DBSA:2017-02241

From Digibase Knowledge Base
Revision as of 03:53, 24 February 2017 by Kradorex Xeron (talk | contribs) (Created page with "{{DBSAHEAD | TITLE=Multi-Website/Cloudflare Potential Compromise | KEYWORDS=Cloudflare, MITM, interception, compromise }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' Multi-...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Multi-Website/Cloudflare Potential Compromise

Keywords: Cloudflare, MITM, interception, compromise

DBSA ID: 2017-02241

Regarding: Multi-Website/Cloudflare Potential Compromise

Writeup: Kradorex Xeron (talk) 02:53, 24 February 2017 (EST)

Date: 2017 02 24

Last Modified: 20170224035332 by Kradorex Xeron

Who should take note: Everyone

Classification

Priority: HIGH

Rationale: Users and website operators must act to ensure their privacy and security is secured.

Severity: HIGH

Rationale: Potential full information compromise

Spread of Issue: MULTI-PLATFORM HIGH

Rationale: According to sources, over 4 million websites impacted.

Description

Cloudflare is a company that offers a reverse proxy service that allegedly protects websites from attacks including DDoS attacks, exploit and other such malicious activities. To perform this protection, users of websites connect to Cloudflare's servers which then processes the traffic before sending it on. The manner in which their product is designed requires that website owners allow Cloudflare to decrypt encrypted traffic to process it, meaning that any and all traffic processed through Cloudflare servers is not fully secure.

Recently, an uninitialized memory vulnerability with Cloudflare's infrastructure was discovered. This vulnerability means that information such as private webpage content, private messages on websites, usernames, passwords and other such information is left persistent on Cloudflare's servers and isn't reset to zero prior to a new request being serviced. This vulnerability permits a malicious party to read this persistent memory.

This means that a malicious request can be submitted to a Cloudflare server node and this persistent content being read over the network, resulting in significant information disclosure.

Mitigation/Solution

Users are advised to run rolling password changes on any website impacted at 1 week intervals for the next 30 days.

Users may check websites that may be impacted using this self-serve tool: http://dev.digibase.ca/cfcheck/ and possibly peruse the "sites-using-cloudflare" list below for further information.

Website administrators are advised to re-evaluate their use of Cloudflare and potentially apply pressure to Cloudflare to offer a higher-security option where only DDoS conditions are detected and SSL/TLS interception is disabled.

References