08:48 AM

CSRF Bug Runs Rampant

Vulnerability found in Check Point, various firewalls, UTM appliances, routers, storage systems, and other devices managed with Web interfaces

It was only a matter of time before the cross-site request forgery (CSRF) floodgates would open: A security appliance firm has found the wily bug in products from eight security vendors, including Check Point Software's Safe@Office Unified Threat Management device, versions 7.0.39X and prior. (See Eight Vulnerabilities You May Have Missed, CSRF Vulnerability: A 'Sleeping Giant', and Killer Combo: XSS + CSRF.)

Check Point, which today issued a patch for the bug within its 7.0.45 release of the product, is the only vendor so far to officially respond to the CSRF discovery found by Calyptix Security, a tiny Charlotte, N.C.-based supplier of all-in-one security appliances for SMBs.

Dan Weber, the Calyptix security engineer who found the CSRF bugs, says the company only got automated responses thanking it from the other security vendors it contacted. Citing his company's responsible disclosure policy, he wouldn't name the other affected vendors, but he did say one is a UTM vendor that says it has sold over one million devices.

CSRF is found in most everything with a Web-based interface, including printers, firewalls, DSL routers, and IP phones, says Jeremiah Grossman, CTO of WhiteHat Security and a CSRF expert. "Just about every important feature on every Website and Web-interface is likely to be vulnerable," he says.

But little research has been done on CSRF to date, and it's mostly been considered a sleeping giant, overshadowed by the easier to detect and exploit cross-site scripting (XSS) bug, also found in most Websites. CSRF is found in the Web interface of the security device, Calyptix's Weber says.

Weber first found the bug in one of Calyptix's competitor's appliances, and decided to see if it was present in other boxes. "Within an hour, I had an exploit written that if you logged onto that device, it opened up remote management on the machine." Calyptix's appliance did not contain the bug, he says.

All it takes is one malicious site to be open at the same time the Web interface is, and the attacker can gain access to your network, he says. Or if an attacker submits a malicious "form" to your device via JavaScript, you can get owned as well. The attacker then can pose (invisibly) as the user and run commands on the device, creating new VPN tunnels, adding users, changing passwords, and taking over the administration of the box.

Or, in the case of a home router still sporting its out-of-the-box default password, all an attacker would have to do is log onto the device and infect it (and then the user) with CSRF. That would let an attacker do things like conduct nefarious transactions on behalf of the user.

In Check Point's case, CSRF was possible when a user was logged onto https://my.firewall at the same time he or she was connected to a malicious Website, according to the company's patch release information.

The discovery of CSRF in multiple security products may finally be the wake-up call the industry has needed to realize the prevalence of CSRF as well as the risks. Or it may still fall on deaf ears, some experts argue.

"The security industry is compelled to practice what it preaches," Grossman says, although he's not sure today's revelations will improve things. "We've seen people find vulnerabilities in antivirus products for a while. Network devices with Web interfaces will be no different."

Ben Yarbrough, Calyptix's CEO, says that this bug is likely to be found across a broad spectrum of these security vendors' products, so its scope is likely larger. "We think this has been an overlooked vulnerability the industry needs to focus on," he says.

Calyptix also issued a list of measures to protect against CSRF, including fixing XSS bugs, and adding a session cookie with every Web form, Weber says.
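One way a device's Web interface could implement the per-form session value Calyptix recommends, shown as an added example that is not from the article or from any vendor named in it. It assumes the measure means a hidden form field derived from the session; the names `handle_post`, `csrf_token` and `remote_mgmt` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a per-boot server secret and an in-memory session table.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> settings the admin UI is allowed to change


def login():
    """Create an admin session; the id is what the browser keeps as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"remote_mgmt": False}
    return sid


def form_token(sid):
    """Value the server embeds as a hidden field in every form for this session."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def handle_post(cookies, form):
    """State-changing request to a hypothetical remote-management setting.

    Returns an HTTP-style status code. The cookie alone is never sufficient,
    because the browser attaches it to cross-site requests automatically.
    """
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401
    supplied = form.get("csrf_token", "")
    # Constant-time comparison of the submitted field with the expected value.
    if not hmac.compare_digest(supplied.encode(), form_token(sid).encode()):
        return 403  # no token, or a token issued to a different session
    SESSIONS[sid]["remote_mgmt"] = form.get("remote_mgmt") == "on"
    return 200


def demo():
    admin, other = login(), login()
    cookie = {"session": admin}
    forged = handle_post(cookie, {"remote_mgmt": "on"})  # cookie only, no field
    wrong = handle_post(cookie, {"remote_mgmt": "on", "csrf_token": form_token(other)})
    unchanged = SESSIONS[admin]["remote_mgmt"]
    genuine = handle_post(cookie, {"remote_mgmt": "on", "csrf_token": form_token(admin)})
    return forged, wrong, unchanged, genuine, SESSIONS[admin]["remote_mgmt"]


if __name__ == "__main__":
    print(demo())
```

The hidden field only holds up if the interface is also free of XSS, since script running in the device's own origin can read the field out of the form; that is why fixing XSS bugs appears in the same list.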

Weber says the company ranked Check Point's CSRF bug as a "medium" threat, while the bugs in other vendors' products rank from low to high, depending on how the product is used.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
