How we mitigated a vulnerability in Cloudflare’s ACME validation logic
AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.
Mitigation of ACME Validation Logic Vulnerability in Cloudflare
Cloudflare recently addressed a vulnerability in its ACME (Automatic Certificate Management Environment) validation logic that could have disabled WAF (Web Application Firewall) features on specific ACME-related paths. Researchers from FearsOff identified and reported the issue through Cloudflare's bug bounty program. The vulnerability was rooted in how Cloudflare's edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*).
Technical Details
ACME is a protocol used to automate the issuance, renewal, and revocation of SSL/TLS certificates. When an HTTP-01 challenge is used to validate domain ownership, a Certificate Authority (CA) expects to find a validation token at an HTTP path of the form http://{customer domain}/.well-known/acme-challenge/{token value}. Cloudflare's edge network would respond on this path and return the token issued by the CA to the caller. However, if the token in the request did not correspond to a Cloudflare-managed order, the request was passed on to the customer origin.
Mitigation
To mitigate this issue, a code change was released so that the set of security features is disabled only when the request matches a valid ACME HTTP-01 challenge token for the hostname. This ensures that WAF features are not disabled when serving ACME challenge tokens for non-Cloudflare-managed zones.
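To make the difference between the two behaviours concrete, here is an added Go example (not Cloudflare's code) that models the routing decision on the challenge path before and after the fix. The `ManagedOrders` store, the `Decision` type and the function names are assumptions for illustration; the path prefix is the one the summary describes.

```go
package main

import "strings"

// HTTP-01 challenge path prefix from the summary above.
const acmeChallengePrefix = "/.well-known/acme-challenge/"

// Decision records what the edge does with one request.
type Decision struct {
	ServeToken bool   // answer the challenge at the edge
	KeyAuth    string // key authorization returned when ServeToken is set
	WAFEnabled bool   // whether security features stay active for the request
}

// ManagedOrders is a hypothetical store: hostname -> token -> key authorization
// for orders the edge manages itself.
type ManagedOrders map[string]map[string]string

// challengeToken extracts the token segment from an HTTP-01 path, accepting
// exactly one non-empty segment after the prefix.
func challengeToken(path string) (string, bool) {
	if !strings.HasPrefix(path, acmeChallengePrefix) {
		return "", false
	}
	tok := strings.TrimPrefix(path, acmeChallengePrefix)
	if tok == "" || strings.ContainsAny(tok, "/?#") {
		return "", false
	}
	return tok, true
}

// routeVulnerable models the pre-fix logic: security features are switched off
// for every request on the challenge path, and unknown tokens still go to origin.
func routeVulnerable(m ManagedOrders, host, path string) Decision {
	tok, ok := challengeToken(path)
	if !ok {
		return Decision{WAFEnabled: true}
	}
	if ka, found := m[strings.ToLower(host)][tok]; found {
		return Decision{ServeToken: true, KeyAuth: ka}
	}
	return Decision{} // forwarded to origin with security features disabled
}

// routeFixed relaxes security features only when the token matches a managed
// order for this hostname; every other request keeps the WAF enabled.
func routeFixed(m ManagedOrders, host, path string) Decision {
	if tok, ok := challengeToken(path); ok {
		if ka, found := m[strings.ToLower(host)][tok]; found {
			return Decision{ServeToken: true, KeyAuth: ka}
		}
	}
	return Decision{WAFEnabled: true}
}
```

Note that in the fixed routine a token registered for one hostname does not unlock the path on another, since the lookup is keyed by hostname first.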
Practical Implications
Cloudflare customers do not need to take any action as the vulnerability has been patched. Cloudflare encourages the community to submit any identified vulnerabilities to help improve the security posture of its products and platform.