The Cloudflare Blog

Subscribe to receive notifications of new posts:

Protection against critical Windows vulnerability (CVE-2015-1635)

2015-04-15

Ben Cartwright-Cox

1 min read

A few hours ago, more details surfaced about the MS15-034 vulnerability. Simple PoC code has been widely published that will hang a Windows web server if sent a request with an HTTP Range header containing large byte offsets.

We have rolled out a WAF rule that blocks these requests.

Customers on a paid plan and who have the WAF enabled are automatically protected against this problem. It is highly recommended that you upgrade your IIS and your Windows servers as soon as possible; in the meantime any requests coming into CloudFlare that try and exploit this DoS/RCE will be blocked.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.

Vulnerabilities WAF Rules WAF

Follow on X

Cloudflare|@cloudflare

August 12, 2024 2:00 PM

Advancing Threat Intelligence: JA4 fingerprints and inter-request signals

Explore how Cloudflare's JA4 fingerprinting and inter-request signals provide robust and scalable insights for advanced web security and threat detection. ...

Alex Bocharov,
Adam Martinetti

Bot Management, Threat Intelligence, WAF, Application Services

July 25, 2024 1:00 PM

Making WAF ML models go brrr: saving decades of processing time

In this post, we discuss the performance optimizations we've implemented for our WAF ML product. We'll guide you through specific code examples and benchmark numbers, and we'll share the impressive latency reduction numbers observed after the rollout...

Alex Bocharov

Machine Learning, WAF, Performance, Optimization, Rust, AI WAF, WAF Attack Score

July 11, 2024 5:00 PM

Application Security report: 2024 update

Cloudflare’s updated 2024 view on Internet cyber security trends spanning global traffic insights, bot traffic insights, API traffic insights, and client-side risks...

Application Security, WAF, Bot Management, API

July 09, 2024 12:00 PM

RADIUS/UDP vulnerable to improved MD5 collision attack

The RADIUS protocol is commonly used to control administrative access to networking gear. Despite its importance, RADIUS hasn’t changed much in decades. We discuss an attack on RADIUS as a case study for why it’s important for legacy protocols to keep up with advancements in cryptography...

Vulnerabilities