BreakingWAF vulnerability: A major cybersecurity flaw affects 40 percent of Fortune 100 companies
A newly disclosed vulnerability, dubbed "BreakingWAF," in how organizations deploy web application firewall (WAF) services exposes a large share of Fortune 1000 firms, among them JPMorgan Chase, Visa, and Intel, to serious cybersecurity risk. The flaw, identified by researchers at Zafran, stems from critical misconfigurations in customers' use of services from well-known WAF vendors such as Akamai, Cloudflare, Fastly, and Imperva, which leaves the protected backend systems open to direct attack.
Across roughly 140,000 domains belonging to Fortune 1000 companies, Zafran identified about 36,000 backend servers, tied to approximately 8,000 domains, that can be reached without passing through the WAF. The misconfiguration exposes these companies to serious risk, including denial-of-service (DoS) attacks, ransomware, and full application compromise. By Zafran's count, around 40% of Fortune 100 companies and 20% of Fortune 1000 companies are affected.
WAF Misconfiguration: How BreakingWAF Works
The problem stems from the way modern WAF vendors operate: their services double as content delivery networks (CDNs) that sit in front of a customer's web application as a reverse proxy, improving reliability and caching while inspecting traffic. That protection only holds if the backend (origin) server accepts traffic solely from the CDN. Where the origin also accepts connections from anywhere on the Internet, an attacker can use fingerprinting to associate the public domain with the backend's IP address, then send requests straight to that address and bypass the WAF's countermeasures entirely.
Zafran's team demonstrated the impact by running a 20-second DDoS test against a web domain owned by BHHC, a Berkshire Hathaway subsidiary. The test succeeded, showing how exposed even major corporations are. Once attackers can reach backend servers directly, they can mount DDoS attacks, deploy ransomware, or exploit application vulnerabilities that the WAF would normally block.
Financial Impact and Rising Threats
The financial consequences of a BreakingWAF-style attack can be severe. A single hour of DDoS-induced downtime could cost a bank as much as $1.8 million, and a large pizza chain could lose as much as $1.9 million. With attackers increasingly targeting web application flaws, corporations need to move quickly to close exposures like BreakingWAF before they are exploited.
Mitigation Measures for WAF Vulnerability
According to Zafran, the following mitigations prevent the BreakingWAF bypass:
IP Whitelisting (allowlisting): Configure the backend server, or the firewall in front of it, to accept connections only from the trusted IP ranges published by the CDN provider, so that direct requests from anywhere else are dropped.
Pre-Shared Secrets: Have the CDN inject a custom HTTP header carrying a pre-shared secret into every request it forwards, and have the backend reject any request that lacks the correct value.
Mutual TLS (mTLS): Require the CDN to present a client certificate when connecting to the backend, so that both sides authenticate each other and only the CDN's connections are accepted.
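To make the bypass described above and the first two mitigations concrete, here is an added simulation written for this article; it is not code from Zafran or from any WAF vendor. The CDN egress ranges, the shared secret, the single WAF rule, and the requests are all constructed for illustration, and mTLS is not modeled because it is enforced at the TLS terminator rather than in application code:

```python
"""Simulation of the BreakingWAF bypass and two origin-side mitigations.

Added illustration, not code from Zafran or any WAF vendor. The CDN egress
ranges, the shared secret, the WAF rule and the requests are all constructed.
"""
import hmac
import ipaddress

# Constructed: egress ranges a hypothetical CDN/WAF provider publishes.
# Real providers publish theirs; keep this list in sync with that feed.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed pre-shared secret that the CDN is configured to add to every
# request it forwards to the origin, in the header named below.
SECRET_HEADER = "x-origin-auth"
ORIGIN_SECRET = "constructed-secret-rotate-me"


def waf_inspect(request):
    """Toy WAF rule: refuse an obvious SQL-injection pattern in the path.
    Real WAFs do far more; what matters here is that this check runs on
    the CDN edge and never on the origin itself."""
    path = request["path"].lower()
    return not ("' or 1=1" in path or "union select" in path)


def origin_handle(request, peer_ip, enforce=False):
    """Backend (origin) server.

    enforce=False reproduces the BreakingWAF misconfiguration: the origin
    answers whoever can reach it. enforce=True applies two of the listed
    mitigations: the peer must come from a CDN range AND carry the secret.
    """
    if enforce:
        ip = ipaddress.ip_address(peer_ip)
        if not any(ip in net for net in CDN_RANGES):
            return 403, "forbidden: source is not a CDN address"
        supplied = request["headers"].get(SECRET_HEADER, "")
        # Constant-time comparison so the secret cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied.encode(), ORIGIN_SECRET.encode()):
            return 403, "forbidden: missing or wrong origin secret"
    return 200, "served " + request["path"]


def via_cdn(request, enforce=False):
    """Intended path: client -> CDN/WAF edge -> origin."""
    if not waf_inspect(request):
        return 403, "blocked by WAF"
    forwarded = {
        "path": request["path"],
        "headers": {**request["headers"], SECRET_HEADER: ORIGIN_SECRET},
    }
    return origin_handle(forwarded, "203.0.113.10", enforce)  # a CDN edge node


def direct_to_origin(request, attacker_ip="198.51.100.7", enforce=False):
    """Attacker who has mapped the domain to its origin IP and connects
    straight to it, skipping the WAF entirely."""
    return origin_handle(request, attacker_ip, enforce)


if __name__ == "__main__":
    injection = {"path": "/login?user=' OR 1=1 --", "headers": {}}
    print("via CDN, misconfigured origin:", via_cdn(injection))
    print("direct, misconfigured origin: ", direct_to_origin(injection))
    print("direct, hardened origin:      ", direct_to_origin(injection, enforce=True))
    print("via CDN, hardened, benign:    ", via_cdn({"path": "/", "headers": {}}, enforce=True))
```

With enforce=False the injection request is blocked through the CDN but served when sent straight to the origin, which is the whole of BreakingWAF. One caveat worth keeping in mind when applying the allowlist on its own: a CDN's egress ranges are shared by every customer of that provider, so an attacker who signs up for the same CDN and points their own domain at your origin arrives from an allowed address. That is why the address check should be paired with the secret header or with mTLS rather than used alone.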
Several WAF providers, including Akamai and Cloudflare, have published guidance on these mitigations. Zafran has also made tooling for this purpose available through its Threat Exposure Management platform.