CloudBleed: Another Internet Security Disaster

Cloudflare, a popular Internet infrastructure service that provides security for websites, has been found to have a very critical security vulnerability, also known as CloudBleed, which affects around 5 million websites.

Yesterday, security researcher Tavis Ormandy of Google's Project Zero uncovered a major vulnerability in Cloudflare, which is another Internet disaster.

While Cloudflare's service was rapidly patched to eliminate this bug, data had been leaking constantly before that point, for months. Some of this data was cached publicly in search engines such as Google and is being removed. Other data might exist in other caches and services throughout the Internet, and it is obviously impossible to coordinate deletion across all of these locations. There is always the possibility that someone malicious discovered this vulnerability independently, before Tavis, and actively exploited it, but there is no evidence to support this theory. So it is unclear whether attackers had been exploiting the bug earlier.

Millions of sites use Cloudflare's service, including Uber, OkCupid, 1Password, FitBit and others.

In an advisory, Ormandy wrote:
“I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings,”
“We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
he added.

How did CloudBleed arise?

Cloudbleed is especially interesting because a single character in Cloudflare's code led to the vulnerability. A simple coding error caused this bug, much like Heartbleed.

In a blog post, Cloudflare detailed the bug. The issue stems from the company's decision to use a new HTML parser called cf-html. An HTML parser is a program that scans markup to pull out relevant pieces such as start tags and end tags, which makes it easier to modify that markup.

Cloudflare ran into trouble when adapting the source code of cf-html and its old parser, Ragel, to work with its own software. An error in the code created what is called a buffer overrun vulnerability. (The error involved a "==" in the code where there should have been a ">=".) This means that when the software was working through a buffer, a limited amount of space for temporary data, it would reach the end of the buffer and then keep going past it, into memory that belonged to something else.
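To make the "==" versus ">=" point concrete, here is a small C scanner added as an illustration; it is not Cloudflare's cf-html or its Ragel-generated code, and the input, the skip rule and the function name are all constructed for this example. The scanner walks through a fixed number of input bytes looking for the '>' that closes a tag, and on a '\r' it steps forward by two bytes. When the input ends exactly on that '\r', the cursor jumps from one byte before the end to one byte past it, so an equality check against the end pointer never fires and the scanner keeps reading whatever happens to sit after the input. A ">=" check stops at the same point regardless of how far the cursor overshot.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy tag scanner, constructed for this illustration (not Cloudflare's code).
 * It walks `len` bytes of input looking for the '>' that closes a tag. On a
 * '\r' it skips two bytes (treating "\r\n" as one unit), which is the kind of
 * step that can move the cursor past the end of the input in a single jump. */

#define EQ_CHECK 0   /* stop only when cursor == end of input (the bug) */
#define GE_CHECK 1   /* stop when cursor >= end of input (the fix)      */

/* Returns how many bytes the scanner read beyond `len`. `cap` is the size of
 * the backing array and acts as a hard stop so this demonstration itself never
 * touches memory outside the array it was given. */
size_t scan_overrun(const char *buf, size_t len, size_t cap, int mode)
{
    size_t p = 0;          /* cursor into the input          */
    size_t pe = len;       /* one past the last input byte   */
    size_t max_read = 0;   /* highest index read, plus one   */

    while (p < cap) {                           /* demo guard only */
        if (p + 1 > max_read)
            max_read = p + 1;
        char c = buf[p];
        if (c == '>')                           /* end of tag found */
            break;
        p += (c == '\r') ? 2 : 1;               /* "\r\n" consumed as one step */

        /* The boundary check. With EQ_CHECK, a two-byte step from len-1 lands
         * on len+1, the equality never holds, and the loop keeps reading
         * whatever lies after the input. With GE_CHECK the overshoot stops. */
        int at_end = (mode == GE_CHECK) ? (p >= pe) : (p == pe);
        if (at_end)
            break;
    }
    return max_read > len ? max_read - len : 0;
}

int main(void)
{
    /* Constructed backing array: 10 bytes of "input" ending in '\r', followed
     * by 6 bytes standing in for data that belongs to some other request. */
    const char backing[] = "<a href=x\rSECRET";
    size_t len = 10;
    size_t cap = sizeof(backing) - 1;   /* exclude the terminating NUL */

    printf("== check: read %zu bytes past the input\n",
           scan_overrun(backing, len, cap, EQ_CHECK));
    printf(">= check: read %zu bytes past the input\n",
           scan_overrun(backing, len, cap, GE_CHECK));
    return 0;
}
```

With the "==" check the scanner reads all six bytes of the constructed "SECRET" region; with ">=" it reads nothing beyond the input. The case where the input ends on an ordinary one-byte step passes both checks, which is why a bug of this shape only shows up on inputs that end at exactly the wrong byte and can survive testing for a long time.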

How to check for CloudBleed?

There is no evidence of how many users or Cloudflare customers were affected, but Cloudflare claims that only a very small number of requests led to leaked data.

As the vulnerability was six months old, there is a chance that attackers were silently exploiting the bug and gathering users' sensitive data, including passwords, private keys and personal information. So we recommend that everyone change the passwords of all their online accounts immediately.

So far no proof of concept has been released (we will update this post when one is).
