Security Appliance Vendors Blasé About CSRF Flaws

News Analysis: Researchers say security appliance makers are being lax about fixing an arcane vulnerability.

Security appliance makers are shrugging off CSRF (cross-site request forgery) vulnerabilities in their products—products that sit at the crossroads of enterprise protection. The vulnerable appliances, unified threat management products, "certainly are an important part of an enterprises security," said Billy Hoffman, lead researcher for SPI Dynamics SPI Labs, in Atlanta. "Im kind of surprised [that appliance vendors have been dismissive of the CSRF flaws]—Id be surprised if there were not people inside the [organizations] that are saying, We need to fix this." On July 26, security firm Calyptix announced the CSRF flaws, which the company said it had found on eight vendors UTM appliances. Check Point, one of the eight vendors, on the same day announced an update to multiple versions of its Safe@Office UTM device that had been vulnerable to the problem.
Of the seven other UTM vendors, reaction has been close to nil. Only one told eWEEK that the vulnerability had been addressed, and another told Calyptix that the vulnerability is being investigated. While their products remain vulnerable—or, at the least, until the vendors respond to eWEEKs queries as to whether theyre investigating and can confirm or deny their products vulnerability—Calyptix and eWEEK are refraining from naming the vendors, in the spirit of responsible disclosure. One vendor whose spokesman said the vulnerability has been fixed, eSoft, was irked enough by Calyptixs claims to file a complaint against the company with CERT. "Not sure what [Calyptix is] up to, but they definitely did not do their homework," said the spokesman, in an e-mail exchange. "We complained to CERT, because [Calyptix] cried wolf to CERT as well." The spokesman said that eSoft has already fixed the CSRF vulnerability, although he told eWEEK he couldnt recall when. Click here to read more about how the cross-site request forgery vulnerability was uncovered in multiple security appliances. According to the spokesman, eSofts engineering team tracked down Calyptixs version of the companys InstaGate security appliance and discovered it was a custom build for a former customer. Calyptix had, in fact, bought it off eBay, according to Calyptix CEO Been Yarbrough. A spokesman for another one of those vendors dismissed the CSRF vulnerability, telling eWEEK that its near-impossible to exploit. Web application security experts agree. CSRF flaws are tough to exploit, necessitating an attacker on one end and on the other end a user who gets lured to a maliciously crafted site and who also leaves a browser window open for the malicious site to commandeer. The problem isnt the ease of the exploit, though—the real concern is the serious damage a successful exploit can cause. "If you can do [a successful CSRF], youll win, but theres not a good chance youre going to do it," Hoffman said. "But that by no means limits the risk. The risk is there, [even if] the potential is low." Web application security firm Aspect Security, for example, has used CSRF flaws in the lab to transfer money out of online checking accounts. "Its not a difficult attack," Jeff Williams, chair of OWASP (Open Web Application Security Project) and CEO of Aspect Security, in Columbia, Md., told eWEEK. "We have a tool that lets you release these attacks fairly quickly. You record a transaction, save it as a Web page, post it on the Internet, and anybody who views it, while logged into the victims site, the attack will run. You could put attacks for the top 100 banks on one page. If youre logged into any one of those pages, it will work, silently and under cover, and the user will never know." CSRF attacks can be automated to perform such multistep transactions by putting each step of the transaction as a chunk of HTML code into a separate page of a malicious site. When a user views the crafted site, each step of the attack fires, in order. Delays are also built in between the steps to account for the processing time Web transactions require—to churn through a request and post a confirmation message, for example. The online account transaction attack Aspect pulled off entailed seven steps. Click here to read more about the introduction of Check Points latest UTM appliances. Such attacks, which as yet havent been seen outside of PoC (proof-of-concept) code, are silent and undetectable, running invisibly in the background. Of particular concern with CSRF flaws on a UTM device are that attackers can do such things as open up remote access through a VPN tunnel. Through a separate but substantially worse vulnerability, an attacker logged in as a legitimate user—a browser window cant detect a legitimate user from a fraudulent one without the use of tokens—can also change the administrator password without knowing the existing password. The particulars of the CSRF vulnerability—also known as one-click attacks or session riding—on UTM devices differ according to product. With Check Point, the vulnerability would have allowed an attacker to run commands on the Web interface of UTM devices if he or she could get the Check Point user to view a hostile Web page while logged into a Check Point device. Next Page: Targets of opportunity.