
CSRF Bug Runs Rampant

Vulnerability found in Check Point, various firewalls, UTM appliances, routers, storage systems, and other devices managed with Web interfaces

It was only a matter of time before the cross-site request forgery (CSRF) floodgates would open: A security appliance firm has found the wily bug in products from eight security vendors, including Check Point Software's [email protected] Unified Threat Management device, versions 7.0.39X and prior. (See Eight Vulnerabilities You May Have Missed, CSRF Vulnerability: A 'Sleeping Giant', and Killer Combo: XSS + CSRF.)

Check Point, which today issued a patch for the bug within its 7.0.45 release of the product, is the only vendor so far to officially respond to the CSRF discovery found by Calyptix Security, a tiny Charlotte, N.C.-based supplier of all-in-one security appliances for SMBs.

Dan Weber, the Calyptix security engineer who found the CSRF bugs, says the company only got automated responses thanking it from the other security vendors it contacted. Citing his company's responsible disclosure policy, he wouldn't name the other affected vendors, but he did say one is a UTM vendor that says it has sold over one million devices.

CSRF is found in most everything with a Web-based interface, including printers, firewalls, DSL routers, and IP phones, says Jeremiah Grossman, CTO of WhiteHat Security and a CSRF expert. "Just about every important feature on every Website and Web-interface is likely to be vulnerable," he says.

But little research has been done on CSRF to date, and it's mostly been considered a sleeping giant, overshadowed by the easier to detect and exploit cross-site scripting (XSS) bug, also found in most Websites. CSRF is found in the Web interface of the security device, Calyptix's Weber says.

Weber first found the bug in one of Calyptix's competitor's appliances, and decided to see if it was present in other boxes. "Within an hour, I had an exploit written that if you logged onto that device, it opened up remote management on the machine." Calyptix's appliance did not contain the bug, he says.

All it takes is one malicious site to be open at the same time the Web interface is, and the attacker can gain access to your network, he says. Or if an attacker submits a malicious "form" to your device via JavaScript, you can get owned as well. The attacker then can pose (invisibly) as the user and run commands on the device, creating new VPN tunnels, adding users, changing passwords, and taking over the administration of the box.

Or in the case of a home router still sporting its out-of-the-box default password, for instance, all an attacker would have to do is log onto the device and infect it (and then the user) with CSRF. That would let an attacker do things like conduct nefarious transactions on behalf of the user, for instance.

In Check Point's case, CSRF was possible when a user was logged onto https://my.firewall at the same time he or she was connected to a malicious Website, according to the company's patch release information.

The discovery of CSRF in multiple security products may finally be the wake-up call the industry has needed to realize the prevalence of CSRF as well as the risks. Or it may still fall on deaf ears, some experts argue.

"The security industry is compelled to practice what it preaches," Grossman says, although he's not sure today's revelations will improve things. "We've seen people find vulnerabilities in antivirus products for a while. Network devices with Web interfaces will be no different."

Ben Yarbrough, Calyptix's CEO, says that this bug is likely to be found across a broad spectrum of these security vendors' products, so its scope is likely larger. "We think this has been an overlooked vulnerability the industry needs to focus on," he says.

Calyptix also issued a list of measures to protect against CSRF, including fixing XSS bugs, and adding a session cookie with every Web form, Weber says.
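The per-form measure described above, sketched as a server-side check for a device's Web management interface. This is an added example, not code from Calyptix, Check Point, or the article; it assumes the measure means a per-session secret token carried in a hidden field of every form, and the function names, the `csrf_token` and `remote_mgmt` field names, and the sample session values are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-boot secret held only by the device
OWN_ORIGIN = "https://my.firewall"     # management address quoted in the article
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def issue_form_token(session_id: str) -> str:
    """Per-session token, rendered as a hidden field in every admin form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def is_request_allowed(method, session_id, form, headers):
    """Return True only if a state-changing request came from our own form."""
    if method in SAFE_METHODS:
        return True  # assumes safe methods never change configuration
    # The session cookie alone proves nothing: the browser attaches it to
    # cross-site submissions too. The form must also carry the token.
    supplied = form.get("csrf_token", "")
    expected = issue_form_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    # Defence in depth: when the browser sends Origin, it must be our own.
    origin = headers.get("Origin")
    return origin is None or origin == OWN_ORIGIN

def demo():
    """Run constructed sample requests through the check."""
    session = "constructed-session-id-1234"            # constructed value
    good = {"remote_mgmt": "off", "csrf_token": issue_form_token(session)}
    no_token = {"remote_mgmt": "on"}                   # cookie rides along, no token
    other = {"remote_mgmt": "on", "csrf_token": issue_form_token("other-session")}
    return {
        "own_form": is_request_allowed("POST", session, good, {"Origin": OWN_ORIGIN}),
        "missing_token": is_request_allowed("POST", session, no_token, {}),
        "other_sessions_token": is_request_allowed("POST", session, other, {}),
        "foreign_origin": is_request_allowed(
            "POST", session, good, {"Origin": "https://other.example"}),
        "read_only_get": is_request_allowed("GET", session, {}, {}),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:22} {'allowed' if allowed else 'rejected'}")
```

The token only holds up if the interface is also free of XSS, since script running in the admin page can read the hidden field, which is why fixing XSS bugs appears on the same list of measures.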

Weber says the company ranked Check Point's CSRF bug as a "medium" threat, and rated the other vendors' bugs anywhere from low to high, depending on how the product is used.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
