Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Security Appliance Vendors Blasé About CSRF Flaws



 By: Lisa Vaas
2007-07-03
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Security Appliance Vendors Blasé About CSRF Flaws
  2. ' Inviting Targets '

Rate This Article:
Poor Best
Security Appliance Vendors Blasé About CSRF Flaws
( Page 1 of 2 )

News Analysis: Researchers say security appliance makers are being lax about fixing an arcane vulnerability.Security appliance makers are shrugging off CSRF (cross-site request forgery) vulnerabilities in their products—products that sit at the crossroads of enterprise protection.

The vulnerable appliances, unified threat management products, "certainly are an important part of an enterprises security," said Billy Hoffman, lead researcher for SPI Dynamics SPI Labs, in Atlanta. "Im kind of surprised [that appliance vendors have been dismissive of the CSRF flaws]—Id be surprised if there were not people inside the [organizations] that are saying, We need to fix this."

On July 26, security firm Calyptix announced the CSRF flaws, which the company said it had found on eight vendors UTM appliances. Check Point, one of the eight vendors, on the same day announced an update to multiple versions of its Safe@Office UTM device that had been vulnerable to the problem.

Of the seven other UTM vendors, reaction has been close to nil. Only one told eWEEK that the vulnerability had been addressed, and another told Calyptix that the vulnerability is being investigated. While their products remain vulnerable—or, at the least, until the vendors respond to eWEEKs queries as to whether theyre investigating and can confirm or deny their products vulnerability—Calyptix and eWEEK are refraining from naming the vendors, in the spirit of responsible disclosure.

One vendor whose spokesman said the vulnerability has been fixed, eSoft, was irked enough by Calyptixs claims to file a complaint against the company with CERT. "Not sure what [Calyptix is] up to, but they definitely did not do their homework," said the spokesman, in an e-mail exchange. "We complained to CERT, because [Calyptix] cried wolf to CERT as well."

Resource Library:
The spokesman said that eSoft has already fixed the CSRF vulnerability, although he told eWEEK he couldnt recall when.

Click here to read more about how the cross-site request forgery vulnerability was uncovered in multiple security appliances.

According to the spokesman, eSofts engineering team tracked down Calyptixs version of the companys InstaGate security appliance and discovered it was a custom build for a former customer. Calyptix had, in fact, bought it off eBay, according to Calyptix CEO Been Yarbrough.

A spokesman for another one of those vendors dismissed the CSRF vulnerability, telling eWEEK that its near-impossible to exploit.

Web application security experts agree. CSRF flaws are tough to exploit, necessitating an attacker on one end and on the other end a user who gets lured to a maliciously crafted site and who also leaves a browser window open for the malicious site to commandeer.

The problem isnt the ease of the exploit, though—the real concern is the serious damage a successful exploit can cause.

"If you can do [a successful CSRF], youll win, but theres not a good chance youre going to do it," Hoffman said. "But that by no means limits the risk. The risk is there, [even if] the potential is low."

Web application security firm Aspect Security, for example, has used CSRF flaws in the lab to transfer money out of online checking accounts.

"Its not a difficult attack," Jeff Williams, chair of OWASP (Open Web Application Security Project) and CEO of Aspect Security, in Columbia, Md., told eWEEK. "We have a tool that lets you release these attacks fairly quickly. You record a transaction, save it as a Web page, post it on the Internet, and anybody who views it, while logged into the victims site, the attack will run. You could put attacks for the top 100 banks on one page. If youre logged into any one of those pages, it will work, silently and under cover, and the user will never know."

CSRF attacks can be automated to perform such multistep transactions by putting each step of the transaction as a chunk of HTML code into a separate page of a malicious site. When a user views the crafted site, each step of the attack fires, in order. Delays are also built in between the steps to account for the processing time Web transactions require—to churn through a request and post a confirmation message, for example. The online account transaction attack Aspect pulled off entailed seven steps.

Click here to read more about the introduction of Check Points latest UTM appliances.

Such attacks, which as yet havent been seen outside of PoC (proof-of-concept) code, are silent and undetectable, running invisibly in the background.

Of particular concern with CSRF flaws on a UTM device are that attackers can do such things as open up remote access through a VPN tunnel. Through a separate but substantially worse vulnerability, an attacker logged in as a legitimate user—a browser window cant detect a legitimate user from a fraudulent one without the use of tokens—can also change the administrator password without knowing the existing password.

The particulars of the CSRF vulnerability—also known as one-click attacks or session riding—on UTM devices differ according to product. With Check Point, the vulnerability would have allowed an attacker to run commands on the Web interface of UTM devices if he or she could get the Check Point user to view a hostile Web page while logged into a Check Point device.

Next Page: Targets of opportunity.





  Reader Comments: Security Appliance Vendors Blasé About CSRF Flaws
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


xr80VӮcv ْ˚,*OuEB!)/w^9q_>M -y>]D ~$IM˙k.lJg9[D{{?.GP|gSo92r=z#m)>M3ĩ 55Gl&J~x'AT{j xL5uΚM}ٚ7'x2 X m$8zڀ'jZlZ P8$H.( wm<"a}c $aL49tqr_׽YoבnLo VS7B-b)ڑVP\GFZ<,"J3zĢJ >gSKbоd>9;O|bP+Mz(#1hؕ3Fz קKEw'+jH _܅GlDM Whp -Nկ7#?o!~f[dPp9LwjT{$Z6 I|]8֠Eu6CJ ݖEL_ȻD\KŗG)H73ǚ-4ɌcPu t:9CsfZ[cW)MXRƒ t$u[ϝ5Hr Ca)#p?S%Wi8@r5XSl \MFo4x M2X U >hI,E[!fT}N}%I FQZ#qOCGs>2胎6ml8-ƙ" ,70}Hg@zQI$qp{4ڭ.l=KPI}xX39&z(tH h&r=kIOׇ.[? [ G`r\ɭ5y0kwMGHb1(զρC/Y\7 )@}> nȲc@c~XzK/oǖaBxҜ0uIESsԽ#hƏl}P>HQob< c[HLq?82@&{l`{A3uNP"'Կ 07u9\wT/=\29 UQR }-zv7MAR?Ty v Bdj/h~W.Y 3EXVHdF!zC{١[[3T)w^IY䞅T_9YX XO`n ,Rd8ug6NI 3Xh8ECW4jM;24E֊fۏbucIJەi]jk-T8V7Bj²yc<66`9HM^>L2fˣQ4ӫdJ Ւt> ]{8dOEM~G*+iS#7~4EiZ\-}s4  9P8wSJ$l%K)w=hZz F=> S=`z:L'lBJmw>u - sOѭ,p8*4jkT=Ckab7_E3ka{60g@u\Xlnrp쟶Wה=) Υ_8ͧW6v*> 0f&6Xc˦>oӞWK>hl@dX.)Uql"zd\s˰e0GZ"]Y07MX8F[φOCBE-Hx 3??uPV/zOY,섐+Jc\SOКy]֙;lRf||p݉M% UЀ!as`E . ڀ. Hs}"T0|*UTˈ`mS@@kSU Փ.E^~qV%Ŵ谢Xx}Sː 0gxWyd.>3IR-ʪZJ:_V2p)A7-="Jg\Up{9A;B" r?H_-ϺBN7xlxPym/Oi_2LFdT~!\zRflҡ.wSe1c'ß=jTSc7oa2\ ,Ǹ'~7,Ǥ|e4-tn1c%[´x[2|'@ dѪ9O'A(\0ZVj,aڝNC7E$9`XGpXH[AOpGЍU?F8Z7pթrVgPWt[/ Oyy"/2w O0tGˤCGTT7FogGDoS[Uus:#\Դ"Hw ضRsG?'}Diq=C H\WK(,~w9ـo |\V*Z솣d9CT`|"@-a'd8'߾l[D ‚'T.n\&G7F@"'!Z+53,qvë eVqc^?3Z cS7O{=JL_BP`n&wmOI@ NEw%]ם4}ڻHn!1Aqq^3. ;QaZgq O>*u.ZUWO-m~hc4.[mj2i&A)h]1|̮VsAцۧ0BZ@Ɂ^W6>t.ėtOz+~Jw.R1ARdGMypqu8)Dyy~|ly0amG 'Lkds4+H0 BXzW'^ t%V}Xhr!q6(a4lCꏽ5/Q֭ Bb/3BdOR# (ʑ=`=` ɈVyN α@$B@npkz!NU e,$+e3ғ2p%'&' <&9xDw~mlb~C<B<Mq<& ]l=8Y,lrl%uF;LzdNlp lwycrF4-3_w jEP!ZIRB9kũ-xOӖO\eax!um0q%՝b"f0BٺCO ,,mgSs$S)y#ϔ m$IjSfkC@$ğ_2 Iv(+6HtdA͋jӚ]e /.t?6D2F=`l)JZa"A|)J| a9i@ Rr;8%}@J^KJPW&BR 0><)'T'z@”+,iTVHl{7s,: ȓ``/#9ʼS3,`Z GW ./CvcNȣ&k{?wynL xqXt9 7X16q=wv"ϓ{~\[("k˜ uVAv,3x\/<[<,Mw[1CZ=r}E_g q+}F'z t{DoY7ۨ;.|ʜ,=}!G&zzy}> 9oa`Jof6rO0>oV8_OKoҽ{᧥}est3V*9$DH!H^ݍd_"2gNIJn/:}L9zd< ,fJfzӼ2iAxl3O7nC\pb_#1o~=ϸ2]a*w}o}VZtCqD &x/.)%eu@OKtG]_Q{O{[#60N Ħ7sgcef7XcŸց!{ Rf':曜;a!3̑"+Ӡ5m&s$;gr0G c*yx\[w5&P)<A~A< v4)[˷x:z}in;d⫆ܖ~@F' zYOXW+O*[QVD3|{ rx|[vz_cLRF< w *֒k0K(p!$~8M{fr+ (? ܻ'Vxe[b[0| ttf9J[~>ːu9N0F (A7%}avJM-'(NfnގBmE?nj_XP1ff~=dB7~bo4Kn7- gܺ6C&K> E j=N\*JɍK.jI !aB4ͳq;xMm[424(eBcT7`'5G"NWҩ`V1Ǣ'ށˉS $~Dt 9I3d2ڷ_\`]~ oE o2R{:Y; v}oh{KZ N Yڑ%*'6QO$ 1A3vxO_^ +{ԍ_ؕʒVޖ /NMW'BԢ3Obr$?>/lXrwfZSC%g:b9J>,EX[,_ىjJִV|)ZZe?HY 3 xHWt>҉;/[WjJV ;DIyB"^FeIGVg_PK/.14Xx/5)iltw><,\I`ǒmPLdI YD'h@[rx Ql4 aW]Ak_@:vA4azL!,R%`HZPU2h3J8P$@abJߜIy Ox5bgm@l_:9YԱtkIZ8@N0%w,dY4T̄Hy"xy'+K@XnN ~ Z9 [{{{{7ZTX^S:oVwl_L릷0X ~~sŒ){t2`3xXxbQo6i{B_E <+'%e_9;'J|Čx[&̅?<-CuF3ل2> ICx%:|5^ Ԗtbkt7罿%Úe,BL)<;y"VRpYH΅ʔJjPX;$fCve%Z$D8$" m&)AJ2ޒJ-FsEiԃYÒ ´꒪l n| WyPѪ`8o9;/*^tRATʰHR'v+@/n34?r~*I**^Eh2va{l> ,۠ C/ouc몛{?${<˕B[6߼H)\:SHRH 7uu ZR}`^CR"INu^'z!|n}m[ؼ3:B[hGyQg!@B^3Ÿ8{4mضve/ad".l$.lg˾qqūxU&*,|' ;l |ᯜyd-+nly>³Y{[_J+~]VJZ 8ɑ[vHK}zff N\?o +fo%2[tߚ'ë40aH΀76;egf5&NoCdym&]$5?h۾a+mն-1ϳċ|W;lk@VE6,љ{KW2*eX -}-$&w2{[)?i@m@ȼ#MlD5:!UJE:`ҷ.+⌱fnmO% _f(I4PDWГ 5>E4ֵ7 5a=y_ڋK۪_<kb}`2SZNܓ䍫atwb6Y}gj  OQ4k> aLWgl{#Ӹol`1tq*wo,]kʁV=P, xi߸֊[N2Ң=F(xۋ ؠhF!;Opl Rr(ҟaS@a]IYy²fSxQf vf4}돐Su&/U[{ω;T= ? KL)`G%]B~fs t'8q/,%j~dW:%8-xQ)j.^o7N Bv_xr7&?X++F]{A9-0) 橨~;VT8O[,zō+p$5d _M ,¶Ӊa٥()ȁ;_ 0(TmSOǽf#/7s.JN(aږϼʼn+I#샒=%hK?!,Q )Dsı/?:-ĻFXy- D9D NE7wya7G`<ĒI i5n/͛I~p\o+C"m.95͂E tCs95iT(5u=b?=G/utIjbiA.c2·Zs1a❺*B UNz ytNu*R!ѤF,GZj>kik6j=!ɣ`5?ؽYvn&+m']қ-XM%ܬTM Gܬv<5#Ϣcf 7pK$:rOĭF"c@Vmj|)5,\ 8\πJ*nA4`]"qjR$26rZH+(%\C;@ZՔV-`{dE>m>+=f]k;%u'}^rYģ֞PP*(Zz'cÓsO`ΖC0经UztWc2+ qAXCFݹHm+nl@BĝN:I^aci*pm[*{y-h<#Թk&[Q{Z`+,%`hnPČ\>fF+iAc̆4xc=O(<1_*J@(fYir' .'GWop+PתۣVw>2<-xWCW|-uufYl<|~1}MMLSx&C7)(ʁޒ_q4< x:i4a^zgZq!G)<>xInM2K= o~{@\cr 8r,-E|tz['u}H?Km1Bhb#3!F~0\'u9'y{0h_*4.P^[HguY(tZEKGa N<0xd+ Ǽ5 [zkaq{/F\n#MS4-l \ZS4pB7F}ꢯԔ1";'0ឩxT1,0)kM(qik8< ~3&v+"&(6@א0H`lg=wFpbZ1Ř!bx^r {4bwڜDQ\26Fiŷ~(l8*wxc||>8K$vFW@¨b)]N"@[ g #! v7UIu~6?`6w}``EP00a|Lng~7]_u:a"$Pn 0Y:oN+r HPgA~Llݜ(8&Ój9It!CK/HzNsZac‚day~Xϧˈ_`!bJU(IhRW|:T \gޕa)豪ꕯ7) ;ee,ՊK=Mȕ@%ZȘq~/ٷ4 :>\Sݹ>`rڻ"MrznUr]yOAa[kN|Sw{/'/UbkZhbv>L5mkL(P^4mf,(NL3\H^Eƒ<^;OKvE3@cqy^ L;O38Sv}YQJib_)oZW~_V\k) <VՑt.53;nh9j0}=W܄Ʉ @1@C|oOw5Bx_m9gBWP~ (Ay/)}8h3Ods)4?2\~5:;\(u2EF9\c? \~3kt3 f Y v? ta݌w>f'E/>C3(?(# ݌rߋ A{eȟȗ^|̠Kx2+  2o/(O@_23*}g ]CuV9u^C_]g_RIRf5/qvJEsQ^53Ty~)P5(ϐge3Vڍ^a{r!gˀ~_ kJ+ťW*7YKxM}%k{[F1nvd bCa 5KPe^ۛTCGPypKxEó##htoĶ.p&}:=Wv l+Jy.)ܲ}:QOXE)9K8GX%ӚXn3'c"e(s#h60 .Ñpۿ{剹?|k2xi0? ۓ{ Dw9MAwE/[`\zP[ԙq%TޢD)Fy5-g4o}e\7㌠6ևɧ {xuCWeC=tz}YP`% X5RǬQDxaw. ]C_ND]nxD`a\m8JȋI(q0Y1zzqcYq R3IrHNCLfLe~OfAL q]|5h_u4r5V$Ƕ1x_05:%xlӍ(1vՓ~ څ/jPK)sؖ?f F纳sX򻶫Qg r:?,x`9CoY>11LRO"cpN@U}# 1,;ԟ#1H YY/8:Z5m$$&b3@ gYlVxRBZszn%0)% KBlӫmwOHmgX|@ăx!$k0&O~|XqE*9"[o %@A$tzXq+N'%}YQ v.yH#eUI;.~m% ]*IxrHqpC>~EE3`A]|eD$u@Ч 3؅ϨnSC>XZc纖9cbV)qdFӧW-[@# e`1v4aehD خ;Oq^' 3>Ƌrx{Goq1$(+nOvGD g>6'كl4h}, Xs#Q%` <{[=LLJ D ϱ.y*hlg`wDl .3*/]E hWa)*e76K((Xp^'A6tm;>BAr,#<[^ҵ<ok3Ϸ[<-v7 /FOe(| _a[0~Y+JbA,\n2?>Şi3|@ }( of8j5`y+@44 qS`hp#1tB\ (X`to@ Q1?c]'nFQXƦi#]QaW:67n MywTL\7o+]ycQ1W)?Il}X<ٰ޳sW=?5flvnwx:Y}#s!?²Lj3mg^^kte(n aaXY[PE"1ԟc:(G=zk|XKzίfw:n0~cr8Lt4Q3|JKm)3 ;ς ixv4tgLt )2)v}ml-c6C-{P)