Cloudflare’s Security Protections Vulnerabilities

Researchers have identified two vulnerabilities in Cloudflare’s security tools that could allow threat actors to send malicious traffic to a protected origin, or reroute it through Cloudflare’s servers. Both vulnerabilities concern Cloudflare’s Authenticated Origin Pulls and Allowlist Cloudflare IP Addresses features.

Vulnerabilities in Authenticated Origin Pulls and Allowlist Cloudflare IP Addresses

  • Authenticated Origin Pulls: This security tool ensures that HTTPS requests sent to an origin server come through Cloudflare rather than from a third party.
  • Allowlist Cloudflare IP Addresses: This feature ensures that only traffic originating from Cloudflare’s IP addresses reaches clients’ origin servers.

Exploiting Logic Flaws in Cross-Tenant Security Controls

The vulnerabilities arise from logic flaws in cross-tenant security controls. Cloudflare’s edge is shared infrastructure that accepts connections from all tenants, so an origin that merely checks “did this come from Cloudflare?” cannot distinguish one tenant’s traffic from another’s. To exploit this, an attacker only needs to know the targeted web server’s IP address and have access to a free Cloudflare account.

For Authenticated Origin Pulls, an attacker can set up a custom domain with Cloudflare and point the DNS A record to the victim’s IP address. They can then disable all protection features for that custom domain in their Cloudflare account and route their attacks through Cloudflare’s infrastructure. This approach allows attackers to bypass the victim’s protection features.

To mitigate this issue, users should use custom certificates for Authenticated Origin Pulls, so that the origin trusts only the certificate configured for their own zone rather than the certificate Cloudflare presents on behalf of every tenant.

The Allowlist Cloudflare IP Addresses tool is affected in the same way: attackers can create a Cloudflare account, point their domain’s DNS A record to the victim’s server’s IP address, and turn off all protection features for that custom domain. This lets them route malicious traffic through Cloudflare’s infrastructure, where it appears as legitimate Cloudflare traffic from the victim’s perspective.

The researchers suggest using Cloudflare Aegis, which provides dedicated egress IP address ranges specific to individual clients, so that the origin’s allowlist can be narrowed to those ranges instead of the shared Cloudflare ranges.