Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




Webhead
2425 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

#208716 24-Feb-2017 13:08
Send private message

Cloudflare Reverse Proxies are Dumping Uninitialized Memory

 

We keep finding more sensitive data that we need to cleanup. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

 

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

 

 

 

This is scary. There is good reason to belive that a lot of peoples passwords and other sensitive data have been compromised through this security bug.

 

Not impressed by Cloudflare dragging their feet in making this exploit public.

 

 


Create new topic
'That VDSL Cat'
11725 posts

Uber Geek

Trusted
Spark
Subscriber

  #1725658 24-Feb-2017 13:12
Send private message

This is certainly a scary one..

 

 

 

@freitasm have an offical comment from cloudflare?





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


695 posts

Ultimate Geek


  #1725669 24-Feb-2017 13:31
Send private message
 
 
 
 


BDFL - Memuneh
65641 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1725670 24-Feb-2017 13:31
One person supports this post
Send private message

Reading through the linked thread/disclosure I see Cloudflare had turned off the features causing the issue when notified, four days ago. I also see they have already provided a post-morten here.

 

We didn't use those features so I am not worried. I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.





1371 posts

Uber Geek


  #1725675 24-Feb-2017 13:41
Send private message

freitasm:

 

Reading through the linked thread/disclosure I see Cloudflare had turned off the features causing the issue when notified, four days ago. I also see they have already provided a post-morten here.

 

We didn't use those features so I am not worried. I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

 

 

 

 

It seems every site using Cloudflare is effected as if any customer on a server you shared had any of those features enabled then your data could have been exposed. 


15690 posts

Uber Geek

Trusted
Subscriber

  #1725678 24-Feb-2017 13:45
Send private message

Bit of a nasty bug. Looks like a very responsible response from CloudFlare. The Google guy went a bit overboard with his whining. 




Webhead
2425 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #1725684 24-Feb-2017 14:13
Send private message

freitasm:

 

We didn't use those features so I am not worried.

 

 

Its an issue for anyone that has used a site that had this featured turned on.

 

Its prudent to remind people that reusing passwords is a bad idea. But any passwords you have used on sites affected by this vulnerability should also be considered compromised.

 

 

I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

 

 

I just think they took too much time doing it.


286 posts

Ultimate Geek


  #1725740 24-Feb-2017 16:18
Send private message
 
 
 
 


BDFL - Memuneh
65641 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1725745 24-Feb-2017 16:29
Send private message

And there it is - geekzone.co.nz, geekzone.nz, geekzone.co.in, geekzone.co.uk - some of these domains are redirects and never really used so not sure if these are affected or simply use Cloudflare.

 

In any case, as mentioned, another reason for not reusing passwords.





83 posts

Master Geek

Trusted

  #1725748 24-Feb-2017 16:41
One person supports this post
Send private message

freitasm:

 

We didn't use those features so I am not worried. I think their response was effective. 

 

 

Any site that used CloudFlare could have had their data leaked. Only sites that had the features enabled and malformed HTML would leak data in their responses, but the data could belong to any other site that shared the same server. Very similar to HeartBleed in that regard, except this offered it up for free, rather that requiring a specific exploit. I agree that CloudFlare looks to have been fairly responsive on this,  the only legitimate complaint I can see is that they are downplaying the issue a bit.


15690 posts

Uber Geek

Trusted
Subscriber

  #1725755 24-Feb-2017 16:51
Send private message

That's just a list of all websites that use CloudFlare.


286 posts

Ultimate Geek


  #1725792 24-Feb-2017 18:36
Send private message

timmmay:

 

That's just a list of all websites that use CloudFlare.

 

 

 

 

I should have probably added the word 'potentially'





/dev/null
9087 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #1726000 25-Feb-2017 01:13
Send private message

Just got an email from Cloudflare:

 

 

Dear Cloudflare Customer:

 

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

 

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

 

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.

 

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

 

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

 

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

 

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

 

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

 

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO





BDFL - Memuneh
65641 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #1726145 25-Feb-2017 16:00
2 people support this post
Send private message


Webhead
2425 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #1726177 25-Feb-2017 16:48
Send private message

Wise move. Anyone using Cloudflare for their website should do the same. I have done that to all sites I manage that use Cloudflare.


Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

New Vodafone mobile data plans with unlimited data
Posted 26-Feb-2020 06:55


Vodafone launches innovation initiatives to help businesses use 5G
Posted 26-Feb-2020 05:00


Ultimate Ears HYPERBOOM brings massive sound and extreme bass
Posted 25-Feb-2020 09:00


Withings launches three new devices to help monitor heart health from home
Posted 13-Feb-2020 20:05


Auckland start-up Yourcar matches new car buyers with dealerships
Posted 13-Feb-2020 18:05


School gardens go high tech to teach kids the importance of technology
Posted 13-Feb-2020 11:10


Malwarebytes finds Mac threats outpace Windows for the first time
Posted 13-Feb-2020 08:01


Amazon launches Echo Show 8 in Australia and New Zealand
Posted 8-Feb-2020 20:36


Vodafone New Zealand starts two year partnership with LetsPlay.Live
Posted 28-Jan-2020 11:24


Ring launches indoor-only security camera
Posted 23-Jan-2020 17:26


New report findings will help schools implement the digital technologies curriculum content
Posted 23-Jan-2020 17:25


N4L to upgrade & support wireless internet inside schools
Posted 23-Jan-2020 17:22


Netflix releases 21 Studio Ghibli works
Posted 22-Jan-2020 11:42


Vodafone integrates eSIM into device and wearable roadmap
Posted 17-Jan-2020 09:45


Do you need this camera app? Group investigates privacy implications
Posted 16-Jan-2020 03:30



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.