Cloudflare Reverse Proxies are Dumping Uninitialized Memory
61 replies, posted
[QUOTE=SGTNAPALM;51866780]Whose uninitialized memory? My memory, or Cloudflare servers' memory?[/QUOTE]
The Cloudflare servers.
[QUOTE=SGTNAPALM;51866780]Whose uninitialized memory? My memory, or Cloudflare servers' memory? Did my browser transmit this data to the faulty Cloudflare website, or did the Cloudflare website not receive any "unkosher" memory from me but still leak its own memory and all that entails?[/QUOTE]
If you're using Cloudflare's services, your webpage is being "handed" to the user by Cloudflare.
Ever use a proxy in school to get to your favorite game site? Think of Cloudflare as one of those proxies.
Cloudflare fucked up and "dumped" secrets from other websites that it handles onto your website, and vice versa.
[QUOTE=RocketSnail;51866796]If you're using Cloudflare's services, your webpage is being "handed" to the user by Cloudflare. Cloudflare fucked up and "dumped" secrets from other websites onto your website and vice versa.[/QUOTE]
Other websites also using the Cloudflare service, correct? Not just any website? This Cloudflare exploit isn't reading my cookies or anything and sharing them, correct? Because you're making this sound as if EVERY WEBSITE EVER is at risk now.
[QUOTE=SGTNAPALM;51866799]Other websites also using the cloudflare service, correct? Not just any website?[/QUOTE]
Correct.
Alright, thanks for the clarification.
cloudflare has been a massive security risk since day one. why anyone uses it is beyond me. it seems like every other month they're at fault for some sort of massive security breach
[QUOTE=butre;51866809]cloudflare has been a massive security risk since day one. why anyone uses it is beyond me. it seems like every other month they're at fault for some sort of massive security breach[/QUOTE]
It has also provided security to a gigantic number of websites and prevented who knows how many denial of service attacks against small websites that can't protect themselves.
Maybe update the title to "Cloudflare Reverse Proxies [B]were [/B]Dumping Uninitialized Memory"?
[QUOTE=Gbps;51866763]It's not a 0 day if it's patched...
I'm searching caches right now. I can't find a hit on facepunch.com
Please with the sensationalism here.
[/QUOTE]
Sorry, this is my fault with wording and capitals.
What I mean is that even though there are still no publicly available caches or online dumps of information exposed this way, I know this was being used before Tavis' tweet to Cloudflare. To the credit of Google and Cloudflare, they have done a good job handling this issue, but cleaning publicly available caches and possible dumps does not remove the information from the abusers. So what I am trying to say is: please do not treat the absence of publicly available dumps as a reason not to change your password.
Sorry.
[quote]This isn't true. Google hasn't removed all the caches and that isn't even the last of it. At the very least you have DuckDuckGo, Baidu, and Bing needing to be purged.[/quote]
According to Cloudflare they have, and are still working on it? Otherwise they would not have revealed it before, because people would search these public caches for the information.
[QUOTE=Darth_Toast;51866820]Maybe update the title to "Cloudflare Reverse Proxies [B]were [/B]Dumping Uninitialized Memory"?[/QUOTE]
Please do, I literally copied the source's title. I figured changing the title was against the rules.
[editline]23rd February 2017[/editline]
[QUOTE=mn_chaos;51866825]Sorry, this is my fault.
What I mean is that even though there are still no available caches or online dumps of information exposed this way, I know this was being used before Tavis' tweet to Cloudflare. So what I am trying to say is: please do not treat the absence of publicly available dumps as a reason not to change your password.
Sorry.[/QUOTE]
This isn't true. Google hasn't removed all the caches and that isn't even the last of it. At the very least you have DuckDuckGo, Baidu, and Bing needing to be purged.
[QUOTE=Gbps;51866815]It has also provided security to a gigantic number of websites and prevented who knows how many denial of service attacks against small websites that can't protect themselves.[/QUOTE]
denial of service attacks are a minor issue compared to the other problems cloudflare causes.
Reading their blog post, they handled it extremely openly and professionally. Sucks that it happened, but props to them for mitigating as much damage as they possibly could.
[QUOTE=butre;51866839]denial of service attacks are a minor issue compared to the other problems cloudflare causes.[/QUOTE]
They work as an IDS too, actively blocking known attacks as well. They provide a nice range of enterprise-class services for cheap to free.
I'm not sure what scandal you think they're involved in, other than a "big=bad" mentality. I'm friends with a couple of security engineers over there and they're very competent people.
Imagine being the guy to discover this. You go into work one day, find out about this massive exploit, and then that sinking feeling in your stomach as you realize you're going to have to explain it to your superiors. Can't think of a worse emotion.
On topic:
How important is it that I change my passwords? I know it's not [I]safe[/I] to leave them, but if I'm using 2FA mostly anyways, just how bad is it?
All this shit happened last week. Cloudflare is shit at PR and took almost a week to let people know. Google was about to just release it all out into the wild if they didn't release info. Unless a hacker was able to get the right page with the right info that was in memory at that exact moment and knew what the hell to look for, you're fine. No point changing every last password (because that is what you are going to have to do, because literally every site you use uses Cloudflare, and waste a day) until much more info is released.
Yeah, it's like Heartbleed (which this is going to be called Cloudbleed because people are unoriginal) but you don't have control over how much data you get back from the server. You literally don't need to do anything unless you notice things being weird or random password reset emails, THEN YOU CAN FREAK OUT.
[QUOTE=Gbps;51866736]Personally, as a security engineer, I know it would be a nightmare to be at Cloudflare security right now.
That being said, they did everything they could do.
1) They identified and stopped the service leaking the data 47 minutes after the vulnerability was discovered. This is a very fast turnaround time. Sometimes it takes companies months to patch.
2) They fixed the vulnerability and had the patched service up in a few days.
3) They worked with search engine companies to purge caches of known vulnerable pages.
4) They were 100% transparent on their blog about the problem, its cause, and what they did to solve it, and what they will do in the future to prevent it.
It's like a spacecraft crash. It's horrible, but it is highly unlikely to affect you, and it also doesn't mean NASA isn't qualified to send people into space anymore. Feel me?[/QUOTE]
All things considered, that's a pretty professional response from them. I'm surprised they did all that in such a short time, so massive kudos to them.
[QUOTE=jordguitar;51867236]All this shit happened last week. Cloudflare is shit at PR and took almost a week to let people know. Google was about to just release it all out into the wild if they didn't release info. Unless a hacker was able to get the right page with the right info that was in memory at that exact moment and knew what the hell to look for, you're fine. No point changing every last password (because that is what you are going to have to do, because literally every site you use uses Cloudflare, and waste a day) until much more info is released.
Yeah, it's like Heartbleed (which this is going to be called Cloudbleed because people are unoriginal) but you don't have control over how much data you get back from the server. You literally don't need to do anything unless you notice things being weird or random password reset emails, THEN YOU CAN FREAK OUT.[/QUOTE]
What are you talking about? As soon as Google told them, they stopped the affected services, preventing the exploit from happening further. After that they worked to patch it and to get the biggest public caches cleared before they let the news out and people could search for it. When they did release the news, they were open and honest about it.
They handled the situation perfectly.
[QUOTE=jordguitar;51867236]Google was about to just release it all out into the wild if they didn't release info.[/QUOTE]
If by "was about to" you mean "in 90 days" then sure.
[sp]90 days is the Project Zero "fix this or we tell everyone" deadline[/sp]
[QUOTE=RocketSnail;51866635]This broke 2 hours ago. It's advised to change passwords on any website that uses Cloudflare's services.
Sites that are suspected to have been vulnerable to this bug (literally this is huge, this news broke 2 hours ago and affected thousands of websites):
OKCupid
Uber
1Password
Reddit
Lyft
Yelp
Pingdom
Digital Ocean
Montecito Bank and Trust
RapGenius
Coinbase
Bitpay
Product Hunt
Udemy
Crunchyroll
FitBit
Hacker News
Stack Overflow
Zendesk
Discord[/QUOTE]
There's not a single site on this list that I would be devastated if someone took my account. Mostly because I don't have an account, and the ones I do have are completely unimportant.
[QUOTE=Code3Response;51867455]There's not a single site on this list that I would be devastated if someone took my account. Mostly because I don't have an account, and the ones I do have are completely unimportant.[/QUOTE]
That's only a few of the [I]over four million[/I] websites potentially affected by this.
[url]https://github.com/pirate/sites-using-cloudflare[/url]
strange day when an SHA-1 collision turns out to not be the large security flaw.
[QUOTE=BlindSniper17;51867365]All things considered, that's a pretty professional response from them. I'm surprised they did all that in such a short time, so massive kudos to them.[/QUOTE]
It's a nice change to see a company enter "tools down, something's fucked" mode and just fix an exploit in mere hours.
I suppose in this case they had a decent report from the finder of the error. Which certainly stops them wasting time investigating dead ends.
When did the bug start? CF put an end to it last week but how far back does the vulnerability go?
[QUOTE=Xakoro;51867919]When did the bug start? CF put an end to it last week but how far back does the vulnerability go?[/QUOTE]
22 September 2016
[QUOTE=Xakoro;51867919]When did the bug start? CF put an end to it last week but how far back does the vulnerability go?[/QUOTE]
The actually bad bit lasted a few days from the 13th of Feb, iirc. One barely used thing had vulnerabilities since September, but the bug only affected widely used services from February.
As for DDoS protection, I see Cloudflare sites get taken down by DDoS attacks way too often. It's happened to FP even.
For those interested - this is the email I got from them about it:
[quote]
Dear Cloudflare Customer:
Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:
[url]https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/[/url]
While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information could still be available through third party caches, such as the Google search cache.
Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.
In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.
Fortunately, your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.
To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.
Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.
Matthew Prince
Cloudflare, Inc.
Co-founder and CEO
[/quote]
Fucking hell.
Just to be safe, reset the passwords on every fucking website you ever made an account on.
Here's a list of 23.5k companies possibly affected - [URL="https://siftery.com/cloudflare"]Cloudflare Customers[/URL]
[highlight](User was permabanned for this post ("Spambot (admittedly a rather clever one)" - Sgt Doom))[/highlight]