[SingCERT] Threat Alert on Cloudflare CloudBleed

Published on Friday, 24 February 2017 23:47

Last updated on 7 March 2017, 15:13

Background
On 18 February 2017 at 0032 GMT, a critical vulnerability caused by a parser bug was reported to Cloudflare. At 0722 the same day, Cloudflare determined the root cause and turned off three of its features (Email Obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that used the HTML parser chain responsible for the leak.

Many of Cloudflare's services rely on parsing and modifying HTML pages as they pass through its edge servers. Because of the parser bug, Cloudflare's edge servers read past the end of a buffer and returned memory that could contain private information such as HTTP cookies, authentication tokens, HTTP POST bodies and other sensitive data. Some of this data was cached by search engines as part of their crawling processes.
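The buffer over-read described above, as a constructed C illustration added here (not Cloudflare's code; the actual parser and root cause are covered in the incident report linked under References): an HTML attribute scanner that never checks where the page ends, beside a bounded version that refuses a page cut off mid-tag. ARENA, ATTR, PAGE_LEN and the cookie value are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed illustration of the bug class described above, not Cloudflare's
 * code. ARENA plays the role of edge-server memory: the page being parsed is
 * its first PAGE_LEN bytes, cut off mid-tag; the bytes after it belong to an
 * unrelated request (a constructed cookie) that a correct parser never reads. */
#define OUT_SIZE 64
#define ATTR "href=\""
#define PAGE_LEN 26
static const char ARENA[] = "<p>Hi</p><a href=\"/account"   /* page, 26 bytes */
                            "Cookie: session=CONSTRUCTED-SECRET-TOKEN\"";

/* Vulnerable rewriter: copies an attribute value up to the closing quote and
 * never looks at where the page ends, so a page that stops mid-tag makes it
 * run on into the neighbouring request's bytes. Returns bytes written. */
static int attr_value_unchecked(const char *page, char *out) {
    const char *p = strstr(page, ATTR);
    size_t n = 0;
    if (p == NULL) { out[0] = '\0'; return 0; }
    for (p += strlen(ATTR); *p != '"' && *p != '\0' && n + 1 < OUT_SIZE;) out[n++] = *p++;
    out[n] = '\0';
    return (int)n;
}

/* Hardened rewriter: every read is bounded by `end`; a value that is not
 * closed inside the page is an error (-1) and nothing is emitted. */
static int attr_value_bounded(const char *page, size_t page_len, char *out) {
    const char *end = page + page_len, *p = page;
    size_t alen = strlen(ATTR), n = 0;
    out[0] = '\0';
    while ((size_t)(end - p) >= alen && memcmp(p, ATTR, alen) != 0) p++;
    if ((size_t)(end - p) < alen) return 0;      /* attribute not in page */
    for (p += alen; p < end && *p != '"' && n + 1 < OUT_SIZE;) out[n++] = *p++;
    if (p == end || *p != '"') { out[0] = '\0'; return -1; }  /* not closed in page */
    out[n] = '\0';
    return (int)n;
}

/* 1 if the unchecked parser copies the neighbour's token into its output. */
static int unchecked_leaks(void) {
    char out[OUT_SIZE];
    attr_value_unchecked(ARENA, out);
    return strstr(out, "CONSTRUCTED-SECRET-TOKEN") != NULL;
}

/* Result of the bounded parser on the same memory (-1 means it refused). */
static int bounded_result(void) {
    char out[OUT_SIZE];
    return attr_value_bounded(ARENA, PAGE_LEN, out);
}
```

The hardened version treats "end of page reached before the closing quote" as an error rather than continuing, which is the check whose absence turns a truncated page into a leak of neighbouring memory.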

Affected Websites
Websites that utilised Cloudflare services could be affected.

Impact
Search engines such as Google and Yahoo could have cached some of the leaked memory through their normal crawling and caching processes. Visitors who keyed in personal data on affected websites could potentially be at risk.

Mitigation by Cloudflare
Cloudflare has since put mitigation measures in place to address this issue; an initial patch was rolled out within 47 minutes. Cloudflare identified a total of 80,000 unique URLs of such cached content and secured the cooperation of search engine providers to purge them. Cloudflare also searched sites such as Pastebin for potentially leaked information and found none.

Cloudflare informed SingCERT that Cloudflare:
  1. Has already notified all the owners of websites that Cloudflare has discovered to be affected so far, and
  2. Will continue to work with them to remediate the problem.
As of 6 March 2017, no .sg domains were found to be affected.

Recommendations For Website Administrators
Website administrators should refer to Cloudflare's advisory for further information, including recommended measures to mitigate the threat. Website administrators notified by Cloudflare that their websites are affected should immediately assess the impact and take appropriate remediation measures, including advising their users. For further queries, website administrators should contact their Cloudflare support officer for assistance. Organisations can seek help from SingCERT if they encounter cyber security incidents.

References
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/
https://support.cloudflare.com/hc/en-us/articles/115003625928-Latest-Information-on-the-Cloudflare-Parser-Bug
https://support.cloudflare.com/hc/en-us/articles/200169556-How-can-I-tell-if-Cloudflare-is-caching-my-site-or-a-specific-file-
https://www.lifehacker.com.au/2017/02/cloudflare-cloudbleed-bug-exposes-sensitive-data-who-is-affected/
https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165#.roh17hptm

Revisions
7 March 2017: Revised Recommendations section