In Project Zero #1139, it was disclosed that CloudFlare had a bug which disclosed uninitialized memory, leaking private data sent through them via SSL. What's the real impact?
1 Answer
Compared to the famous Heartbleed bug leak, this is similar in some ways: the uninitialized memory exposure means unrelated private data is disclosed.
The things that are better
This only affected code running on CloudFlare, and the bug ceased to function an hour after notification. No new data can be leaked via this bug.
If somebody had awareness of this bug, they couldn't target an individual with it. The dumped sessions appear to be random.
CloudFlare has logs, and they have disclosed no indication that anybody knew of and exploited this bug.
The things that are worse
The size of the uninitialized memory dumps is huge. They regularly capture full HTTP headers and substantial sections of the request body. This pretty much gives away all the data required to hijack a session, and if a login session was captured, it would of course include the password.
It was free-session-roulette. Repeated requests to invalid URLs would just dump more and more random data.
If somebody were aware of this, they could have crafted a page that caused it to create nearly arbitrary size data dumps, or even just repeatedly hit an already existing invalid URL.
An end user could be compromised without any weakness on the part of the website or the user.
A few unlucky users will still have that leaked data existing in caches after this disclosure, and they're going to be very widely disclosed. If those session cookies aren't invalidated, it's practically guaranteed somebody will log into their accounts.
How can somebody address an incident like this?
Limiting session token lifetimes and making use of proper two-factor authentication would address the long-term leaking of data, preventing somebody from acquiring a long-lived session. Customers of CloudFlare could invalidate all session cookies and force rotation of all passwords, though that's unlikely to happen.
What does this mean to me?
CloudFlare claims that no private SSL keys were leaked as they did termination within separate processes, so while the class of bug would normally raise concern there, it doesn't in this particular case.
It's a great lesson in the security community of thinking about possible long-term bugs that have a massive blast radius. Most people are likely completely unaffected, though as noted above a few people will have lost the Bad Luck Lottery.
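The answer's mitigation advice (short session lifetimes, and invalidating every session that existed before the fix so a captured cookie stops working) can be made concrete in a small server-side session store. The following is an added example written for this page; it is not code from Cloudflare or from the original answer. The class name `SessionStore`, the policy values (12-hour absolute lifetime, 30-minute idle timeout) and the in-memory dictionary are assumptions; a production deployment would keep the same logic but back it with a database or cache.

```python
"""Session lifetime limits plus incident-driven mass revocation.

Added example, not code from the original post. SessionStore, the policy
constants and the in-memory dict are assumptions for illustration.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

ABSOLUTE_LIFETIME = 12 * 3600   # seconds; assumed policy value
IDLE_TIMEOUT = 30 * 60          # seconds; assumed policy value


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


def _hash_token(token: str) -> str:
    # Only a digest is stored, so a dump of the server-side store cannot be
    # replayed as a cookie; the client holds the only copy of the raw token.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self, absolute_lifetime: float = ABSOLUTE_LIFETIME,
                 idle_timeout: float = IDLE_TIMEOUT) -> None:
        self._sessions: Dict[str, Session] = {}
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        # Incident watermark: any session issued before this instant is dead,
        # even if it has not been swept out of the store yet.
        self.not_before: float = 0.0

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)      # 256 bits of CSPRNG output
        self._sessions[_hash_token(token)] = Session(user, now, now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live session, or None if it is invalid."""
        now = time.time() if now is None else now
        key = _hash_token(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        expired = (
            s.issued_at < self.not_before                 # revoked by incident
            or now - s.issued_at > self.absolute_lifetime  # too old overall
            or now - s.last_seen > self.idle_timeout       # unused too long
        )
        if expired:
            del self._sessions[key]
            return None
        s.last_seen = now
        return s.user

    def revoke_issued_before(self, cutoff: float) -> int:
        """Incident response: invalidate every session issued before `cutoff`
        (e.g. the moment the leaking code was disabled). Returns the count."""
        self.not_before = max(self.not_before, cutoff)
        dead = [k for k, s in self._sessions.items() if s.issued_at < cutoff]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def revoke_user(self, user: str) -> int:
        """Called after a forced password rotation so that sessions created
        with the old password do not survive it. Returns the count."""
        dead = [k for k, s in self._sessions.items() if s.user == user]
        for k in dead:
            del self._sessions[k]
        return len(dead)


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    old = store.create("alice", now=t0)
    fix_time = t0 + 100                      # constructed: when the bug was stopped
    fresh = store.create("bob", now=t0 + 200)
    store.revoke_issued_before(fix_time)
    print("pre-fix session still valid:", store.validate(old, now=t0 + 300))
    print("post-fix session still valid:", store.validate(fresh, now=t0 + 300))
```

The watermark in `revoke_issued_before` matters more than the eager sweep: with a distributed store you cannot always enumerate every session cheaply, but every validation path can compare `issued_at` against a single cutoff, which is what guarantees that a cookie captured before the fix is useless afterwards regardless of where it is presented.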
- [tinfoil] Considering this: https://twitter.com/joepie91/status/834912842293850113 is there a list anywhere of all sites sitting behind CF? Or should a person go and change all passwords anyway? [/tinfoil] – Federico Feb 24 '17 at 08:59
- @Federico There's a list on https://github.com/pirate/sites-using-cloudflare/blob/master/README.md which contains a zipfile of 22MB which contains some 4.2 million domains... There's also a list of (possibly) affected iOS apps: https://www.nowsecure.com/blog/2017/02/23/cloudflare-cloudbleed-bugs-impact-mobile-apps/ – RobIII Feb 24 '17 at 12:05
- PSA (that should be added to Jeff's answer): the full list of sites tainted by Clusterflare/Cloudf***^H^H^H^Hbleed is located at https://github.com/pirate/sites-using-cloudflare. Grep it and weep. Change passwords and do not re-use them. – citizen5 Feb 24 '17 at 10:27
- Note that this is a list of _sites using CloudFlare_, not _sites using CloudFlare features that allowed the buffer overrun to happen_. – CAD97 Feb 24 '17 at 13:44
- In the first 3 sentences of that GitHub: "Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list." – J.A.K. Feb 24 '17 at 13:56
- @CAD97 Note from their post Cloudflare cite that the bug could cause data from sites *not* using these features to have been leaked when sites meeting the conditions were hit. "Because Cloudflare operates a large, shared infrastructure an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site" https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ – pwdst Feb 24 '17 at 19:04
- @pwdst CloudFlare has lots of products. The DNS ones aren't relevant. The proxied HTTPS is. That list includes anybody who has something served via CloudFlare, even if it's not HTTPS access to the website. – Jeff Ferland Feb 24 '17 at 20:43
- Cloudflare's own write-up: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ – JesseM Feb 25 '17 at 01:19
- @CAD97 Until and unless Cloudflare coughs up a more accurate list of potentially affected domains, all we can do is assume worst case. – Shadur Feb 25 '17 at 10:42