
"The vulnerability exploited the ACME (Automatic Certificate Management Environment) protocol, which automatically validates SSL/TLS certificates. Certificate Authorities determine the owner of a site by having websites offer a one-time token on the path /.well-known/acme-challenge/{token}. Web administrators use this path to automatically hand over certificates. It is one of the advantages of using Cloudflare, as it eliminates the need for manual certificate updates."
"PHP applications with local file inclusion vulnerabilities became exploitable, allowing attackers to access the file system via malicious path parameters. FearsOff created demonstration hosts such as cf-php.fearsoff.org to show that normal requests called up block pages, but ACME path requests returned responses from the origin server. FearsOff reported the vulnerability on October 9 via Cloudflare's HackerOne bug bounty program. Cloudflare began validation on October 13, after which HackerOne triaged the issue on October 14."
Cloudflare's WAF bypass allowed requests to the /.well-known/acme-challenge/ path to reach origin servers when the requested ACME token did not match a Cloudflare certificate order. The ACME protocol uses one-time tokens on that path to validate SSL/TLS certificates. Cloudflare had disabled WAF evaluation for that path to permit certificate issuance, but an error routed requests with unmatched tokens to the origin without WAF filtering. Attackers could exploit this to reach PHP local file inclusion flaws on the origin and retrieve database credentials and API and cloud tokens. FearsOff reported the issue on October 9 and Cloudflare implemented a permanent fix on October 27.
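The routing error described above is easiest to see as two versions of the same edge decision. The following is an added, constructed example written for this summary; it is not Cloudflare's code and does not reproduce their implementation. It models an edge that knows the tokens of its pending certificate orders and must decide, per request, whether to answer an ACME challenge, forward to the origin, or block. The `waf_inspect` rule, the `tok_example_pending` token and the sample request targets are all hypothetical.

```python
"""Model of the ACME-path routing decision (constructed example, not Cloudflare's code).

Two policies for requests under /.well-known/acme-challenge/:

  flawed: the prefix alone exempts the request from WAF evaluation, so a
          request whose token matches no pending order is still forwarded
          to the origin unfiltered.
  fixed:  only a request whose token matches a pending order is treated as
          an ACME challenge; everything else is WAF-evaluated like any path.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"

# Hypothetical single WAF rule: a path-traversal signature in the request
# target. Real rulesets are far larger; one rule is enough to show the
# difference between the two policies.
_TRAVERSAL = re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE)


@dataclass(frozen=True)
class Decision:
    action: str          # "acme", "origin" or "block"
    waf_evaluated: bool  # whether the WAF saw the request at all
    reason: str


def waf_inspect(target: str) -> bool:
    """Return True if the hypothetical WAF rule flags the request target."""
    return _TRAVERSAL.search(target) is not None


def _acme_token(target: str) -> str | None:
    """Extract the token segment of an ACME challenge path, ignoring any query."""
    if not target.startswith(ACME_PREFIX):
        return None
    return target[len(ACME_PREFIX):].split("?", 1)[0]


def route_flawed(target: str, pending_tokens: set[str]) -> Decision:
    """Flawed policy: the ACME prefix disables WAF evaluation unconditionally."""
    token = _acme_token(target)
    if token is not None:
        if token in pending_tokens:
            return Decision("acme", False, "token matches a pending order")
        # The error: an unmatched token still skips the WAF on its way to origin.
        return Decision("origin", False, "ACME prefix exempted from WAF")
    if waf_inspect(target):
        return Decision("block", True, "WAF rule matched")
    return Decision("origin", True, "WAF passed")


def route_fixed(target: str, pending_tokens: set[str]) -> Decision:
    """Corrected policy: only a matched token is handled as an ACME challenge."""
    token = _acme_token(target)
    if token is not None and token in pending_tokens:
        return Decision("acme", False, "token matches a pending order")
    # Unmatched ACME-path requests fall through to normal WAF evaluation.
    if waf_inspect(target):
        return Decision("block", True, "WAF rule matched")
    return Decision("origin", True, "WAF passed")


# Constructed sample traffic; the token and query values are made up.
PENDING = {"tok_example_pending"}
SAMPLE_TARGETS = (
    ACME_PREFIX + "tok_example_pending",                    # legitimate validation
    ACME_PREFIX + "tok_unknown?file=../../config.php",      # unmatched token, traversal in query
    "/index.php?file=../../config.php",                     # same payload on an ordinary path
)


def compare(targets=SAMPLE_TARGETS, pending=PENDING) -> list[tuple[str, str, str]]:
    """Return (target, flawed_action, fixed_action) for each sample request."""
    return [(t, route_flawed(t, pending).action, route_fixed(t, pending).action)
            for t in targets]


if __name__ == "__main__":
    for target, flawed, fixed in compare():
        print(f"{target:55s} flawed={flawed:7s} fixed={fixed}")
```

The second sample is the case the article describes: on an ordinary path the WAF blocks it, but under the flawed policy the ACME prefix alone sends it to the origin unfiltered. The same shape of request, a non-pending token under the ACME path, is what a defender would send against their own zone to confirm that the path is being WAF-evaluated rather than exempted.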
Read at Techzine Global