Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Cloudflare data leak...what does it mean to me? - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cloudflare data leak...what does it mean to me?

The ISC has received several requests asking us to weigh in on the ramifications of the Cloudflare data leak, also being referred to by some as CloudBleed.

The short version of the vulnerability is that in rare situations, a bug in Cloudflare's edge servers could be triggered, which would cause a buffer overrun to occur. When these buffer overruns occurred, random data would be returned in the replies from the Cloudflare servers. Private chat messages, user logins and passwords, and many other bits of data were found in the random data. This data would be data from any of Cloudflare's customer applications, which is a very big list of some of the most popular sites on the Internet.  Potentially over 4 million domains. (Partial list of popular sites and the full list are available here).  Most seriously, these pages, containing random data, were cached to Google's search results (those results have now been scrubbed of Cloudflare data).  

It is believed that this vulnerability was present from 22 Sept, 2016 until 18 Feb. 2017.

What does this mean to you?  Unfortunately, the data leak means that this needs to be treated as another data breach. If you have an account on any Cloudflare hosted application, which we almost certainly all do, it is time to go and change your passwords.  I would also strongly recommend that you use this as an opportunity to enable 2-factor authentication on any application that supports it.


UPDATE 20170224 17:45 UTC: It appears Cloudflare customers have started sending out password change requests. I just received my first a few minutes ago.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)


324 Posts
ISC Handler
Feb 24th 2017
What can we do to better protect against these flareups?

1 Posts
My mantra for my credentials are:

Use alternate forms of authentication wherever possible (certificates, soft-tokens, SMS, etc)
Avoid password reuse
Enable two-factor authentication wherever it is available.

I have been lobbying to eliminate passwords completely for many years. Switch authentication from "something you know" to "something you have". I agree that both is more secure, but I have had many conversations with design managers that boil down to "if I make all my users authenticate twice then they will not use my app". I contend that if we are only going to use one type of authentication then "something you have" is more secure, since "something you know" needs to be stored and requires a great deal of capability to secure it from leaks.

324 Posts
ISC Handler
Why not use multi-authentication instead. Something you know - password, something you have - smart card, something you are - eg. normal resting pulse rate measured by attached usb device or something similar?

13 Posts

Sign Up for Free or Log In to start participating in the conversation!