Lock WARP switch bypass using warp-cli 'add-trusted-ssid' command

Vulnerability

The vulnerability resides in the Cloudflare WARP client's warp-cli tool. The add-trusted-ssid command, intended for managing trusted SSIDs, can be abused to disconnect the WARP client and bypass the "Lock WARP switch" feature. This allows a user to disable the WARP client, preventing enforcement of Zero Trust policies. Affected versions include Cloudflare WARP client versions prior to the fix released in October 2022 [1].

Exploitation

An attacker with local access to the endpoint can execute the warp-cli add-trusted-ssid command. No authentication beyond local user privileges is required. The attacker can disconnect the WARP client, effectively disabling the VPN and bypassing the Lock WARP switch. The attack does not require user interaction or network access [1].

Impact

Successful exploitation allows the attacker to bypass Zero Trust policies enforced by Cloudflare Secure Web Gateway. This results in loss of confidentiality and integrity as network traffic is no longer inspected or filtered. The attacker can access resources without policy enforcement, potentially exposing sensitive data or allowing malicious activity [1].

Mitigation

Cloudflare released a fix in October 2022. Users should update the WARP client to the latest version. There is no known workaround; updating is the recommended mitigation. The vulnerability is not listed on CISA's KEV [1].