Cloudbleed

Cloudbleed is a security bug discovered on February 17, 2017, affecting Cloudflare's reverse proxies,[1] which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

As a result, data belonging to Cloudflare customers leaked to other Cloudflare customers whenever it happened to be in the server's memory at that moment. Some of this data was cached by search engines.[2][3][4][5][6]

Discovery

The discovery was reported by the Google Project Zero team.[1] Tavis Ormandy[7] posted the issue on his team's issue tracker and said that he had informed Cloudflare of the problem on February 17. In his own proof-of-concept attack he got a Cloudflare server to return "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."[1]

Similarities with Heartbleed

In its effects, Cloudbleed is similar to the 2014 Heartbleed bug, in that it allowed unauthorized third parties to access data in the memory of programs running on web servers, including data shielded by TLS.[8][12] Cloudbleed could also have affected as many users as Heartbleed, since it affected a security and content delivery service used by close to 2 million websites.[9][10]

Tavis Ormandy, the first to discover the vulnerability, immediately drew a comparison to Heartbleed, saying in his report that "it took every ounce of strength not to call this issue 'cloudbleed'".[1]

Reactions

Cloudflare

On Thursday, February 23, 2017, Cloudflare wrote a post noting that:[11]

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

Cloudflare acknowledged that the memory could have leaked as early as September 22, 2016. The company also stated that one of its own private keys, used for machine-to-machine encryption, had leaked.

It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used. Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself.[2]
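The mechanism Cloudflare describes above (a scanner that keeps reading past the end of its input buffer and copies neighbouring memory into a response) as an added C illustration; this is constructed example code, not Cloudflare's parser, cf-html, or any code from the incident report. The ARENA bytes, A_LEN and both functions are invented for the illustration, and process memory is modelled as one array so the over-read is observable without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not Cloudflare's code. A proxy's memory is
 * modelled as one array so the over-read stays inside a single C object and
 * is observable without undefined behaviour: request A's HTML buffer is
 * followed directly by bytes belonging to an unrelated request B. */
static const char ARENA[] =
    "<html><body>hello<img src=\"x.png\""                      /* request A */
    "Cookie: session=B-SECRET; Authorization: Bearer B-TOKEN";  /* request B */
#define A_LEN 33  /* request A's buffer ends inside the unterminated <img> tag */

/* Copy each tag in [p, pe) to out, as an HTML-rewriting proxy would before
 * editing it. Ragel-style: p walks the input, pe marks its end. Unsafe
 * variant: the inner loop stops only at '>' (or at NUL, which here just keeps
 * the demo inside ARENA), never at pe, so a tag cut off at the buffer end
 * keeps it reading into request B. Returns the number of bytes written. */
int copy_tags_unsafe(const char *p, const char *pe, char *out, size_t cap) {
    size_t n = 0;
    while (p < pe && n + 1 < cap) {
        if (*p != '<') { p++; continue; }
        while (*p != '>' && *p != '\0' && n + 1 < cap) out[n++] = *p++; /* no pe check */
        if (*p == '>' && n + 1 < cap) out[n++] = *p++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Hardened variant: every read is guarded by pe, and a tag still open when
 * the buffer ends is reported as -1 so the caller waits for more input
 * instead of emitting anything from beyond the buffer. */
int copy_tags_safe(const char *p, const char *pe, char *out, size_t cap) {
    size_t n = 0;
    while (p < pe && n + 1 < cap) {
        if (*p != '<') { p++; continue; }
        while (p < pe && *p != '>' && n + 1 < cap) out[n++] = *p++;
        if (p == pe) { out[n] = '\0'; return -1; }  /* tag truncated at buffer end */
        if (n + 1 < cap) out[n++] = *p++;           /* the closing '>' */
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char out[256];
    copy_tags_unsafe(ARENA, ARENA + A_LEN, out, sizeof out);
    printf("unsafe: %s\n", out);  /* request B's cookie shows up in A's output */
    int r = copy_tags_safe(ARENA, ARENA + A_LEN, out, sizeof out);
    printf("safe (%d): %s\n", r, out);
    return 0;
}
```

The same scan over well-terminated input behaves identically in both variants, which is why a latent bug like this can sit unnoticed until a change in how buffers are cut (as the note above describes for cf-html) starts delivering tags that end exactly at a buffer boundary.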

John Graham-Cumming, Cloudflare CTO, noted that Cloudflare clients such as Uber and OkCupid were not directly informed of the leaks because of the security risks involved. “There was no backdoor communication outside of Cloudflare — only with Google and other search engines,” he said.[4]

Graham-Cumming also said that "Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it." He added that his team had already begun testing their software for other possible issues.[5]

Google Project Zero team

Tavis Ormandy initially stated that he was "really impressed with Cloudflare's quick response, and how dedicated they are to cleaning up from this unfortunate issue."[1] However, when Ormandy pressed Cloudflare for additional information, "They gave several excuses that didn't make sense,"[12] before sending a draft that "severely downplays the risk to customers."[13]

Uber

Uber stated that the impact on its service was very limited.[8] An Uber spokesperson added "only a handful of session tokens were involved and have since been changed. Passwords were not exposed."[14]

OKCupid

OKCupid CEO Elie Seidman said: "CloudFlare alerted us last night of their bug and we've been looking into its impact on OkCupid members. Our initial investigation has revealed minimal, if any, exposure. If we determine that any of our users has been impacted we will promptly notify them and take action to protect them."[8][14]

Fitbit

A Fitbit representative stated the company is investigating the issue, and that concerned users should change their passwords immediately.[14]

Remediation

Many major news outlets advised consumers of sites using Cloudflare to change their passwords,[15][16][17][5] even for accounts protected by two-factor authentication, as they could be at risk.[18] Passwords used in mobile apps could also have been affected.[19] Researchers at Arbor Networks, in an alert, suggested that "For most of us, the only truly safe response to this large-scale information leak is to update our passwords for the Web sites and app-related services we use every day...Pretty much all of them."[20]

Inc. Magazine cybersecurity columnist Joseph Steinberg, however, advised people not to change their passwords, stating that "the current risk is much smaller than the price to be paid in increased 'cybersecurity fatigue' leading to much bigger problems in the future."[21]

References

1. "Issue 1139: cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory", google-security-research group on code.google.com, 19 February 2017. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 (accessed 24 February 2017)
2. "Incident report on memory leak caused by Cloudflare parser bug", Cloudflare, 23 February 2017. https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/ (accessed 24 February 2017)
3. Matt Burgess, "Cloudflare has been leaking private Uber, Fitbit and Ok Cupid details for months", WIRED UK. https://www.wired.co.uk/article/cloudflare-cloudbleed-passwords-leaked-online (accessed 24 February 2017)
4. Kate Conger, "Major Cloudflare bug leaked sensitive data from customers’ websites", TechCrunch. https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/ (accessed 24 February 2017)
5. "CloudFlare Leaked Sensitive Data Across the Internet For Months", Fortune. http://fortune.com/2017/02/24/cloudflare-leak-bug-sensitive-information/ (accessed 24 February 2017)
6. Reuters, "Bug Causes Personal Data Leak, but No Sign of Hackers Exploiting: Cloudflare", The New York Times, 24 February 2017. https://www.nytimes.com/reuters/2017/02/24/technology/24reuters-cyber-cloudflare.html (accessed 24 February 2017)
7. Triangulation, episode 288: Marc Rogers.
8. Thomas Fox-Brewster, "Google Just Discovered A Massive Web Leak... And You Might Want To Change All Your Passwords", Forbes. https://www.forbes.com/sites/thomasbrewster/2017/02/24/google-just-discovered-a-massive-web-leak-and-you-might-want-to-change-all-your-passwords/ (accessed 24 February 2017)
9. Iain Thomson, "Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug", The Register, 24 February 2017. https://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/ (accessed 24 February 2017)
10. Adam Clark Estes, "Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster", Gizmodo. https://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616 (accessed 24 February 2017)
11. "CloudBleed memory leak bug explained - How it all happened", TechBuzzIn, 25 February 2017. http://www.techbuzzin.com/blog/2017/02/25/cloudbleed-cloudflare-memory-leak-bug-explained/ (accessed 3 March 2017)
12. Comment 16 on Project Zero issue 1139. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139#c16
13. Comment 19 on Project Zero issue 1139. https://bugs.chromium.org/p/project-zero/issues/detail?id=1139#c19
14. Selena Larson, "Why you shouldn't freak out (yet) about the 'Cloudbleed' security leak", CNNMoney, 24 February 2017. http://money.cnn.com/2017/02/24/technology/cloudflare-cloudbleed-security-vulnerability/index.html (accessed 24 February 2017)
15. "Cloudbleed: How to deal with it", Medium, 24 February 2017. https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165 (accessed 24 February 2017)
16. "Cloudbleed Explained: Flaw Exposes Mountains of Private Data", Popular Mechanics, 24 February 2017. http://www.popularmechanics.com/technology/security/a25380/cloudbleed-explained/ (accessed 24 February 2017)
17. Lucian Constantin, "Cloudflare bug exposed passwords, other sensitive data from websites", CIO. http://www.cio.com/article/3173858/security/cloudflare-bug-exposed-passwords-other-sensitive-data-from-websites.html (accessed 24 February 2017)
18. Bryan Menegus, "Change Your Passwords. Now.", Gizmodo. https://gizmodo.com/cloudbleed-password-memory-leak-cloudflare-1792709635 (accessed 24 February 2017)
19. David Weinstein, "Cloudflare ‘Cloudbleed’ bug impact on mobile apps: Data sample of...", NowSecure, 24 February 2017. https://www.nowsecure.com/blog/2017/02/23/cloudflare-cloudbleed-bugs-impact-mobile-apps/ (accessed 24 February 2017)
20. "Cloudflare Leaked Web Customer Data For Months", Dark Reading. http://www.darkreading.com/attacks-breaches/cloudflare-leaked-web-customer-data-for-months/d/d-id/1328266 (accessed 25 February 2017)
21. Joseph Steinberg, "Why You Can Ignore Calls To Change Your Passwords After Today's Massive Password Leak Announcement", Inc., 24 February 2017. http://www.inc.com/joseph-steinberg/why-you-can-ignore-calls-to-change-your-passwords-after-todays-massive-password-.html (accessed 24 February 2017)

External links

  • List of domains using Cloudflare DNS on GitHub: https://github.com/pirate/sites-using-cloudflare
  • Simple website that lets you check for affected domains quickly: https://bleed.cloud
  • A Chrome extension that checks bookmarks against potentially affected domains: https://chrome.google.com/webstore/detail/cloudbleed-bookmark-check/egoobjhmbpflgogbgbihhdeibdfnedii
  • Cloudbleed explained - How the biggest web cache leak on the internet happened
  • Quantifying the impact of the CloudBleed bug: https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/