Bypassing the WAF in Azure and Cloudflare Access via an H2C smuggling attack

A group of specialists has detailed a method that abuses the well-known “H2C smuggling” technique to bypass authentication and some WAF mechanisms on multiple cloud platforms. The findings include a bypass of WAF routing in Microsoft Azure and an authentication bypass in Cloudflare Access.

Bishop Fox researchers note that load balancers such as AWS ALB/CLB, NGINX, and Apache Traffic Server block H2C smuggling because they do not forward the headers that a compliant H2C connection upgrade requires.

The researchers also note that not all backends insist on a compliant upgrade request, which they tested with a non-compliant Connection: Upgrade variant that omits the HTTP2-Settings value from the Connection header: “By redesigning the h2cSmuggler tool, it was possible to find multiple instances of ready-to-use configured services that allowed H2C upgrades, allowing evasion of authorization controls”.

This attack variant, introduced in late 2020, abuses front-ends that are not aware of H2C to tunnel through to backend systems, allowing threat actors to bypass front-end rewrite rules and abuse internal HTTP headers.

It should be remembered that the H2C upgrade is an older mechanism that upgrades an ordinary, short-lived HTTP/1.1 connection to a persistent connection speaking the HTTP/2 binary protocol in cleartext. When an HTTP request sent to a reverse proxy includes a Connection: Upgrade header, the proxy keeps the connection open and simply relays the subsequent traffic between client and server: “When using H2C smuggling, it is possible to bypass the routing rules that the reverse proxy applies when processing route-based requests,” the experts note.

In this regard, Microsoft Azure notes that Azure Application Gateway offers the option of attaching the Azure WAF to the gateway: “With the Application Gateway removing HTTP2-Settings from the upgrade request but leaving the other headers intact, researchers were able to evade routing rules.”

Similarly, rules enforced by Cloudflare Access, the authentication service applied by the Cloudflare load balancer, can be bypassed because the request proxy rewrites the upgrade request to drop HTTP2-Settings but retains the other headers.
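To make the mechanism concrete from the proxy's side, the following is an added example (not Bishop Fox's h2cSmuggler and not code from Azure or Cloudflare). It models the three behaviours the article contrasts: a spec-compliant h2c upgrade request, the partial rewrite that drops only HTTP2-Settings while forwarding Connection and Upgrade, and the full hop-by-hop stripping that load balancers such as ALB and NGINX are said to perform. The header names follow RFC 7230 and RFC 7540; the sample request, its host name and its HTTP2-Settings value are constructed for illustration.

```python
"""Classify and sanitise HTTP/1.1 -> h2c upgrade requests at a reverse proxy.

Added example for the article above; not the h2cSmuggler tool and not any
vendor's proxy code.  Sample request values are constructed.
"""

# Hop-by-hop headers a proxy must not forward verbatim (RFC 7230 section 6.1).
# The first three are the ones that carry an H2C upgrade offer.
HOP_BY_HOP = {"connection", "upgrade", "http2-settings", "keep-alive",
              "proxy-connection", "te", "trailer", "transfer-encoding"}


def _tokens(value):
    """Split a comma-separated header value into a set of lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def classify_upgrade(headers):
    """Return 'none', 'compliant' or 'upgrade-only' for a request header dict.

    compliant    - Connection lists both Upgrade and HTTP2-Settings, Upgrade is
                   h2c and an HTTP2-Settings header is present (RFC 7540 3.2).
    upgrade-only - Connection: Upgrade plus Upgrade: h2c, but HTTP2-Settings is
                   absent from the Connection token list; the non-compliant
                   form the article says some backends still accept.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "h2c" not in _tokens(h.get("upgrade", "")):
        return "none"
    conn = _tokens(h.get("connection", ""))
    if "upgrade" not in conn:
        return "none"
    if "http2-settings" in conn and "http2-settings" in h:
        return "compliant"
    return "upgrade-only"


def strip_only_http2_settings(headers):
    """Model the partial rewrite the article attributes to the affected proxies.

    HTTP2-Settings is removed, both as a header and as a Connection token, but
    Connection and Upgrade are forwarded unchanged to the backend.
    """
    out = {}
    for k, v in headers.items():
        lk = k.lower()
        if lk == "http2-settings":
            continue
        if lk == "connection":
            v = ", ".join(t.strip() for t in v.split(",")
                          if t.strip().lower() != "http2-settings")
        out[k] = v
    return out


def sanitize_for_backend(headers):
    """Drop every hop-by-hop header so no upgrade offer reaches the backend.

    This is the behaviour the article credits AWS ALB/CLB, NGINX and Apache
    Traffic Server with: the upgrade cannot be negotiated end-to-end because the
    headers that request it are never forwarded.
    """
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


# Constructed sample of a spec-compliant h2c upgrade request (RFC 7540 3.2).
SAMPLE_UPGRADE = {
    "Host": "app.example.test",
    "Connection": "Upgrade, HTTP2-Settings",
    "Upgrade": "h2c",
    "HTTP2-Settings": "AAMAAABkAAQAAP__",   # constructed base64url payload
    "User-Agent": "example-client",
}


if __name__ == "__main__":
    # What the backend sees under each forwarding policy.
    print("client request   :", classify_upgrade(SAMPLE_UPGRADE))
    print("partial rewrite  :",
          classify_upgrade(strip_only_http2_settings(SAMPLE_UPGRADE)))
    print("full strip       :",
          classify_upgrade(sanitize_for_backend(SAMPLE_UPGRADE)))
```

Running it shows the point of the article in three lines: the client's request classifies as compliant; after the partial rewrite the backend still receives an upgrade-only offer, which a lenient backend may honour, turning the proxy into a tunnel past its own rules; after full hop-by-hop stripping no upgrade offer survives. A front-end that must keep WebSocket upgrades working can instead reject or strip any request whose Upgrade header lists h2c.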

Cloudflare received the report through its bug bounty program and has already deployed the necessary fixes to prevent exploitation of this flaw. To learn more about information security risks, malware variants, vulnerabilities and information technologies, visit the International Institute of Cyber Security (IICS) websites.