Full Report
ACME validation had a challenge-request hole

Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could lead to data theft or full server takeover.…
Analysis Summary
# Vulnerability: Cloudflare WAF Bypass via Improper ACME Challenge Validation
## CVE Details
- CVE ID: Not assigned in the source text (referred to only as a "flaw")
- CVSS Score: Not provided
- CWE: Not assigned in the source. The closest fits are CWE-20 (Improper Input Validation), for the challenge token that was never checked, and CWE-693 (Protection Mechanism Failure), for the security controls that were skipped as a result.
## Affected Systems
- Products: Cloudflare Web Application Firewall (WAF) used in conjunction with ACME validation logic.
- Versions: Unspecified, prior to the fix deployed on October 27th.
- Configurations: Any Cloudflare-proxied hostname protected by the WAF for which Cloudflare answered ACME HTTP-01 challenges at its edge.
## Vulnerability Description
A logic flaw existed in how Cloudflare handled HTTP-01 ACME challenge requests. When an incoming request path matched the pattern of an ACME challenge (`/.well-known/acme-challenge/{token value}`), WAF features were disabled for that request on the assumption that Cloudflare would answer it directly with the expected validation response, so no security rule needed to inspect it. The flaw was that this logic *did not verify that the token in the request actually belonged to an active challenge for the requested hostname*. An attacker could therefore send a request whose path merely had the challenge shape but carried an arbitrary token: no challenge matched, so Cloudflare had nothing to serve, yet WAF features were already disabled and the request was passed through to the origin server, bypassing the security controls that would otherwise have applied.
## Exploitation
- Status: Not stated as exploited in the wild. A proof of concept is straightforward given the mechanism (a single HTTP request with a crafted path), and the researcher analysis rates its automation potential as high.
- Complexity: Low. The challenge path format is public, and because the token was not checked against active challenges, no timing against a live certificate issuance was needed; any token-shaped value triggered the bypass.
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential for data theft by accessing the origin server)
- Integrity: High (Potential for data tampering or configuration changes on the origin server)
- Availability: Medium (Depends on the exploit payload used against the origin server)
## Remediation
### Patches
- The flaw was fixed by Cloudflare on October 27th. The update ensures WAF features are only disabled if the request path matches a **valid ACME HTTP-01 challenge token specifically for that hostname**.
- No action was required from customers as the fix was implemented on Cloudflare's infrastructure.
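The following is an added illustration, written for this page and not Cloudflare's code, of the pre-fix decision described under Vulnerability Description and of the hardened form the patch notes describe. It models the edge's choice of whether to skip the WAF for a request. Assumed for the illustration: active HTTP-01 challenges are tracked per hostname in a dict (`ACTIVE_CHALLENGES`, with a constructed token), the pre-fix matcher keyed on the path prefix alone, and the function names are hypothetical.

```python
"""Edge-side decision: does this request skip the WAF?

Added illustration written for this page; it is not Cloudflare's code.
Modelling assumptions: the edge keeps active HTTP-01 challenges per
hostname in ACTIVE_CHALLENGES (constructed), and the pre-fix matcher
keyed on the path prefix alone.
"""
import re
from typing import NamedTuple, Optional

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: the token is unpadded base64url with at least
# 128 bits of entropy, i.e. 22+ characters from [A-Za-z0-9_-].
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


class Decision(NamedTuple):
    waf_enabled: bool
    action: str           # "serve_challenge" or "proxy_to_origin"
    body: Optional[str]   # key authorization when answered at the edge


# Constructed sample state: hostname -> {token: key authorization}
ACTIVE_CHALLENGES = {
    "shop.example": {
        "Dz6mK1X7m9BqY5kC2R8wN4pL0sTvH3fJaE1uG7cQbX0":
            "Dz6mK1X7m9BqY5kC2R8wN4pL0sTvH3fJaE1uG7cQbX0."
            "ZjViNzY0Y2E1N2I0MjQ4MmE1ZDk2MzY0ODgzY2Y2MDM",
    },
}


def vulnerable_decision(host: str, path: str,
                        challenges=ACTIVE_CHALLENGES) -> Decision:
    """Pre-fix logic as the report describes it: the path shape alone
    turns the WAF off.  When no challenge matches, nothing is served, yet
    the request is still passed to origin with security features off."""
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        body = challenges.get(host, {}).get(token)
        if body is not None:
            return Decision(False, "serve_challenge", body)
        # BUG: WAF already disabled, but this is not an active challenge.
        return Decision(False, "proxy_to_origin", None)
    return Decision(True, "proxy_to_origin", None)


def fixed_decision(host: str, path: str,
                   challenges=ACTIVE_CHALLENGES) -> Decision:
    """Post-fix shape: the bypass applies only to a well-formed token that
    is an active challenge for this exact hostname, and the edge answers it
    itself.  Every other request, ACME-looking or not, keeps the WAF."""
    if path.startswith(ACME_PREFIX):
        token = path[len(ACME_PREFIX):]
        if TOKEN_RE.match(token):
            body = challenges.get(host, {}).get(token)
            if body is not None:
                return Decision(False, "serve_challenge", body)
    return Decision(True, "proxy_to_origin", None)


if __name__ == "__main__":
    probe = ACME_PREFIX + "../../admin"
    print("before fix:", vulnerable_decision("shop.example", probe))
    print("after fix: ", fixed_decision("shop.example", probe))
```

Running the probe shows the difference: the pre-fix function returns `waf_enabled=False` while still proxying to origin, the fixed one keeps the WAF on. Two details of the fixed form matter. The lookup is per hostname, so a token that is live for `shop.example` is not honoured on another hostname behind the same edge. And the bypass exists only for a request the edge answers itself; an ACME-shaped request it cannot answer is treated as an ordinary request, so if an origin runs its own ACME client, validator traffic to it passes through the WAF like anything else.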
### Workarounds
- No specific customer workarounds were detailed, as the vendor mitigated the service-side flaw directly.
## Detection
- **Indicators of compromise**: In origin access logs, requests to `/.well-known/acme-challenge/` that are not legitimate certificate validation attempts: tokens that are not base64url-shaped (RFC 8555 tokens are unpadded base64url with at least 128 bits of entropy, so anything carrying `..`, `/`, `?` or other characters in the token position is probing), well-formed tokens that correspond to no challenge you or Cloudflare issued, and non-GET methods on that path.
- **Detection methods and tools**: Review origin access logs for ACME-path requests that should have been answered at the Cloudflare edge and never reached the origin. Such requests arrive from Cloudflare's proxy ranges with the real client address in the `CF-Connecting-IP` header, not from the attacker's IP directly, so filter on the path rather than on source address. Cross-check the same hostname in WAF logs to confirm the request was passed through without rule evaluation. If you run your own ACME client on the origin, baseline the expected validator traffic first so that it is not flagged.
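As an added example for the detection approach above (not part of the original report or any vendor tooling), the following hunts through origin access logs for ACME-path requests that are not legitimate HTTP-01 validation. It assumes Apache/nginx combined-format logs and, optionally, that the origin's own ACME client exposes the tokens it is currently serving (`KNOWN_TOKENS`); the log lines, the token and the function names are constructed for the illustration.

```python
"""Hunt for ACME-path requests in origin access logs that are not
legitimate HTTP-01 validation.

Added example for this page, not part of the original report or any
vendor tooling.  Assumptions: Apache/nginx combined-format logs, and that
the origin's own ACME client (if any) exposes the tokens it is currently
serving (KNOWN_TOKENS).  Log lines and token are constructed.
"""
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: unpadded base64url, >= 128 bits => 22+ characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

KNOWN_TOKENS = {"Dz6mK1X7m9BqY5kC2R8wN4pL0sTvH3fJaE1uG7cQbX0"}  # constructed

# Constructed sample log.  Behind Cloudflare the source address would be
# a Cloudflare proxy IP, which is why nothing below keys on it.
# Index 0 is a legitimate validator fetch; 1-4 are probes; 5 is unrelated.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /.well-known/acme-challenge/Dz6mK1X7m9BqY5kC2R8wN4pL0sTvH3fJaE1uG7cQbX0 HTTP/1.1" 200 87 "-" "validator/1.0"',
    '203.0.113.10 - - [01/Jan/2025:10:02:14 +0000] "GET /.well-known/acme-challenge/../../wp-admin/ HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.10 - - [01/Jan/2025:10:02:15 +0000] "GET /.well-known/acme-challenge/AAAAAAAAAAAAAAAAAAAAAA HTTP/1.1" 404 153 "-" "curl/8.4.0"',
    '203.0.113.10 - - [01/Jan/2025:10:02:16 +0000] "POST /.well-known/acme-challenge/Dz6mK1X7m9BqY5kC2R8wN4pL0sTvH3fJaE1uG7cQbX0 HTTP/1.1" 405 0 "-" "curl/8.4.0"',
    '203.0.113.10 - - [01/Jan/2025:10:02:17 +0000] "GET /.well-known/acme-challenge/Dz6mK1X7m9BqY5kC2R8wN4pL0sTvH3fJaE1uG7cQbX0?cmd=id HTTP/1.1" 200 87 "-" "curl/8.4.0"',
    '203.0.113.10 - - [01/Jan/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def classify(line: str, known_tokens=KNOWN_TOKENS):
    """Return a reason string for a suspicious ACME-path request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return "unparseable"
    _src, method, target, _status = m.groups()
    if not target.startswith(ACME_PREFIX):
        return None                      # not in scope
    if method != "GET":
        return "non_get_method"          # HTTP-01 validation only ever GETs
    token = target[len(ACME_PREFIX):]
    if not TOKEN_RE.match(token):
        return "malformed_token"         # traversal, query strings, junk
    if token not in known_tokens:
        return "unknown_token"           # shaped right, but nobody issued it
    return None


def find_suspicious(lines, known_tokens=KNOWN_TOKENS):
    """(index, reason) for every flagged line, in log order."""
    hits = []
    for i, line in enumerate(lines):
        reason = classify(line, known_tokens)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for i, reason in find_suspicious(SAMPLE_LOG):
        print(f"line {i}: {reason}")
```

If Cloudflare answers the challenges for the zone, the origin should see no ACME-path traffic at all; call `find_suspicious(lines, known_tokens=set())` in that case so every well-formed token is reported as well. The `unparseable` bucket is deliberately kept rather than dropped, since a hunt that silently skips lines it cannot parse is the wrong default.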
## References
- Vendor Advisory: cloudflare.com/blog/acme-path-vulnerability (defanged)
- Researcher Report: fearsoff.org/research/cloudflare-acme (defanged)