Cloudbleed – Bandaging the Buffer Overflow
Researchers at Google have uncovered a vulnerability affecting a leading content delivery network (CDN) provider. Users of websites belonging to Uber, OKCupid, and others may have been affected, meaning that some personal information may have been inadvertently shared with other users. The list of potentially affected domains is available. While it is unlikely that any single account has been compromised as a result of this discovery, it is recommended that users with accounts for any of the affected sites change their passwords.
Some vulnerabilities are easier to identify than others. For instance, an internet-facing router or firewall with default credentials can be easily discovered and exploited by an adversary. However, in this case, the identification of the Cloudbleed vulnerability required a much more complex set of tools and techniques. These technical vulnerabilities may go undiscovered in production software for months, or even years. When vulnerabilities like these are finally discovered, they put a potentially widespread customer base at risk. It’s likely that highly technical vulnerabilities which might exist in applications or software designed for internal use may never be discovered. However, when that software is exposed to the internet, there is a constant threat of exploitation from malicious users all over the world. Systems that are exposed to the internet are continually poked and prodded by security researchers and hackers alike.
On February 17th, 2017 Google’s Project Zero team announced the discovery of a technical vulnerability affecting a popular Content Delivery Network provider, Cloudflare. The Cloudflare service acts as an intermediary between clients and servers on the internet, increasing performance and inbound traffic. Cloudflare is a ubiquitous service used by heavyweights like Uber, OKCupid, FitBit, and 1Password. Because each of these companies is using the same CloudFlare infrastructure, each was affected by the vulnerability.
Here’s the problem: in certain cases, requests sent to Cloudflare’s servers would elicit an unexpected response. It turns out that a small percentage of requests were being parsed improperly, and this caused the server to return random chunks from memory back to the user. This is known as a buffer overflow vulnerability. Because sensitive data may be stored in memory, such as session tokens, passwords, encryption keys, and browsing data, what was improperly returned to the user could have contained sensitive information about other users, even users on other sites.
Security researchers uncovered this vulnerability using a technique known as “fuzzing”. This technique automates the sending of requests, and the analysis of the associated responses from web servers on the internet. By sending many different requests, researchers were able to identify those requests that successfully exploited the vulnerability. By bombarding the server with these types of requests, it would be possible to retrieve significant portions of the server’s memory.
Some of the returned memory chunks were cached by browsers and search engines, meaning that whatever information was leaked may still be floating around on the internet. It is recommended that users of the affected sites change their passwords, just to be on the safe side, although it is rather unlikely that the vulnerability was exploited maliciously at any point before it was officially disclosed.
This demonstrates the need for enhanced, security-focused testing of any systems that are exposed to the internet. Further, it is crucial to implement vulnerability management and incident response programs internally, and to integrate external service providers with this program, wherever possible. After all, technical vulnerabilities like these sneak past development teams and IT support teams all the time, so it is vital to have a response strategy, rather than relying on the integrity of any software platform.