Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




Webhead
2232 posts

Uber Geek
+1 received by user: 772

Moderator
Trusted
Lifetime subscriber

# 208716 24-Feb-2017 13:08
Send private message

Cloudflare Reverse Proxies are Dumping Uninitialized Memory

 

We keep finding more sensitive data that we need to cleanup. I didn't realize how much of the internet was sitting behind a Cloudflare CDN until this incident.

 

The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

 

 

 

This is scary. There is good reason to belive that a lot of peoples passwords and other sensitive data have been compromised through this security bug.

 

Not impressed by Cloudflare dragging their feet in making this exploit public.

 

 





Create new topic
'That VDSL Cat'
10213 posts

Uber Geek
+1 received by user: 2455

Trusted
Spark
Subscriber

  # 1725658 24-Feb-2017 13:12
Send private message

This is certainly a scary one..

 

 

 

@freitasm have an offical comment from cloudflare?





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


604 posts

Ultimate Geek
+1 received by user: 128


  # 1725669 24-Feb-2017 13:31
Send private message
 
 
 
 


BDFL - Memuneh
63368 posts

Uber Geek
+1 received by user: 13872

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1725670 24-Feb-2017 13:31
One person supports this post
Send private message

Reading through the linked thread/disclosure I see Cloudflare had turned off the features causing the issue when notified, four days ago. I also see they have already provided a post-morten here.

 

We didn't use those features so I am not worried. I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.





1370 posts

Uber Geek
+1 received by user: 17


  # 1725675 24-Feb-2017 13:41
Send private message

freitasm:

 

Reading through the linked thread/disclosure I see Cloudflare had turned off the features causing the issue when notified, four days ago. I also see they have already provided a post-morten here.

 

We didn't use those features so I am not worried. I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

 

 

 

 

It seems every site using Cloudflare is effected as if any customer on a server you shared had any of those features enabled then your data could have been exposed. 


14761 posts

Uber Geek
+1 received by user: 2746

Trusted
Subscriber

  # 1725678 24-Feb-2017 13:45
Send private message

Bit of a nasty bug. Looks like a very responsible response from CloudFlare. The Google guy went a bit overboard with his whining. 




Webhead
2232 posts

Uber Geek
+1 received by user: 772

Moderator
Trusted
Lifetime subscriber

  # 1725684 24-Feb-2017 14:13
Send private message

freitasm:

 

We didn't use those features so I am not worried.

 

 

Its an issue for anyone that has used a site that had this featured turned on.

 

Its prudent to remind people that reusing passwords is a bad idea. But any passwords you have used on sites affected by this vulnerability should also be considered compromised.

 

 

I think their response was effective. I wonder why the OP wrote "Not impressed by Cloudflare dragging their feet in making this exploit public." when the thread in question already had a response from Cloudflare (including a link to the post-morten) 30 minutes before this Geekzone thread was live.

 

 

I just think they took too much time doing it.





286 posts

Ultimate Geek
+1 received by user: 70


  # 1725740 24-Feb-2017 16:18
Send private message
BDFL - Memuneh
63368 posts

Uber Geek
+1 received by user: 13872

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1725745 24-Feb-2017 16:29
Send private message

And there it is - geekzone.co.nz, geekzone.nz, geekzone.co.in, geekzone.co.uk - some of these domains are redirects and never really used so not sure if these are affected or simply use Cloudflare.

 

In any case, as mentioned, another reason for not reusing passwords.





81 posts

Master Geek
+1 received by user: 19

Trusted

  # 1725748 24-Feb-2017 16:41
One person supports this post
Send private message

freitasm:

 

We didn't use those features so I am not worried. I think their response was effective. 

 

 

Any site that used CloudFlare could have had their data leaked. Only sites that had the features enabled and malformed HTML would leak data in their responses, but the data could belong to any other site that shared the same server. Very similar to HeartBleed in that regard, except this offered it up for free, rather that requiring a specific exploit. I agree that CloudFlare looks to have been fairly responsive on this,  the only legitimate complaint I can see is that they are downplaying the issue a bit.


14761 posts

Uber Geek
+1 received by user: 2746

Trusted
Subscriber

  # 1725755 24-Feb-2017 16:51
Send private message

That's just a list of all websites that use CloudFlare.


286 posts

Ultimate Geek
+1 received by user: 70


  # 1725792 24-Feb-2017 18:36
Send private message

timmmay:

 

That's just a list of all websites that use CloudFlare.

 

 

 

 

I should have probably added the word 'potentially'





Mr Snotty
8619 posts

Uber Geek
+1 received by user: 4512

Moderator
Trusted
Lifetime subscriber

  # 1726000 25-Feb-2017 01:13
Send private message

Just got an email from Cloudflare:

 

 

Dear Cloudflare Customer:

 

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

 

https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

 

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.

 

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

 

In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

 

Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

 

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

 

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

 

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO





BDFL - Memuneh
63368 posts

Uber Geek
+1 received by user: 13872

Administrator
Trusted
Geekzone
Lifetime subscriber



Webhead
2232 posts

Uber Geek
+1 received by user: 772

Moderator
Trusted
Lifetime subscriber

  # 1726177 25-Feb-2017 16:48
Send private message

Wise move. Anyone using Cloudflare for their website should do the same. I have done that to all sites I manage that use Cloudflare.





Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Video game market in New Zealand passes half billion dollar mark
Posted 24-May-2019 16:15


WLG-X festival to celebrate creativity and innovation
Posted 22-May-2019 17:53


HPE to acquire supercomputing leader Cray
Posted 20-May-2019 11:07


Techweek starting around NZ today
Posted 20-May-2019 09:52


Porirua City Council first to adopt new council software solution Datascape
Posted 15-May-2019 12:00


New survey provides insight into schools' technology challenges and plans
Posted 15-May-2019 09:30


Apple Music now available on Alexa devices in Australia and New Zealand
Posted 15-May-2019 09:11


Make a stand against cyberbullying this Pink Shirt Day
Posted 14-May-2019 20:23


Samsung first TV manufacturer to launch the Apple TV App and Airplay 2
Posted 14-May-2019 20:11


Vodafone New Zealand sold
Posted 14-May-2019 07:25


Kordia boosts cloud performance with locally-hosted Microsoft Azure ExpressRoute
Posted 8-May-2019 10:25


Microsoft Azure ExpressRoute in New Zealand opens up faster, more secure internet for Kiwi businesses
Posted 8-May-2019 09:39


Vocus Communications to deliver Microsoft Azure Cloud Solutions through Azure ExpressRoute
Posted 8-May-2019 09:25


Independent NZ feature film #statusPending to premiere during WLG-X
Posted 6-May-2019 22:13


The ultimate dog photoshoot with Nokia 9 PureView #ForgottenDogsofInstagram
Posted 6-May-2019 09:41



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.