Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:48 AM
Connect Directly

CSRF Bug Runs Rampant

Vulnerabilty found in Check Point, various firewalls, UTM appliances, routers, storage systems, and other devices managed with Web interfaces

It was only a matter of time before the cross-site request forgery (CSRF) floodgates would open: A security appliance firm has found the wily bug in products from eight security vendors, including Check Point Software's [email protected] Unified Threat Management device, versions 7.0.39X and prior. (See Eight Vulnerabilities You May Have Missed), CSRF Vulnerability: A 'Sleeping Giant' and Killer Combo: XSS + CSRF.)

Check Point, which today issued a patch for the bug within its 7.0.45 release of the product, is the only vendor so far to officially respond to the CSRF discovery found by Calyptix Security, a tiny Charlotte, N.C.-based supplier of all-in-one security appliances for SMBs.

Dan Weber, the Calyptix security engineer who found the CSRF bugs, says the company only got automated responses thanking it from the other security vendors it contacted. Citing his company's responsible disclosure policy, he wouldn't name the other affected vendors, but he did say one is a UTM vendor that says it has sold over one million devices.

CSRF is found in most everything with a Web-based interface, including printers, firewalls, DSL routers, and IP phones, says Jeremiah Grossman, CTO of WhiteHat Security and a CSRF expert. "Just about every important feature on every Website and Web-interface is likely to be vulnerable," he says.

But little research has been done on CSRF to date, and it's mostly been considered a sleeping giant, overshadowed by the easier to detect and exploit cross-site scripting (XSS) bug, also found in most Websites. CSRF is found in the Web interface of the security device, Calyptix's Weber says.

Weber first found the bug in one of Calyptix's competitor's appliances, and decided to see if it was present in other boxes. "Within an hour, I had an exploit written that if you logged onto that device, it opened up remote management on the machine." Calyptix's appliance did not contain the bug, he says.

All it takes is one malicious site to be open at the same time the Web interface is, and the attacker can gain access to your network, he says. Or if an attacker submits a malicious "form" to your device via JavaScript, you can get owned as well. The attacker then can pose (invisibly) as the user and run commands on the device, creating new VPN tunnels, adding users, changing passwords, and taking over the administration of the box.

Or in the case of a home router still sporting its out-of-the-box default password, for instance, all an attacker would have to do is log onto the device and infect it (and then the user) with CSRF. That would let an attacker do things like conduct nefarious transactions on behalf of the user, for instance.

In Check Point's case, CSRF was possible when a user was logged onto https://my.firewall at the same time he or she was connected to a malicious Website, according to the company's patch release information.

The discovery of CSRF in multiple security products may finally be the wake-up call the industry has needed to realize the prevalence of CSRF as well as the risks. Or it may still fall on deaf ears, some experts argue.

"The security industry is compelled to practice what it preaches," Grossman says, although he's not sure today's revelations will improve things. "We've seen people find vulnerabilities in antivirus products for a while. Network devices with Web interfaces will be no different."

Ben Yarbrough, Calyptix's CEO, says that this bug is likely to be found across a broad spectrum of these security vendors' products, so its scope is likely larger. "We think this has been an overlooked vulnerability the industry needs to focus on," he says.

Calyptix also issued a list of measures to protect against CSRF, including fixing XSS bugs, and adding a session cookie with every Web form, Weber says.

Weber says the company ranked Check Point's CSRF bug as a "medium" threat, but other vendors, low to high, depending on how the product is used.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Calyptix Security Corp.

  • Check Point Software Technologies Ltd. (Nasdaq: CHKP)

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    NSA Appoints Rob Joyce as Cyber Director
    Dark Reading Staff 1/15/2021
    Vulnerability Management Has a Data Problem
    Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: This is not what I meant by "I would like to share some desk space"
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-01-21
    Possible memory out of bound issue during music playback when an incorrect bit stream content is copied into array without checking the length of array in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobi...
    PUBLISHED: 2021-01-21
    Local privilege escalation in admin services in Windows environment can occur due to an arbitrary read issue in XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    PUBLISHED: 2021-01-21
    Possible out of bound memory access in audio due to integer underflow while processing modified contents in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon We...
    PUBLISHED: 2021-01-21
    Memory corruption while calculating L2CAP packet length in reassembly logic when remote sends more data than expected in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Weara...
    PUBLISHED: 2021-01-21
    Arbitrary read and write to kernel addresses by temporarily overwriting ring buffer pointer and creating a race condition. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon ...