It was only a matter of time before the cross-site request forgery (CSRF) floodgates would open: A security appliance firm has found the wily bug in products from eight security vendors, including Check Point Software's Safe@Office Unified Threat Management device, versions 7.0.39X and prior. (See Eight Vulnerabilities You May Have Missed), CSRF Vulnerability: A 'Sleeping Giant' and Killer Combo: XSS + CSRF.)

Check Point, which today issued a patch for the bug within its 7.0.45 release of the product, is the only vendor so far to officially respond to the CSRF discovery found by Calyptix Security, a tiny Charlotte, N.C.-based supplier of all-in-one security appliances for SMBs.

Dan Weber, the Calyptix security engineer who found the CSRF bugs, says the company only got automated responses thanking it from the other security vendors it contacted. Citing his company's responsible disclosure policy, he wouldn't name the other affected vendors, but he did say one is a UTM vendor that says it has sold over one million devices.

CSRF is found in most everything with a Web-based interface, including printers, firewalls, DSL routers, and IP phones, says Jeremiah Grossman, CTO of WhiteHat Security and a CSRF expert. "Just about every important feature on every Website and Web-interface is likely to be vulnerable," he says.

But little research has been done on CSRF to date, and it's mostly been considered a sleeping giant, overshadowed by the easier to detect and exploit cross-site scripting (XSS) bug, also found in most Websites. CSRF is found in the Web interface of the security device, Calyptix's Weber says.

Weber first found the bug in one of Calyptix's competitor's appliances, and decided to see if it was present in other boxes. "Within an hour, I had an exploit written that if you logged onto that device, it opened up remote management on the machine." Calyptix's appliance did not contain the bug, he says.

All it takes is one malicious site to be open at the same time the Web interface is, and the attacker can gain access to your network, he says. Or if an attacker submits a malicious "form" to your device via JavaScript, you can get owned as well. The attacker then can pose (invisibly) as the user and run commands on the device, creating new VPN tunnels, adding users, changing passwords, and taking over the administration of the box.

Or in the case of a home router still sporting its out-of-the-box default password, for instance, all an attacker would have to do is log onto the device and infect it (and then the user) with CSRF. That would let an attacker do things like conduct nefarious transactions on behalf of the user, for instance.

In Check Point's case, CSRF was possible when a user was logged onto https://my.firewall at the same time he or she was connected to a malicious Website, according to the company's patch release information.

The discovery of CSRF in multiple security products may finally be the wake-up call the industry has needed to realize the prevalence of CSRF as well as the risks. Or it may still fall on deaf ears, some experts argue.

"The security industry is compelled to practice what it preaches," Grossman says, although he's not sure today's revelations will improve things. "We've seen people find vulnerabilities in antivirus products for a while. Network devices with Web interfaces will be no different."

Ben Yarbrough, Calyptix's CEO, says that this bug is likely to be found across a broad spectrum of these security vendors' products, so its scope is likely larger. "We think this has been an overlooked vulnerability the industry needs to focus on," he says.

Calyptix also issued a list of measures to protect against CSRF, including fixing XSS bugs, and adding a session cookie with every Web form, Weber says.

Weber says the company ranked Check Point's CSRF bug as a "medium" threat, but other vendors, low to high, depending on how the product is used.

— Kelly Jackson Higgins, Senior Editor, Dark Reading