CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3747 – Insufficient Validation on Override Codes for Always-Enabled WARP Mode
https://notcve.org/view.php?id=CVE-2023-3747
Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lack of server side validation, an attacker with local access to the device, could extend the maximum allowed disconnected time of WARP client granted by an override code by changing the date & time on the local device where WARP is running. Los Administradores de Zero Trust tienen la capacidad de impedir que los usuarios finales deshabiliten WARP en sus dispositivos. Los administradores también pueden crear códigos de anulación para permitir que un dispositivo se desconecte temporalmente de WARP, sin embargo, debido a la falta de validación del lado del servidor, un atacante con acceso local al dispositivo podría extender el tiempo máximo permitido de desconexión del cliente WARP otorgado por un código de anulación cambiando la fecha y hora en el dispositivo local donde se ejecuta warp. • https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#retrieve-the-override-code https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone • CWE-565: Reliance on Cookies without Validation and Integrity Checking CWE-602: Client-Side Enforcement of Server-Side Security •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2754 – Plaintext transmission of DNS requests in Windows 1.1.1.1 WARP client
https://notcve.org/view.php?id=CVE-2023-2754
The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses but Unique Local Addresses, which under certain conditions could point towards unknown devices in the same local network which enables an Attacker to view DNS queries made by the device. • https://developers.cloudflare.com/warp-client https://github.com/cloudflare/advisories/security/advisories/GHSA-mv6g-7577-vq4w https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1862 – Remote access to warp-svc.exe in Cloudflare WARP
https://notcve.org/view.php?id=CVE-2023-1862
Cloudflare WARP client for Windows (up to v2023.3.381.0) allowed a malicious actor to remotely access the warp-svc.exe binary due to an insufficient access control policy on an IPC Named Pipe. This would have enabled an attacker to trigger WARP connect and disconnect commands, as well as obtaining network diagnostics and application configuration from the target's device. It is important to note that in order to exploit this, a set of requirements would need to be met, such as the target's device must've been reachable on port 445, allowed authentication with NULL sessions or otherwise having knowledge of the target's credentials. • https://developers.cloudflare.com/warp-client/get-started/windows https://github.com/cloudflare/advisories/security/advisories/GHSA-q55r-53c8-5642 https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0652 – Local Privilege Escalation in Cloudflare WARP Installer (Windows)
https://notcve.org/view.php?id=CVE-2023-0652
Due to a hardlink created in the ProgramData folder during the repair process of the software, the installer (MSI) of WARP Client for Windows (<= 2022.12.582.0) allowed a malicious attacker to forge the destination of the hardlink and escalate privileges, overwriting SYSTEM protected files. As Cloudflare WARP client for Windows (up to version 2022.5.309.0) allowed creation of mount points from its ProgramData folder, during installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files. • https://developers.cloudflare.com/warp-client/get-started/windows https://github.com/cloudflare/advisories/security/advisories/GHSA-xmhj-9p83-xvw9 https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1412 – Local Privilege Escalation Vulnerability in WARP's MSI Installer
https://notcve.org/view.php?id=CVE-2023-1412
An unprivileged (non-admin) user can exploit an Improper Access Control vulnerability in the Cloudflare WARP Client for Windows (<= 2022.12.582.0) to perform privileged operations with SYSTEM context by working with a combination of opportunistic locks (oplock) and symbolic links (which can both be created by an unprivileged user). After installing the Cloudflare WARP Client (admin privileges required), an MSI-Installer is placed under C:\Windows\Installer. The vulnerability lies in the repair function of this MSI. ImpactAn unprivileged (non-admin) user can exploit this vulnerability to perform privileged operations with SYSTEM context, including deleting arbitrary files and reading arbitrary file content. This can lead to a variety of attacks, including the manipulation of system files and privilege escalation. PatchesA new installer with a fix that addresses this vulnerability was released in version 2023.3.381.0. While the WARP Client itself is not vulnerable (only the installer), users are encouraged to upgrade to the latest version and delete any older installers present in their systems. • https://developers.cloudflare.com/warp-client/get-started/windows https://github.com/cloudflare/advisories/security/advisories/GHSA-hgxh-48m3-3gq7 https://install.appcenter.ms/orgs/cloudflare/apps/1.1.1.1-windows-1/distribution_groups/release • CWE-59: Improper Link Resolution Before File Access ('Link Following') •