Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could lead to data theft or full server takeover.
FearsOff security researchers reported the bug in October through Cloudflare’s bug bounty program, and the CDN says it has patched the vulnerability in its ACME (Automatic Certificate Management Environment) validation logic with no action required from its customers.
ACME is a protocol that certificate authorities and services like Cloudflare use to automate the issuance, renewal, and revocation of SSL/TLS certificates.
It uses challenges to prove control of a domain before a certificate is issued, most commonly the HTTP-01 challenge, in which the certificate authority fetches a validation token from a fixed path on the customer's domain of the form http://{customer domain}/.well-known/acme-challenge/{token value}.
In its report, the cyber-threat hunting firm likens a WAF to the front door and ACME to a hallway that should only be used by a certificate robot to verify domain ownership. When configured correctly, a WAF can help let expected validation traffic through while filtering out many malicious requests, including automated bots.
“A certificate robot’s hallway should never become a side door,” the FearsOff researchers wrote.
The “side door” in this case was caused by a logic flaw in how Cloudflare processed some ACME challenge requests.
“Previously, when Cloudflare was serving a HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response,” Cloudflare explained in a Monday blog.
“This is done because those features can interfere with the [certificate authority’s] ability to validate the token values and would cause failures with automated certificate orders and renewals,” it continued.
The problem was the scope of that check. The logic only verified that the token in the request path matched some active challenge somewhere in Cloudflare's system, not that it matched a challenge issued for the hostname the request was actually aimed at. A request to any customer hostname under /.well-known/acme-challenge/ carrying such a token therefore had the WAF switched off and was forwarded straight to the origin server, completely bypassing the customer's WAF rules.
Cloudflare fixed the flaw on October 27 by pushing code that only allows the WAF features to be disabled if the request matches a valid ACME HTTP-01 challenge token for the hostname.
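The difference between the two versions of that check is small enough to show in a few lines. The following is an added illustration written for this article, not Cloudflare's code: the table of active challenges, the Request type, the function names and the sample log lines are all constructed assumptions. It models the vulnerable lookup (token matched against every active challenge) beside the fixed one (token matched against the challenge for the requested hostname), routes a few requests through each, and includes a small log-scanning helper of the kind a customer might adapt to look for acme-challenge requests that would have reached their origin unguarded before the fix.

```python
"""Model of the HTTP-01 challenge short-circuit described in the article.

Added illustration, not Cloudflare's code. The challenge table, the Request
type, the function names and the sample log are assumptions constructed for
this example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed state: hostname -> token of the HTTP-01 challenge currently open
# for it. A real system holds many; two are enough to show the flaw.
ACTIVE_CHALLENGES = {
    "shop.example": "tok-shop-1",
    "attacker.example": "tok-attacker-1",
}


@dataclass(frozen=True)
class Request:
    host: str   # hostname the edge matched the request to (Host header / SNI)
    path: str   # request path with any query string already removed


def acme_token(path: str) -> Optional[str]:
    """Return the token segment of an HTTP-01 path, or None if it is not one."""
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    # The token is exactly one path segment: reject empty or nested paths.
    if not token or "/" in token:
        return None
    return token


def waf_off_vulnerable(req: Request) -> bool:
    """Pre-fix logic: WAF is switched off if the token matches an active
    challenge for *any* hostname in the system; the hostname is ignored."""
    token = acme_token(req.path)
    return token is not None and token in ACTIVE_CHALLENGES.values()


def waf_off_fixed(req: Request) -> bool:
    """Post-fix logic: WAF is switched off only if the token is the active
    challenge issued for the hostname actually being requested."""
    token = acme_token(req.path)
    return token is not None and ACTIVE_CHALLENGES.get(req.host) == token


def route(req: Request, waf_off: Callable[[Request], bool]) -> Tuple[str, bool]:
    """Decide where a request goes and whether the WAF inspects it.

    Returns (destination, waf_applied). A genuine challenge for this hostname
    is answered at the edge; everything else is proxied to the origin, with
    the WAF applied unless the ACME policy turned it off.
    """
    token = acme_token(req.path)
    if token is not None and ACTIVE_CHALLENGES.get(req.host) == token:
        return ("edge", False)          # edge serves the key authorization itself
    return ("origin", not waf_off(req))


def unguarded_origin_hits(log_lines: List[str],
                          waf_off: Callable[[Request], bool]) -> List[str]:
    """Return the 'host path' log lines the given policy would have forwarded
    to the origin with the WAF off. The log format is an assumption."""
    hits = []
    for line in log_lines:
        host, path = line.split(" ", 1)
        dest, waf_applied = route(Request(host, path), waf_off)
        if dest == "origin" and not waf_applied:
            hits.append(line)
    return hits


# Constructed sample of requests seen for shop.example
SAMPLE_LOG = [
    "shop.example /.well-known/acme-challenge/tok-shop-1",      # real renewal
    "shop.example /.well-known/acme-challenge/tok-attacker-1",  # token borrowed from another zone
    "shop.example /.well-known/acme-challenge/tok-unknown",     # random probe
    "shop.example /admin/login",                                # ordinary traffic
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        host, path = line.split(" ", 1)
        req = Request(host, path)
        print(f"{path:48} vulnerable={route(req, waf_off_vulnerable)} "
              f"fixed={route(req, waf_off_fixed)}")
    print("reached origin unguarded under the old logic:",
          unguarded_origin_hits(SAMPLE_LOG, waf_off_vulnerable))
```

Run as a script, the second sample line is the one that matters: under the old logic a token that is live for attacker.example switches the WAF off for shop.example and the request goes to shop.example's origin uninspected, while under the fixed logic the same request is proxied with the WAF applied. A random token that is not active anywhere never disabled the WAF under either version, which is why the bug required a real, active challenge token rather than just knowledge of the path.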
While there’s no evidence that miscreants found and abused the security hole before Cloudflare fixed the issue, the bug hunters say that this type of WAF bypass becomes an even bigger threat to organizations in the face of AI-driven attacks.
“Automated tools powered by machine learning can rapidly enumerate and exploit exposed paths like /.well-known/acme-challenge/, probing for framework-specific weaknesses or misconfigurations at scale,” FearsOff wrote in a Monday analysis. “For instance, an AI model trained to identify servlet traversal quirks or PHP routing bugs could chain this bypass with targeted payloads, turning a narrow maintenance path into a broad attack vector.” ®