Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:48 AM
Connect Directly

CSRF Bug Runs Rampant

Vulnerabilty found in Check Point, various firewalls, UTM appliances, routers, storage systems, and other devices managed with Web interfaces

It was only a matter of time before the cross-site request forgery (CSRF) floodgates would open: A security appliance firm has found the wily bug in products from eight security vendors, including Check Point Software's [email protected] Unified Threat Management device, versions 7.0.39X and prior. (See Eight Vulnerabilities You May Have Missed), CSRF Vulnerability: A 'Sleeping Giant' and Killer Combo: XSS + CSRF.)

Check Point, which today issued a patch for the bug within its 7.0.45 release of the product, is the only vendor so far to officially respond to the CSRF discovery found by Calyptix Security, a tiny Charlotte, N.C.-based supplier of all-in-one security appliances for SMBs.

Dan Weber, the Calyptix security engineer who found the CSRF bugs, says the company only got automated responses thanking it from the other security vendors it contacted. Citing his company's responsible disclosure policy, he wouldn't name the other affected vendors, but he did say one is a UTM vendor that says it has sold over one million devices.

CSRF is found in most everything with a Web-based interface, including printers, firewalls, DSL routers, and IP phones, says Jeremiah Grossman, CTO of WhiteHat Security and a CSRF expert. "Just about every important feature on every Website and Web-interface is likely to be vulnerable," he says.

But little research has been done on CSRF to date, and it's mostly been considered a sleeping giant, overshadowed by the easier to detect and exploit cross-site scripting (XSS) bug, also found in most Websites. CSRF is found in the Web interface of the security device, Calyptix's Weber says.

Weber first found the bug in one of Calyptix's competitor's appliances, and decided to see if it was present in other boxes. "Within an hour, I had an exploit written that if you logged onto that device, it opened up remote management on the machine." Calyptix's appliance did not contain the bug, he says.

All it takes is one malicious site to be open at the same time the Web interface is, and the attacker can gain access to your network, he says. Or if an attacker submits a malicious "form" to your device via JavaScript, you can get owned as well. The attacker then can pose (invisibly) as the user and run commands on the device, creating new VPN tunnels, adding users, changing passwords, and taking over the administration of the box.

Or in the case of a home router still sporting its out-of-the-box default password, for instance, all an attacker would have to do is log onto the device and infect it (and then the user) with CSRF. That would let an attacker do things like conduct nefarious transactions on behalf of the user, for instance.

In Check Point's case, CSRF was possible when a user was logged onto https://my.firewall at the same time he or she was connected to a malicious Website, according to the company's patch release information.

The discovery of CSRF in multiple security products may finally be the wake-up call the industry has needed to realize the prevalence of CSRF as well as the risks. Or it may still fall on deaf ears, some experts argue.

"The security industry is compelled to practice what it preaches," Grossman says, although he's not sure today's revelations will improve things. "We've seen people find vulnerabilities in antivirus products for a while. Network devices with Web interfaces will be no different."

Ben Yarbrough, Calyptix's CEO, says that this bug is likely to be found across a broad spectrum of these security vendors' products, so its scope is likely larger. "We think this has been an overlooked vulnerability the industry needs to focus on," he says.

Calyptix also issued a list of measures to protect against CSRF, including fixing XSS bugs, and adding a session cookie with every Web form, Weber says.

Weber says the company ranked Check Point's CSRF bug as a "medium" threat, but other vendors, low to high, depending on how the product is used.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Calyptix Security Corp.

  • Check Point Software Technologies Ltd. (Nasdaq: CHKP)

    Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    RDP Bug Takes New Approach to Host Compromise
    Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
    The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
    Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Building and Managing an IT Security Operations Program
    As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
    Flash Poll
    The State of IT Operations and Cybersecurity Operations
    The State of IT Operations and Cybersecurity Operations
    Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-07-23
    ServiceStack ServiceStack Framework 4.5.14 is affected by: Cross Site Scripting (XSS). The impact is: JavaScrpit is reflected in the server response, hence executed by the browser. The component is: the query used in the GET request is prone. The attack vector is: Since there is no server-side valid...
    PUBLISHED: 2019-07-23
    Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the...
    PUBLISHED: 2019-07-23
    Jeesite 1.2.7 is affected by: SQL Injection. The impact is: sensitive information disclosure. The component is: updateProcInsIdByBusinessId() function in src/main/java/com.thinkgem.jeesite/modules/act/ActDao.java has SQL Injection vulnerability. The attack vector is: network connectivity,authenticat...
    PUBLISHED: 2019-07-23
    GNUBOARD5 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/config_form_update.php cf_1~10 parameter.
    PUBLISHED: 2019-07-23
    GNUBOARD5 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board head contents" parameter, aka the adm/board_form_update.php bo_content_head parameter.