The Official Wireshark Blog

The Cloudflare Incident And Its Impact On Wireshark.org

Categories: Announcement Security

Cloudflare recently announced a security incident that potentially impacts anyone who visited various wireshark.org and winpcap.org sites for the past six months.

What happened?

Cloudflare is a popular service that provides content delivery, DDoS protection and DNS services for web sites.

A software bug in Cloudflare’s servers leaked potentially sensitive information. Some of that information ended up in caches all over the Internet: at Google, Microsoft, your ISP, your company’s or university’s proxy servers, and elsewhere. Because the bug was triggered randomly and its effects were spread across many caches, the full impact is difficult to know. Cloudflare provides the following estimate:

“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).”

The bug was introduced on September 22, 2016 and fixed on February 18th, 2017.

The Google Project Zero bug describing the issue in detail can be found at https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

Cloudflare’s incident report can be found at https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

The initial Hacker News discussion can be found at https://news.ycombinator.com/item?id=13718752

Was Wireshark affected?

The following wireshark.org and winpcap.org sites were behind Cloudflare proxies during the period in question:

  • ask.wireshark.org
  • blog.wireshark.org
  • bugs.wireshark.org
  • sharkfest.wireshark.org
  • sharkfesteurope.wireshark.org
  • wiki.wireshark.org
  • www.wireshark.org
  • www.winpcap.org

Wireshark’s download servers (*.dl.wireshark.org), buildbot.wireshark.org and code.wireshark.org were not behind Cloudflare.

I browsed to one of the sites listed above between September 22nd, 2016 and February 18th, 2017. Am I affected?

The chances are slim, but those chances are not zero.

Most of the content that we serve is “static” and “public.” That is, it’s the same for everyone and doesn’t contain any sensitive information. The risk from the Cloudflare bug comes from dynamic content that contains sensitive information, such as the login pages on ask, bugs, wiki, etc. Our web sites get frequent requests for static content, but dynamic requests are relatively infrequent.

In a world where everyone has infinite free time I would have no qualms about recommending that everyone with a wireshark.org account change his or her passwords. However, this is the real world and your time is valuable. If you logged in to one of our sites and used a unique password it might not be worth your time to change it. On the other hand, if your professional reputation depends on your ask.wireshark.org score you probably should. If you have any sort of administrative access you definitely should. Most of our users fall into the first category.

If you’re wondering why it looks like I’m downplaying the importance of changing your wireshark.org passwords, see the next question.

I used a web browser, smart phone, or an internet-connected wearable doohickey between September 22nd, 2016 and February 18th, 2017. Am I affected?

I honestly don’t know. The chances are almost certainly not zero.

Cloudflare is a very popular service. At the time of this writing an unofficial list of affected sites stands at more than four million entries and counting. It includes many of the world’s most popular web sites.

If you’re going to spend time changing passwords, doing so for sites that deal with finance, email, DNA testing, dating, and other parts of your personal life probably ranks higher than that for, say, the Wireshark wiki.

Isn’t a vague answer like “the chances are slim but not zero” a frustratingly craptastic one compared to a definitive “yes” or “no”?

Yes, but it’s also the honest and correct one.

Update: March 2, 2017

Yesterday Cloudflare posted an update on the issue at https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/. In it they posted the following leak estimates:

 Requests per Month       Anticipated Leaks
 ------------------       -----------------
        200B – 300B         22,356 – 33,534
        100B – 200B         11,427 – 22,356
         50B – 100B          5,962 – 11,427
          10B – 50B           1,118 – 5,926
           1B – 10B             112 – 1,118
          500M – 1B                56 – 112
        250M – 500M                 25 – 56
        100M – 250M                 11 – 25
         50M – 100M                  6 – 11
          10M – 50M                   1 – 6
              < 10M                     < 1

The affected wireshark.org web sites get just over 10M requests per month combined. Private traffic is substantially less than that.
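To make the “slim but not zero” reasoning above concrete, here is a small exposure model in Python. It is an added example, not code from the Wireshark project or from Cloudflare. It takes the figures the post quotes (Cloudflare’s peak-period estimate of about 1 leak per 3,300,000 requests, the 1,118-per-10B lower edge of the March 2 table, just over 10M requests per month for the affected wireshark.org sites, and the bug’s live window of September 22, 2016 to February 18, 2017) and treats every request as an independent trial with that leak probability. The dynamic-content fraction and the per-user request count are constructed inputs, not figures from the post.

```python
from datetime import date

# Figures quoted in the post (Cloudflare's own estimates).
PEAK_LEAK_RATE = 1 / 3_300_000            # about 1 in 3.3M requests during the Feb 13-18 peak
TABLE_LEAK_RATE = 1_118 / 10_000_000_000  # 1,118 leaks per 10B requests, from the March 2 table
WIRESHARK_REQUESTS_PER_MONTH = 10_000_000 # "just over 10M requests per month combined"

BUG_INTRODUCED = date(2016, 9, 22)
BUG_FIXED = date(2017, 2, 18)

DAYS_PER_MONTH = 365.25 / 12


def exposure_window_days() -> int:
    """Number of days the parser bug was live."""
    return (BUG_FIXED - BUG_INTRODUCED).days


def expected_leaks(requests: float, rate: float) -> float:
    """Expected number of leaked responses for a given request volume.

    Under a simple Bernoulli model every request leaks independently with
    probability `rate`, so the expectation is just volume * rate.
    """
    return requests * rate


def expected_leaks_over_window(requests_per_month: float, rate: float) -> float:
    """Expected leaks for a site across the whole period the bug was live."""
    months = exposure_window_days() / DAYS_PER_MONTH
    return expected_leaks(requests_per_month * months, rate)


def site_exposure(requests_per_month: float, dynamic_fraction: float, rate: float) -> dict:
    """Split expected leaks into static (public) and dynamic (sensitive) responses.

    The post's point is that only dynamic responses (login pages, session
    data) carry anything sensitive. `dynamic_fraction` is a constructed
    assumption, not a figure from the post.
    """
    if not 0.0 <= dynamic_fraction <= 1.0:
        raise ValueError("dynamic_fraction must be between 0 and 1")
    total = expected_leaks_over_window(requests_per_month, rate)
    dynamic = total * dynamic_fraction
    return {"total": total, "dynamic": dynamic, "static": total - dynamic}


def probability_any_leak(user_requests: int, rate: float) -> float:
    """Probability that at least one of a single user's own requests leaked.

    P(at least one) = 1 - (1 - rate) ** n. For tiny rates this is close to
    n * rate, which is why the honest answer is "slim but not zero".
    """
    if user_requests < 0:
        raise ValueError("request count cannot be negative")
    return 1.0 - (1.0 - rate) ** user_requests


if __name__ == "__main__":
    print(f"bug live for {exposure_window_days()} days")
    for label, rate in (("peak rate", PEAK_LEAK_RATE), ("table rate", TABLE_LEAK_RATE)):
        # 5% dynamic traffic is a constructed assumption for illustration.
        leaks = site_exposure(WIRESHARK_REQUESTS_PER_MONTH, dynamic_fraction=0.05, rate=rate)
        print(f"{label}: {leaks['total']:.2f} expected leaks over the window, "
              f"{leaks['dynamic']:.2f} of them from dynamic responses")
    # A constructed user who made 50 logged-in requests during the window.
    print(f"user with 50 dynamic requests: P(any leak) = "
          f"{probability_any_leak(50, PEAK_LEAK_RATE):.2e}")
```

The model assumes leaks were spread uniformly and independently over the window, which the post itself notes is not the case (the bug fired randomly, with a pronounced peak between February 13 and 18), so treat the output as an order-of-magnitude check on the post’s reasoning rather than an exact count.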

Comments

Comment by Graham Bloice on 2017-02-27 04:12:48 +0000

And the implications if using a remote authentication service rather than a password held on a Wireshark service, e.g. OAuth?

Comment by Greg Gill on 2017-03-04 13:10:47 +0000

Not good news at all.
“I browsed to one of the sites listed above between September 22nd, 2016 and February 18th, 2017. Am I affected? The chances are slim, but those chances are not zero”

Comment by Dustin DeTorres on 2017-03-23 04:48:57 +0000

Is there anything a user should do?