Lock WARP switch bypass by removing VPN profile on iOS mobile client
Description
It was possible for a user to delete a VPN profile from the WARP mobile client on iOS despite the Lock WARP switch feature (https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch) being enabled on the Zero Trust platform. This bypassed the policies and restrictions that the Zero Trust platform enforces for enrolled devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A vulnerability in Cloudflare WARP for iOS allowed deletion of VPN profiles, bypassing the Lock WARP policy; it was fixed in v6.15.
Vulnerability
A vulnerability in the Cloudflare WARP mobile client for iOS (versions prior to 6.15) allowed a user to delete the VPN profile even when the "Lock WARP switch" feature was enabled in the Zero Trust Platform. The lock feature is designed to prevent enrolled devices from disabling WARP, but the profile deletion mechanism was not properly gated by this policy. The issue is described in reference [1].
Exploitation
An attacker with local access to an enrolled iOS device could navigate to the VPN profile settings and remove the WARP configuration. No additional authentication or privileges beyond normal user access to the device's settings are required, as the WARP client did not enforce the lock on profile deletion. The steps involve going to iOS Settings > General > VPN & Device Management and deleting the WARP profile [1].
Impact
Successful exploitation bypasses the WARP connection policy enforced by the Zero Trust platform, allowing the device to disable traffic routing through Cloudflare's network. This breaks the Zero Trust security posture, potentially exposing the device and network to threats that would otherwise be mitigated by the enforced security controls [1].
Mitigation
The issue was fixed in WARP iOS mobile client version 6.15, released on September 27, 2022. Users should update to this version or later via the Apple App Store. No workaround is available for affected versions, and the update is the only mitigation [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- Cloudflare/WARP v5 Range: 0
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.