages on websites, usernames, passwords, authentication tokens and other such information is left persistent on Cloudflare's servers and isn't reset to zero prior to a new request being serviced. This vulnerability permits a malicious party to read this persistent memory.
This means that a malicious request can be submitted to a Cloudflare server node and this persistent content being read over the network, resulting in significant information disclosure. This disclosure includes the unencrypted form of encrypted (SSL/TLS) data.
Users are advised to run rolling password changes on any website impacted at 1 week intervals for the next 30 days and to refrain from supplying personal information to a Cloudflare-protected web service.
Users may check websites that may be impacted using this self-serve tool: http://dev.digibase.ca/cfcheck/ and possibly peruse the "sites-using-cloudflare" list below for further information.
Website administrators are advised to re-evaluate their use of Cloudflare and to consider applying pressure to Cloudflare to offer a higher-security option where only DDoS conditions are detected and SSL/TLS interception is disabled.