Yesterday, Cloudflare posted an incident report on their blog about an issue discovered in their HTML parser. A very nice report which is worth a read! As usual, in our cyber world, this vulnerability quickly received a nice name and logo: “Cloudbleed“. I’ll not explain in details the vulnerability here, there are already multiple reviews of this incident.
According to Cloudflare, the impact is the following:
This included HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens).
A lot of interesting data could be disclosed so my biggest concern was: “Am I affected by Cloudbleed?” Cloudflare being a key player on the Internet, chances to visit websites protected by their services are very high. How to make an inventory of those websites? The idea is to use Splunk to achieve this: If your DNS resolvers logs are indexed by Splunk, you can use a lookup table to search for IP addresses belonging to Cloudflare.
Cloudflare is transparent and publicly announces the IP subnets they use (both IPv4 & IPv6). By default, Splunk does not perform lookups in CIDR directly. I created the complete list of IP addresses with a few lines of Python:
#!/usr/bin/python # IP Sources: # https://www.cloudflare.com/ips/ from netaddr import IPNetwork cidrs = [ '126.96.36.199/22', '188.8.131.52/22', '184.108.40.206/22', '220.127.116.11/12', '18.104.22.168/18', '22.214.171.124/22', '126.96.36.199/18', '188.8.131.52/15', '184.108.40.206/13', '220.127.116.11/20', '18.104.22.168/20', '22.214.171.124/20', '126.96.36.199/22', '188.8.131.52/17', '184.108.40.206/21' ] for cidr in cidrs: for ip in IPNetwork(cidr): print '%s' % ip
The generated file can now be imported as a lookup table in Splunk. My DNS requests are logged through a Bro instance. Using the following query, I extracted URLs that are resolved with a Cloudflare IP address:
sourcetype=bro_dns rcode=A NOT qclass = "*.cloudflare.com" | lookup cloudflare.csv TTLs OUTPUT TTLs as ip | search ip="*" | dedup qclass | table qclass
(The query is very easy to adapt to your own environment.)
For the last 6 months, I got a list of 158 websites. The last step is manual: review the URLs and if you’ve accounts or posted sensitive information with them, it’s time to change your passwords / API keys!