Site icon Sophos News

Cloudflare chief pledges third-party review of code

Bad as Cloudbleed is, there’s no evidence attackers exploited it before the patch was deployed. But since the vulnerability was triggered more than 1.2m times from 6,500 sites, Cloudflare is taking no chances: the company has tapped an outside company, Veracode, to scour its code.

CEO Matthew Prince pledged the external review as he set out a detailed update after 12 days of investigation. That update includes a synopsis of how the vulnerability was created and who faced the most risk. He said Cloudflare continues to work with Google and others to eliminate all leaked data from memory:

We’ve successfully removed more than 80,000 unique cached pages. That underestimates the total number because we’ve requested search engines purge and re-crawl entire sites in some instances.

Cloudbleed is a serious vulnerability in Cloudflare’s internet infrastructure that Google Project Zero researcher Tavis Ormandy discovered in mid-February. It turned out that a single character in Cloudflare’s code caused the problem. In its initial blog post on the matter, Cloudflare said the issue stemmed from its decision to use a new HTML parser called cf-html.

Defining the trigger

In his update, Prince said Cloudbleed was triggered when a page with two characteristics was requested through Cloudflare’s network. The two characteristics were:

  1. The HTML on the page needed to be broken in a specific way; and
  2. A particular set of Cloudflare features needed to be turned on for the page in question.

He said:

When a page for a particular customer is being parsed it is stored in memory on one of the servers that is a part of our infrastructure. Contents of the other customers’ requests are also in adjacent portions of memory on Cloudflare’s servers. The bug caused the parser, when it encountered unterminated attribute at the end of a page, to not stop when it reached the end of the portion of memory for the particular page being parsed. Instead, the parser continued to read from adjacent memory, which contained data from other customers’ requests.

How Cloudflare customers can protect themselves

In a previous article on Cloudbleed, Naked Security offered tips Cloudflare customers can use to protect themselves from future exploits. The guidance was provided by Ryan Lackey, a well-known industry professional and former Cloudflare employee. He suggested the following:


Exit mobile version