Lock WARP switch bypass on WARP mobile client using iOS quick action

Vulnerability

The Lock Warp switch feature in Cloudflare Zero Trust is designed to prevent users of enrolled devices from disabling the WARP client. However, due to insufficient policy verification in the WARP iOS client, this feature can be bypassed by using the "Disable WARP" quick action. The vulnerability affects WARP mobile client on iOS versions prior to 6.14 [1].

Exploitation

An attacker with physical access to an enrolled iOS device, or the device user themselves, can bypass the Lock Warp switch policy by simply tapping the "Disable WARP" quick action. No authentication or special network position is required beyond having the device unlocked [1].

Impact

Successful exploitation allows the user to disable the WARP client, effectively bypassing the Zero Trust security policy. This can lead to loss of network filtering, data loss prevention, and other security controls enforced by WARP, potentially exposing the device and organization to threats [1].

Mitigation

The issue was fixed in WARP iOS client version 6.14. Users should update to this version or later. No workaround is available for earlier versions [1].