
"In its report, the cyber-threat hunting firm likens a WAF to the front door and ACME to a hallway that should only be used by a certificate robot to verify domain ownership. When configured correctly, a WAF can help let expected validation traffic through while filtering out many malicious requests, including automated bots. "A certificate robot's hallway should never become a side door," the FearsOff researchers wrote."
"and the CDN says it has patched the vulnerability in its ACME (Automatic Certificate Management Environment) validation logic with no action required from its customers. ACME is a protocol that certificate authorities and services like Cloudflare use to automate the issuance, renewal, and revocation of SSL/TLS certificates. It uses challenges to prove domain ownership before issuing a security certificate, and this is typically done via an HTTP-01 challenge that checks for a validation token at the HTTP path following this format: http://{customer domain}/.well-known/acme-challenge/{token value}."
Cloudflare has patched a logic flaw in the way its WAF handles ACME HTTP-01 validation: a request whose path matched an active challenge token could cause WAF features to be skipped for that request. The flaw could let an attacker bypass WAF rules and reach the origin server directly, risking data theft or full server takeover. FearsOff reported the bug through Cloudflare's bug bounty program in October; Cloudflare has updated its ACME validation logic and says customers need not take any action. ACME (RFC 8555) proves control of a domain with an HTTP-01 challenge in which the CA fetches a token from http://{customer domain}/.well-known/acme-challenge/{token value}, so a WAF must admit that validation traffic without turning the exemption into a side channel that bypasses its other rules.
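The failure class the article describes, an ACME exemption that is decided on a path match and then switches off inspection for the whole request, can be shown with a toy WAF. The following is an added example written for this page; it is not Cloudflare's code and does not describe the specific logic of the patched bug. The attack signatures, the token value, the request shape and the decision labels are all constructed for illustration. The weak decision function exempts any request whose path sits under the ACME prefix and contains an active token; the hardened one grants the exemption only to a request that is exactly an HTTP-01 validation fetch (canonical path, single well-formed token segment, GET or HEAD, no query, no body) and sends everything else through normal inspection.

```python
"""Toy WAF: weak vs. hardened handling of the ACME HTTP-01 exemption."""
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import unquote

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: the token is base64url without padding and carries
# at least 128 bits of entropy, so 22 or more base64url characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# Constructed stand-ins for a real rule set.
ATTACK_PATTERNS = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"(?i)\bor\s+1=1"),
    re.compile(r"\.\./"),
]


@dataclass
class Request:
    method: str
    path: str        # raw request-target path, may be percent-encoded
    query: str = ""
    body: str = ""


def looks_malicious(req: Request) -> bool:
    """Signature check over decoded path, query and body (toy rule set)."""
    haystack = unquote(req.path) + "?" + unquote(req.query) + "\n" + req.body
    return any(p.search(haystack) for p in ATTACK_PATTERNS)


def weak_decision(req: Request, active_tokens: set) -> str:
    """Exemption keyed only on the path containing an active token.

    Once the token matches, nothing else about the request is looked at,
    so the ACME allow-rule becomes a general bypass of the WAF."""
    raw = unquote(req.path)
    if raw.startswith(ACME_PREFIX):
        rest = raw[len(ACME_PREFIX):]
        if any(tok in rest for tok in active_tokens):
            return "origin-uninspected"
    return "blocked" if looks_malicious(req) else "origin-inspected"


def hardened_decision(req: Request, active_tokens: set) -> str:
    """Exempt only a request that is exactly an HTTP-01 validation fetch."""
    # Canonicalise before matching: decode and collapse dot segments.
    canon = posixpath.normpath(unquote(req.path))
    if req.path == canon and canon.startswith(ACME_PREFIX):
        token = canon[len(ACME_PREFIX):]
        if (
            req.method in ("GET", "HEAD")
            and req.query == ""
            and req.body == ""
            and "/" not in token
            and TOKEN_RE.fullmatch(token)
            and token in active_tokens
        ):
            # Serve the key authorization at the edge, or forward only this
            # exact request; no other rule is relaxed.
            return "acme-validation"
    # Anything else, including odd requests under the ACME prefix,
    # gets the normal rule set.
    return "blocked" if looks_malicious(req) else "origin-inspected"


# Constructed token and active-challenge set for the demo.
DEMO_TOKEN = "kAx3BnR9qlZd0JvtVBO1XgWkSUwYuGKTQfJ2wcS7nMc"
ACTIVE = {DEMO_TOKEN}


def compare(req: Request) -> tuple:
    """Return (weak, hardened) decisions for one request."""
    return weak_decision(req, ACTIVE), hardened_decision(req, ACTIVE)


if __name__ == "__main__":
    samples = {
        "legit CA fetch": Request("GET", ACME_PREFIX + DEMO_TOKEN),
        "token + SQLi query": Request("GET", ACME_PREFIX + DEMO_TOKEN, query="id=1 OR 1=1"),
        "token + traversal": Request("GET", ACME_PREFIX + DEMO_TOKEN + "/../../admin"),
        "token + POST body": Request("POST", ACME_PREFIX + DEMO_TOKEN, body="q=' UNION SELECT 1"),
        "stale token": Request("GET", ACME_PREFIX + "A" * 43),
    }
    for name, req in samples.items():
        print(f"{name:22s} weak={compare(req)[0]:20s} hardened={compare(req)[1]}")
```

The point of the hardened version is that the exemption is a positive match on a complete, canonical validation request rather than a negative "skip inspection" flag set by a substring match; a legitimate CA fetch still passes, and a request that merely carries a live token alongside a payload is judged by the ordinary rules.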
Read at Theregister