Cloudflare security protections can be bypassed in a surprisingly simple way
Cloudflare’s Firewall and DDoS prevention tools carry two worrying vulnerabilities that allow threat actors to send malicious traffic their way, or use their servers to reroute malicious traffic elsewhere, experts have claimed.
According to Certitude’s researcher Stefan Proksch, the vulnerabilities can be found in Cloudflare’s Authenticated Origin Pulls, and Allowlist Cloudflare IP Addresses.
The former is a security tool that makes sure HTTPS requests sent to an origin server come through Cloudflare, and not from a third party. Cloudflare’s Allowlist Cloudflare IP Addresses, on the other hand, is a security feature that makes sure only the traffic coming from Cloudflare’s IP addresses reaches the clients’ origin servers.
Logic flaws
The vulnerabilities leverage logic flaws in cross-tenant security controls, made possible by the fact that Cloudflare uses shared infrastructure accepting connections from all tenants. To abuse the flaws, all a threat actor needs is knowledge of the targeted web server’s IP address, and a free Cloudflare attack. As the researcher explained, when configuring the Authenticated Origin Pulls feature, users generate a certificate through Cloudflare, by default. Alternatively, they can upload their own using an API.
Now, given that Cloudflare uses a shared certificate for all customers, all connections originating from Cloudflare are fair game: “An attacker can set up a custom domain with Cloudflare and point the DNS A record to victims IP address,” Proksch said. “The attacker then disables all protection features for that custom domain in their tenant and tunnel their attack(s) through the Cloudflare infrastructure.”
“This approach allows attackers to bypass the protection features by the victim.”
To mitigate this issue, users should use custom certificates.
As for the Allowlist Cloudflare IP Addresses tool, if an attacker creates a Cloudflare account and points their domain’s DNS A record to the victim server’s IP address, and turn off all protection features for the custom domain, they can route malicious traffic through Cloudflare’s infrastructure. From the victim’s side, this traffic will be seen as legitimate.
To define a more specific agress IP address range, dedicated to different clients, users should use Cloudflare Aegis, the researcher suggests.
Via BleepingComputer
More from TechRadar Pro
Cloudflare’s Firewall and DDoS prevention tools carry two worrying vulnerabilities that allow threat actors to send malicious traffic their way, or use their servers to reroute malicious traffic elsewhere, experts have claimed. According to Certitude’s researcher Stefan Proksch, the vulnerabilities can be found in Cloudflare’s Authenticated Origin Pulls, and Allowlist…
Recent Posts
- This unpronounceable series of glyphs is an incredible side project from Kieran Hebden (aka Four Tet)
- Kodak EC35 is a dirt-cheap point-and-shoot film camera
- NASA shares beautiful timelapse of the Psyche spacecraft’s view over Mars
- How To use Claude’s Reflect dashboard and learn when it’s time to touch grass
- There’s a sneaky way to watch World Cup final 2026 for FREE
Archives
- July 2026
- June 2026
- May 2026
- April 2026
- March 2026
- February 2026
- January 2026
- December 2025
- November 2025
- October 2025
- September 2025
- August 2025
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023