Security Incident report on memory leak caused by Cloudflare parser bug

pamamolf · Feb 24, 2017

Hello

It seems a security day today

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.

We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.

Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations formed in San Francisco and London to fully understand the underlying cause, to understand the effect of the memory leakage, and to work with Google and other search engines to remove any cached HTTP responses.

Having a global team meant that, at 12 hour intervals, work was handed over between offices enabling staff to work on the problem 24 hours a day. The team has worked continuously to ensure that this bug and its consequences are fully dealt with. One of the advantages of being a service is that bugs can go from reported to fixed in minutes to hours instead of months. The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes.

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

We are grateful that it was found by one of the world’s top security research teams and reported to us.

This blog post is rather long but, as is our tradition, we prefer to be open and technically detailed about problems that occur with our service.

Parsing and modifying HTML on the fly
Many of Cloudflare’s services rely on parsing and modifying HTML pages as they pass through our edge servers. For example, we can insert the Google Analytics tag, safely rewrite http:// links to https://, exclude parts of a page from bad bots, obfuscate email addresses, enable AMP, and more by modifying the HTML of a page.

To modify the page, we need to read and parse the HTML to find elements that need changing. Since the very early days of Cloudflare, we’ve used a parser written using Ragel. A single .rl file contains an HTML parser used for all the on-the-fly HTML modifications that Cloudflare performs.

About a year ago we decided that the Ragel parser had become too complex to maintain and we started to write a new parser, named cf-html, to replace it. This streaming parser works correctly with HTML5 and is much, much faster and easier to maintain.

We first used this new parser for the Automatic HTTP Rewrites feature and have been slowly migrating functionality that uses the old Ragel parser to cf-html.

Both cf-html and the old Ragel parser are implemented as NGINX modules compiled into our NGINX builds. These NGINX filter modules parse buffers (blocks of memory) containing HTML responses, make modifications as necessary, and pass the buffers onto the next filter.

It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used. Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself.

Once we knew that the bug was being caused by the activation of cf-html (but before we knew why) we disabled the three features that caused it to be used. Every feature Cloudflare ships has a corresponding feature flag, which we call a ‘global kill’. We activated the Email Obfuscation global kill 47 minutes after receiving details of the problem and the Automatic HTTPS Rewrites global kill 3h05m later. The Email Obfuscation feature had been changed on February 13 and was the primary cause of the leaked memory, thus disabling it quickly stopped almost all memory leaks.

Within a few seconds, those features were disabled worldwide. We confirmed we were not seeing memory leakage via test URIs and had Google double check that they saw the same thing.

We then discovered that a third feature, Server-Side Excludes, was also vulnerable and did not have a global kill switch (it was so old it preceded the implementation of global kills). We implemented a global kill for Server-Side Excludes and deployed a patch to our fleet worldwide. From realizing Server-Side Excludes were a problem to deploying a patch took roughly three hours. However, Server-Side Excludes are rarely used and only activated for malicious IP addresses.

More info at:

Incident report on memory leak caused by Cloudflare parser bug

eva2000 · Feb 24, 2017

pamamolf said: ↑

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.
Click to expand...

pamamolf said: ↑

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).
Click to expand...

ouch very serious bug ! Thanks for the heads up !

eva2000 · Feb 24, 2017

More info at 1139 - cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory - project-zero - Monorail

On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn't match what I had been expecting. It's not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data...but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.

It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data. The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare - a major cdn service.

A while later, we figured out how to reproduce the problem. It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.

We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

This situation was unusual, PII was actively being downloaded by crawlers and users during normal usage, they just didn't understand what they were seeing. Seconds mattered here, emails to support on a friday evening were not going to cut it. I don't have any cloudflare contacts, so reached out for an urgent contact on twitter, and quickly reached the right people.

Tavis Ormandy on Twitter

After I explained the situation, cloudflare quickly reproduced the problem, told me they had convened an incident and had an initial mitigation in place within an hour.

"You definitely got the right people. We have killed the affected services"
Click to expand...

We've been trying to help clean up cached pages inadvertently crawled at Google. This is just a bandaid, but we're doing what we can. Cloudflare customers are going to need to decide if they need to rotate secrets and notify their users based on the facts we know.

I don't know if this issue was noticed and exploited, but I'm sure other crawlers have collected data and that users have saved or cached content and don't realize what they have, etc. We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!).

Really impressed with Cloudflare's quick response, and how dedicated they are to cleaning up from this unfortunate issue. I told them I hoped they were able to get some sleep during the incident, and an engineer responded:

"Its going to be a long weekend for us, but this is really important to us. We need to protect as many people as we can and we need to make sure this can never happen again on our watch.".
Click to expand...

We keep finding more sensitive data that we need to cleanup. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

My current theory is that they had some code in their "ScrapeShield" feature that did something like this:

int Length = ObfuscateEmailAddressesInHtml(&OutputBuffer, CachedPage);

write(fd, OutputBuffer, Length);

But they weren't checking if the obfuscation parsers returned a negative value because of malformed HTML. This would explain the data I'm seeing.
Click to expand...

more serious than cloudflare states

Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers.

They've left it too late to negotiate on the content of the notification.

Let's hope that their notification in combination with the details from this issue will be adequate explanation of what happened. I think we're waiting for cached links to start expiring, and then we're publishing whether they're ready or not.
Click to expand...

eva2000 · Feb 24, 2017

Cloudflare Data Leak: How to Secure Your Site

Cloudflare has experienced a data leak over a 5 month period that mixed sensitive data between websites and visitors. A visitor to one website using Cloudflare may have seen data from another website using Cloudflare that was being sent to a completely different site visitor.

Some of the leaked data has been indexed by search engines who have been working over the past few days to try and remove the data from their caches.

In this post I am going to explain in simple terms, what occurred and what you need to do about it.

If you are a WordPress user and simply want to know how to secure your site, you can skip to the What Should I Do section below. I have included some information for non-WordPress site owners in that section too.
Click to expand...

From September 22nd, 2016 until February 18th 2017 (last Saturday), Cloudflares servers in some cases mixed data that belonged to one visitor to a website, with data belonging to another visitor that was visiting a completely different website.

The worst data leakage occurred between the dates of February 13th and February 18th when one in every 3.3 million requests to Cloudflare’s servers was leaked.

During the period when the leak occurred, visitors to certain websites would see what appeared to be garbage data mixed into the web page they were viewing. That garbage data was data from a memory leak. The data was in some cases sensitive and included security tokens and other sensitive information.
Click to expand...

What Data Was Leaked?
The data that was leaked could include passwords, cookies and authentication tokens. If an attacker is able to access the text of your cookies, they may be able to use them to sign into your website.

Internal Cloudflare private keys used to secure data being transferred between Cloudflare machines were also leaked.

At this point one should assume that there is a small chance that any private data transferred from any Cloudflare customer website to a site visitor may have been leaked between September 2016 and February of this year.

According to Cloudflare, no private SSL customer keys were leaked from the memory of their servers. A private SSL key is a key used to secure visitor connections to your website. If the your private SSL key is leaked, an attacker could listen in on all traffic to and from your website.
Click to expand...

What Should I Do if I use Cloudflare on my Website?
According to a conversation on Hacker News between the Cloudflare CTO and Tavis Ormandy, the security researcher who discovered this, any customer of Cloudflare’s could have been affected by this data leak.

WordPress site owners: Change your wp-config.php salts. This will log everyone out and invalidate cookies and sessions

If you are using WordPress, we recommend you edit your wp-config.php file and change all of the ‘salts’. This will automatically log all of your users out. This protects you and your site members in case any of their cookies have been stolen. Once you make this change, an attacker will no longer be able to use stolen session cookies from your site to sign in.
Click to expand...

eva2000 · Feb 24, 2017

Also GitHub - pirate/sites-using-cloudflare: List of domains using Cloudflare (potentially affected by the CloudBleed HTTPS traffic leak)

This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised. This list will be narrowed down to the affected domains as I get more information. This is a (work-in-progress) list of domains possibly affected by the CloudBleed HTTPS traffic leak. Original vuln thread by Google Project Zero.

Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I'm compiling an unofficial list here so you know what passwords to change.
Click to expand...

eva2000 · Feb 25, 2017

http://www.bbc.com/news/technology-39077611

Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network.

The firm protects websites by routing their traffic through its own network, filtering out hack attacks.

It has 4 million clients, including banks, governments and shopping sites.

Customers wouldn't necessarily know which of the online services they use run on Cloudflare as it is not visible.

The bug came to light while Cloudflare was migrating from older to newer software between 13 - 18 February.

Chief operating officer John Graham-Cumming said it was likely that in the last week, around 120,000 web pages per day may have contained some unencrypted private data, along with other junk text, along the bottom.
Click to expand...

eva2000 · Feb 25, 2017

Cloudflare's 'Cloudbleed' Bug Exposes Sensitive Data: Who Is Affected?

who to believe

According to Cloudflare: "The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests)."

But Ormandy argued that Cloudflare was being disingenuous and claimed, based on Google's cached data, the bug had existed for months.
Click to expand...

A lot of Cloudflare's services rely on parsing HTML pages and modifying them through the company's edge servers.

Of course, if you're using Cloudflare services in front of your website, this has the potential to impact you as the bug could have exposed sensitive data that flowed between your back-end servers and end-users via CloudFlare's proxies.

But even if you don't use Cloudflare directly, there is a chance that websites you visit and web services you use may have been affected.
Click to expand...

Critically, major sites and even password managers may have had sensitive data exposed even if it was sent through HTTPS, which is meant to encrypt the traffic. According to Ormandy:

I don't know if this issue was noticed and exploited, but I'm sure other crawlers have collected data and that users have saved or cached content and don't realize what they have, etc. We've discovered (and purged) cached pages that contain private messages from well-known services, PII from major sites that use Cloudflare, and even plaintext API requests from a popular password manager that were sent over https (!!).

There were claims that data from password manager 1Password was leaked but the company has since come out to refute this.
Click to expand...

eva2000 · Feb 25, 2017

http://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616

How does Cloudbleed work?
For you geeks out there, Cloudbleed is especially interesting because a single character in Cloudflare’s code lead to the vulnerability. It appears to be a simple coding error, though we’ve reached out to Cloudflare for information on what exactly happened. (Update: Cloudflare called us back and explained some things.) Based on what’s been reported, it appears that Cloudbleed works a bit like Heartbleed in how it leaks information during certain processes. The scale of Cloudbleed also looks like it could impacts as many users as Heartbleed, as it affects a common security service used by many websites.

According to a Cloudflare blog post, the issue stems from the company’s decision to use a new HTML parser called cf-html. An HTML parser is an application that scans code to pull out relevant information like start tags and end tags. This makes it easier to modify that code.

Cloudflare ran into trouble when formatting the source code of cf-html and its old parser Ragel to work with its own software. An error in the code created something called a buffer overrun vulnerability. (The error involved a “==” in the code where there should have been a “>=”.) This means that when the software was writing data to a buffer, a limited amount of space for temporary data, it would fill up the buffer and then keep writing code somewhere else. (If you’re dying for a more technical explanation, Cloudflare laid it all out in a blog post.)

In plain English, Cloudflare’s software tried to save user data in the right place. That place got full. So Cloudflare’s software ended up storing that data elsewhere, like on a completely different website. Again, the data included everything from API keys to private messages. The data was also cached by Google and other sites, which means that Cloudflare now has to hunt it all down before hackers find it.
Click to expand...

Sametto Chan · Feb 27, 2017

I just changed for API Key and CloudFlare account.

eva2000 · Mar 2, 2017

Quantifying the Impact of "Cloudbleed"

Last Thursday we released details on a bug in Cloudflare's parser impacting our customers. It was an extremely serious bug that caused data flowing through Cloudflare's network to be leaked onto the Internet. We fully patched the bug within hours of being notified. However, given the scale of Cloudflare, the impact was potentially massive.

The bug has been dubbed “Cloudbleed.” Because of its potential impact, the bug has been written about extensively and generated a lot of uncertainty. The burden of that uncertainty has been felt by our partners, customers, our customers’ customers. The question we’ve been asked the most often is: what risk does Cloudbleed pose to me?

We've spent the last twelve days using log data on the actual requests we’ve seen across our network to get a better grip on what the impact was and, in turn, provide an estimate of the risk to our customers. This post outlines our initial findings.

The summary is that, while the bug was very bad and had the potential to be much worse, based on our analysis so far: 1) we have found no evidence based on our logs that the bug was maliciously exploited before it was patched; 2) the vast majority of Cloudflare customers had no data leaked; 3) after a review of tens of thousands of pages of leaked data from search engine caches, we have found a large number of instances of leaked internal Cloudflare headers and customer cookies, but we have not found any instances of passwords, credit card numbers, or health records; and 4) our review is ongoing.

To make sense of the analysis, it's important to understand exactly how the bug was triggered and when data was exposed. If you feel like you've already got a good handle on how the bug got triggered, click here to skip to the analysis.
Click to expand...

Log in / Register

Forums

Join the community today

Security Incident report on memory leak caused by Cloudflare parser bug

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sametto Chan Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Security Incident report on memory leak caused by Cloudflare parser bug

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Sametto Chan Member

eva2000 Administrator Staff Member

.