Many organizations utilizing Web application firewall (WAF) services from content delivery network (CDN) providers may unknowingly be exposing their back-end servers to direct attacks over the Internet due to a common configuration error. This issue has affected nearly 40% of Fortune 100 companies that rely on their CDN providers for WAF services, as reported by researchers at Zafran who recently investigated the root cause and extent of the problem. Among the susceptible organizations are well-known brands such as Chase, Visa, Intel, Berkshire Hathaway, and UnitedHealth.
WAFs serve as a layer of defense between users and Web applications, scanning traffic for potential threats and blocking or filtering out any suspicious activity. Many organizations have implemented WAFs to shield their Web applications from vulnerabilities that have not yet been patched. The deployment options for WAFs range from on-premises physical or virtual appliances to cloud- and host-based solutions.
According to Zafran’s findings, there are approximately 2,028 domains belonging to 135 companies in the Fortune 1000 that contain at least one allegedly WAF-protected server vulnerable to direct access by attackers over the Internet. This exposure opens up the possibility for denial-of-service (DoS) attacks, ransomware distribution, and other malicious activities.
Ben Seri, the chief technology officer of Zafran, attributes the misconfiguration responsibility primarily to the customers of CDN/WAF providers. However, he notes that CDN providers offering WAF services also share some accountability for failing to provide customers with adequate risk avoidance measures and neglecting to design their networks and services to prevent misconfigurations from occurring in the first place.
The core issue revolves around organizations failing to sufficiently validate Web requests to their back-end origin servers that host the actual content, applications, or data that users are attempting to access. With a CDN-integrated WAF service, the CDN provider integrates the WAF into its edge infrastructure. Incoming traffic to an organization’s Web applications passes through the CDN’s WAF, a reverse proxy server within the vendor’s edge network. The reverse proxy identifies the intended back-end server for a specific Web request and forwards it in an encrypted manner. However, if organizations do not follow best practices, their back-end servers can be left open to Internet traffic without proper validation measures in place.
IP filtering mechanisms and pre-shared digital secrets recommended by CDN providers can help ensure that only requests from designated IP addresses are allowed access to back-end servers. These security measures, when implemented correctly, safeguard back-end servers from direct exposure to the Internet. Unfortunately, Zafran discovered that many organizations have not implemented these validation precautions, leaving their back-end servers vulnerable to unauthorized access.
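The two origin-side checks described above, combined so that both must pass, as an added illustration that is not Zafran's or any CDN provider's code. The edge IP ranges, the header name `X-Origin-Auth` and the secret value are constructed placeholders; a real deployment takes the ranges from the provider's published list and the secret from the CDN's origin configuration.

```python
import hmac
import ipaddress

# Constructed allowlist standing in for the CDN provider's published edge
# ranges (documentation prefixes only; the real list comes from the provider).
CDN_EDGE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed pre-shared secret the CDN is configured to attach to every
# request it forwards. Header name and value are assumptions for this example.
SECRET_HEADER = "X-Origin-Auth"
ORIGIN_SECRET = "example-pre-shared-secret-rotate-me"


def from_cdn_edge(remote_addr: str) -> bool:
    """True only if the TCP peer address lies inside a known CDN edge range.

    Use the actual socket peer address here, never X-Forwarded-For: a client
    that reaches the origin directly controls every header it sends."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in CDN_EDGE_RANGES)


def carries_valid_secret(headers: dict) -> bool:
    """Constant-time comparison of the pre-shared header value."""
    presented = headers.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), ORIGIN_SECRET.encode())


def origin_should_accept(remote_addr: str, headers: dict) -> tuple:
    """Origin-side admission decision for one request.

    Both controls must pass, so a request that discovered the origin address
    (for example through CT logs) and connects to it directly is refused even
    if it guesses or replays the header. Returns (accepted, reason) for logging."""
    if not from_cdn_edge(remote_addr):
        return (False, "peer not in CDN edge allowlist")
    if not carries_valid_secret(headers):
        return (False, "missing or wrong pre-shared secret")
    return (True, "ok")
```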
Zafran’s researchers found that the IP addresses of enterprise origin servers are not as confidential as commonly assumed. Certificate transparency (CT) logs offer attackers and researchers an accessible repository of all SSL/TLS certificates issued to website operators, including certificates for domains associated with critical back-end servers and services. This public visibility further exacerbates the problem, making it easier for attackers to identify origin servers that can be reached directly.
Seri emphasizes that the issue is widespread, affecting a significant percentage of domains protected by CDN providers like Cloudflare. To mitigate this threat, cooperation between CDN/WAF providers and their customers is necessary. Zafran is actively working with affected companies and CDN/WAF providers to identify and rectify the misconfigurations swiftly.
In conclusion, the misconfiguration of Web application firewalls within content delivery networks poses a serious security risk for organizations, potentially exposing their back-end servers to malicious attacks. Collaboration between customers and service providers is crucial to implementing and maintaining robust security measures to protect against these vulnerabilities.