BreakingWAF Vulnerability Exposes Major Companies to Cyber Threats

Discover how widespread WAF misconfigurations create vulnerabilities in Fortune 100 companies, presenting a significant opportunity to showcase CloudGuard's superior security solutions.


A vulnerability named "BreakingWAF" has been found in the configuration of web application firewall (WAF) services used by major providers like Akamai, Cloudflare, Fastly, and Imperva, affecting around 40% of Fortune 100 companies. This flaw allows attackers to bypass WAF protections and directly access backend servers, leading to potential denial-of-service attacks, ransomware, or application compromise. The issue affects over 140,000 domains, exposing numerous backend servers to cyber threats. Zafran researchers have suggested mitigation measures such as IP whitelisting, pre-shared secrets in custom headers, and mutual TLS to address the vulnerability. Affected companies have been notified, with some already resolving the issue.


Key Facts

Risks:

Misconfiguration, Web App/Website Vulnerability, Third-Party Vendor/SaaS

Keywords:

BreakingWAF, Akamai, Cloudflare, Imperva, Fortune 100, WAF vulnerability, DoS attack, CDN security

CVE:

N/A

Affected:

Akamai, Cloudflare, Fastly, Imperva, JPMorgan Chase, Visa, Intel, Berkshire Hathaway, UnitedHealth


Article Body

WAF Vulnerability Impacting Major Companies

A newly identified vulnerability known as "BreakingWAF" has been discovered in the configurations of web application firewall (WAF) services. This vulnerability affects major providers such as Akamai, Cloudflare, Fastly, and Imperva, putting a significant portion of Fortune 100 companies at risk.

Scope of the Vulnerability

The flaw impacts over 140,000 domains tied to Fortune 1000 companies, with approximately 36,000 backend servers connected to 8,000 of these domains. This misconfiguration leaves these servers open to potential attacks, including denial-of-service (DoS) and ransomware threats. Notably, around 40% of Fortune 100 and 20% of Fortune 1000 companies are affected, including prominent names like JPMorgan Chase, Visa, Intel, Berkshire Hathaway, and UnitedHealth.

How the Vulnerability Works

The vulnerability arises from the dual role of modern WAF providers, which also serve as content delivery networks (CDNs) to boost network performance. In this architecture the provider sits in front of the origin as a reverse proxy, so the WAF only protects the application if the backend accepts traffic solely from the provider. Where backend servers do not verify where their traffic comes from, an attacker who learns the origin's address can bypass the WAF and reach the backend infrastructure directly.

Attackers can exploit this flaw by mapping external domains to backend IP addresses, using sophisticated fingerprinting techniques to reverse-engineer domain mappings. Once they gain access, they can launch distributed denial-of-service (DDoS) attacks, deploy ransomware, or exploit application vulnerabilities that a WAF would typically intercept.

Real-World Implications

The potential consequences of this vulnerability are severe. For example, Zafran's research team demonstrated a brief DoS attack on a Berkshire Hathaway subsidiary, illustrating the tangible risks. WAFs often serve as the main defense for public-facing web applications, so this misconfiguration poses a significant threat.

Historical incidents, like the Capital One data breach, underscore the catastrophic outcomes of WAF bypasses. Attackers increasingly target poorly configured web applications, as the activities of the APT41 group show. The financial repercussions of such attacks are substantial, with potential losses reaching millions of dollars from just an hour of downtime.

Mitigation Strategies

To address this WAF misconfiguration, several mitigation measures are recommended:

- IP whitelisting: configure the origin to accept connections only from the WAF provider's published IP ranges, so traffic that did not pass through the WAF is refused at the network level.
- Pre-shared secrets in custom headers: have the WAF add a secret header to every request it forwards, and have the origin reject any request that lacks the correct value.
- Mutual TLS: require the WAF to present a client certificate when connecting to the origin, so only the provider can complete a TLS handshake with the backend.

WAF providers like Akamai and Cloudflare offer guides for implementing these measures. Zafran also provides tools through its Threat Exposure Management platform to help organizations evaluate and mitigate their exposure to this vulnerability. A 90-day coordinated disclosure process began on August 23, 2024, to alert affected companies, with some, such as JPMorgan Chase and UnitedHealth, already resolving the issue.
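The following is an added example, not code from Zafran, the article, or any WAF vendor. It shows what "adequately verifying traffic" at the origin looks like in practice, combining two of the mitigations above: an allowlist of the provider's egress IP ranges and a pre-shared secret header. The network ranges, header name and secret value are constructed placeholders; a real deployment takes the ranges from the provider's published list and keeps the secret in a secrets manager.

```python
"""Origin-side verification that a request actually traversed the WAF/CDN.

Added example (not Zafran's or a WAF vendor's code). Two checks are layered:
  1. the TCP peer address must fall inside the WAF provider's egress ranges;
  2. a pre-shared secret header, added by the WAF on every forwarded request,
     must be present and match (constant-time comparison).
"""
import hmac
import ipaddress

# Constructed placeholder ranges standing in for the provider's published egress
# networks (assumption: your WAF/CDN provider publishes such a list).
WAF_EGRESS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),  # TEST-NET-3, placeholder only
    ipaddress.ip_network("2001:db8::/32"),   # documentation prefix, placeholder only
]

# Hypothetical header name and secret value; configure the WAF to attach this
# header to every request it forwards to the origin.
SECRET_HEADER = "x-origin-verify"
PRESHARED_SECRET = b"replace-with-random-32-byte-value"


def peer_in_waf_ranges(peer_ip: str) -> bool:
    """True if the socket peer address belongs to one of the WAF egress networks.

    Only the peer address is trusted. X-Forwarded-For and similar headers are
    written by whoever opened the connection, so a client that reaches the
    origin directly can forge them; they play no part in this decision.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in WAF_EGRESS_RANGES)


def secret_header_valid(headers: dict) -> bool:
    """True if the pre-shared secret header is present and matches.

    Header names are case-insensitive in HTTP, so keys are normalised first;
    hmac.compare_digest avoids leaking the secret through timing differences.
    """
    normalised = {k.lower(): v for k, v in headers.items()}
    value = normalised.get(SECRET_HEADER)
    if value is None:
        return False
    return hmac.compare_digest(value.encode("utf-8"), PRESHARED_SECRET)


def request_allowed(peer_ip: str, headers: dict) -> tuple:
    """Decide whether the origin should serve the request; returns (allowed, reason).

    Both checks must pass. The allowlist alone is weak when other tenants of the
    same provider can make it fetch from your origin, and the header alone is
    weak if the secret leaks, so the two are combined.
    """
    if not peer_in_waf_ranges(peer_ip):
        return False, "peer address not in WAF egress ranges"
    if not secret_header_valid(headers):
        return False, "missing or wrong origin-verification header"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one forwarded by the WAF, one sent straight
    # to the origin with a forged X-Forwarded-For header.
    via_waf = ("203.0.113.10", {"X-Origin-Verify": PRESHARED_SECRET.decode(), "Host": "app.example"})
    direct = ("198.51.100.7", {"X-Forwarded-For": "203.0.113.10", "Host": "app.example"})
    for ip, hdrs in (via_waf, direct):
        allowed, why = request_allowed(ip, hdrs)
        print(f"{ip}: {'allow' if allowed else 'deny'} ({why})")
```

In a real service this logic runs as middleware before any application code, and the deny branch should be logged, since a steady stream of direct-to-origin requests that fail these checks is itself a useful detection signal that the origin address has been discovered. Mutual TLS, the third measure named above, is configured on the listener rather than in application code and is not shown here.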


Read More

https://cybersecuritynews.com/waf-vulnerability-in-akamai-cloudflare-and-imperva/