Lock WARP switch feature bypass on WARP mobile client for iOS
Description
It was possible to bypass the Lock WARP switch feature (https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch) on the WARP iOS mobile client by enabling both the "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at once in the application settings. Such a configuration caused the WARP client to disconnect and allowed the user to bypass restrictions and policies enforced by the Zero Trust platform.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bypass of Lock WARP switch on Cloudflare WARP iOS client by enabling both 'Disable for cellular' and 'Disable for Wi-Fi' switches simultaneously.
Vulnerability
The Cloudflare WARP iOS mobile client (before version 6.14) contains a logic flaw in the Lock WARP switch feature, as described in [1]. When both the "Disable for cellular networks" and "Disable for Wi-Fi networks" toggles are enabled in the application settings, the WARP client disconnects from the VPN. This bypasses the restriction that is meant to lock the WARP switch so that users cannot disable it. The vulnerability is specific to versions of the iOS client prior to 6.14 and requires local access to the device settings.
Exploitation
An attacker with physical or remote access to the iOS device's settings (e.g., a user under Zero Trust policies) can exploit this by navigating to the WARP app settings and enabling both the "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at the same time. This sequence causes the WARP client to disconnect from the VPN, bypassing the Lock WARP switch enforcement. No additional authentication or network position is required beyond normal device access [1].
Impact
Successful exploitation allows the user to disable the WARP VPN connection, thereby bypassing security policies and restrictions enforced by Cloudflare Zero Trust. This results in a loss of network protection and policy enforcement, potentially leading to unauthorized access or data exfiltration from the device [1].
Mitigation
Cloudflare released a fix in version 6.14 of the iOS mobile client [1]. Users should update to version 6.14 or later. No workarounds are mentioned in the advisory. Ensure automatic updates are enabled or manually check for the latest version from the App Store.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Cloudflare/WARPv5Range: 0
Patches
No patches discovered yet.
References