WAF Vulnerability in Akamai, Cloudflare, and Imperva Affected 40% of Fortune 100 Companies


A recently discovered vulnerability in the configuration of web application firewall (WAF) services, dubbed “BreakingWAF”, has left numerous Fortune 1000 companies exposed to cyberattacks, according to Zafran, a cybersecurity research team.

The flaw affects some of the most popular WAF providers, including Akamai, Cloudflare, Fastly, and Imperva. It exposes affected applications to denial-of-service (DoS) attacks, ransomware, and even full application compromise.


How BreakingWAF Affects Organizations

This misconfiguration, uncovered by Zafran’s researchers, impacts over 140,000 domains belonging to Fortune 1000 companies. Among these, 8,000 domains were linked to 36,000 backend servers, leaving those servers open to direct access by attackers and susceptible to DDoS attacks.

Nearly 40% of Fortune 100 and 20% of Fortune 1000 companies are affected, highlighting widespread misconfiguration.

Some of the world’s largest corporations, including JPMorgan Chase, Visa, Intel, Berkshire Hathaway, and UnitedHealth, were found to be affected.

For instance, JPMorgan Chase quickly resolved the issue that directly affected its main website, chase.com, following Zafran’s disclosure.

Zafran’s team demonstrated the severity of this vulnerability by executing a 20-second denial-of-service attack on a web domain owned by Berkshire Hathaway subsidiary BHHC, highlighting the potential for real-world consequences.

According to Zafran’s technical analysis, the flaw lies in the dual role of modern WAF providers, which also operate as content delivery networks (CDNs) to improve network reliability and caching.

When backend (origin) servers do not verify that incoming traffic actually arrived through the WAF, this architecture opens a major hole: attackers can bypass WAF protections entirely and connect straight to the backend infrastructure.

Attackers exploit this flaw by mapping external domains to the backend IP addresses behind them. Providers intend to keep this mapping secret, but it can be reverse-engineered using fingerprinting techniques.

Once they reach the backend servers directly, attackers can launch distributed denial-of-service (DDoS) attacks, deploy ransomware, or exploit application vulnerabilities that the WAF would normally block.

The discovery highlights a systemic weakness in the design and implementation of WAF/CDN solutions.

An effective WAF is often the primary or sole layer of defense for public-facing web applications, making this misconfiguration particularly alarming.

Cyber incidents stemming from WAF bypasses have already resulted in catastrophic consequences, as seen in the Capital One data breach, one of the largest in history.

Recent trends show attackers increasingly targeting web applications with poor configurations. For instance, we have observed the Advanced Persistent Threat (APT) group APT41 exploiting similar vulnerabilities to exfiltrate sensitive data. Additionally, cloud ransomware attacks on exposed web applications are becoming more common.

The financial impact of such attacks is staggering. For example, a DDoS attack lasting an hour could cost a financial organization approximately $1.8 million, while a similar duration of downtime for a major pizza chain could result in losses of up to $1.9 million.

Mitigation Measures

To safeguard against the risks associated with this WAF misconfiguration, Zafran outlined several mitigation strategies:

  1. IP Whitelisting (Origin IP Access Control Lists): Restrict access to backend servers to only the IP addresses of the CDN provider. Although simple, this method is not foolproof on its own.
  2. Pre-Shared Secrets in Custom Headers: Use a custom HTTP header carrying a pre-shared secret to authenticate traffic from the WAF edge. While effective in the short term, this requires periodic rotation of the secret.
  3. Mutual TLS (mTLS): Use client certificates so that the origin server and the CDN authenticate each other. This is the most secure approach, but it requires specialized tooling that not all popular load balancers support.
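As an added illustration of the first two measures (this is example code written for this article, not code from Zafran or any WAF vendor), the following Python check shows what an origin server can do before serving a request: confirm the connecting peer address belongs to the CDN and that a pre-shared header matches. The header name `X-Origin-Secret`, the secret value, and the CDN ranges are placeholders; a real deployment loads the provider’s published egress ranges.

```python
import hmac
import ipaddress

# Constructed placeholder ranges standing in for the WAF/CDN provider's
# published egress ranges; a real deployment loads the provider's list.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Hypothetical header name and secret: the real value must be random,
# configured on the WAF edge, and rotated periodically.
SECRET_HEADER = "X-Origin-Secret"
SHARED_SECRET = "example-secret-rotate-me"


def origin_request_allowed(remote_addr, headers, cdn_ranges=CDN_RANGES, secret=SHARED_SECRET):
    """Decide whether a request that reached the origin came through the WAF.

    Returns (allowed, reason). Both controls are applied together: the peer
    address of the TCP connection must fall inside a CDN range, and the
    pre-shared header must match. X-Forwarded-For is ignored on purpose,
    because a client connecting directly to the origin can forge it.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "unparseable peer address"
    if not any(peer in net for net in cdn_ranges):
        return False, f"peer {peer} is not a CDN egress address"
    # HTTP header names are case-insensitive, so normalise before lookup.
    presented = {k.lower(): v for k, v in headers.items()}.get(SECRET_HEADER.lower(), "")
    # Constant-time comparison avoids leaking the secret through timing.
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return False, "missing or wrong pre-shared secret header"
    return True, "request arrived via the WAF edge"


# Constructed sample requests: one via the edge, one direct hit on the origin
# that spoofs X-Forwarded-For, and one from a CDN range without the secret.
SAMPLES = [
    ("203.0.113.7", {"Host": "www.example.com", "X-Origin-Secret": SHARED_SECRET}),
    ("198.51.100.9", {"Host": "www.example.com", "X-Forwarded-For": "203.0.113.7",
                      "X-Origin-Secret": SHARED_SECRET}),
    ("203.0.113.7", {"Host": "www.example.com"}),
]


def evaluate_samples():
    """Return the allow/deny decision for each constructed sample."""
    return [origin_request_allowed(ip, hdrs)[0] for ip, hdrs in SAMPLES]
```

Only the first sample is allowed; the direct connection is refused even though it presents the correct secret, and the CDN-sourced request without the header is refused as well.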

WAF providers like Akamai and Cloudflare offer detailed guides for implementing these mitigation measures. Additionally, Zafran provides tools that allow organizations to assess and address their exposure to this vulnerability through its Threat Exposure Management platform.

Zafran initiated a 90-day coordinated disclosure process to notify impacted companies, beginning on August 23, 2024. The team reported the vulnerability to Visa, Intel, JPMorgan Chase, Berkshire Hathaway’s BHHC, and UnitedHealth. Notably, JPMorgan Chase and UnitedHealth have already resolved the issue, preventing potential exploitation.
