On February 17, 2017, Google’s Project Zero reported a vulnerability in Cloudflare’s reverse proxy edge servers. In certain cases where three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) were being used, the edge servers would read past the end of a memory buffer and return additional data in the server’s memory. This data could include private and sensitive information such as authentication tokens, cookies, and bodies of HTTP POST requests. This bug is similar to, and gets its name from, the OpenSSL Heartbleed bug.
The issue was first introduced to Cloudflare’s servers on September 22, 2016, and was patched the day after it was reported, on February 18, 2017. Cloudflare reports that the bug’s greatest impact was on February 13 and February 18, affecting around 1 out of every 3.3M HTTP requests they processed, approximately 0.00003% of all Cloudflare requests.
Any app that communicated with a Cloudflare-hosted site between September 22, 2016 and February 18, 2017 may have left private information in Cloudflare server memory. While very unlikely, this information could then have been exposed by the Cloudbleed vulnerability. In certain cases, such as authentication tokens or passwords, this could allow unauthorized users to access private data on the app’s server. This is not a problem with the app itself, and no update is necessary by app developers in order to fix the issue.
Appthority has observed 40,544 apps in enterprises that communicate over HTTPS to Cloudflare-hosted sites. Of these apps, 7,486 send personally identifiable information such as usernames or IPs, or more sensitive information such as passwords; 1,171 require a login over HTTPS.
One additional concern is that malformed web pages with private information may be cached in search engines. Cloudflare worked with major search engines and found 770 URIs on 161 domains that were affected; these have all been cleared from search engine caches.
More information, including a detailed writeup, can be found at Cloudflare’s blog.
While many websites were vulnerable to this memory leakage bug, this was not an attack that could be targeted against specific users or information. Cloudflare has fixed the bug and is actively working with search engine providers on cleanup.
As a best practice, we recommend:
- Creating an Appthority App Policy to identify all apps in your enterprise environment that expose sensitive data to the Cloudbleed reverse proxy memory dump
- Notifying end users to update their password for these apps through your Appthority-EMM compliance workflow
This Appthority policy can be created by using three of Appthority’s configurable detection behaviors: Uses a Cloudflare hosted HTTPS site, Sends PII and Requires Dedicated Credentials. Further instructions can be found here: How to find Cloudbleed Apps in Appthority
Appthority considers this a temporal risk. In 60 days, we plan to reduce the risk score to reflect the lower risk, assuming no exploits have been reported.