Security appliance makers are shrugging off CSRF (cross-site request forgery) vulnerabilities in their products—products that sit at the crossroads of enterprise protection.
The vulnerable appliances, unified threat management products, “certainly are an important part of an enterprises security,” said Billy Hoffman, lead researcher for SPI Dynamics SPI Labs, in Atlanta. “Im kind of surprised [that appliance vendors have been dismissive of the CSRF flaws]—Id be surprised if there were not people inside the [organizations] that are saying, We need to fix this.”
On July 26, security firm Calyptix announced the CSRF flaws, which the company said it had found on eight vendors UTM appliances. Check Point, one of the eight vendors, on the same day announced an update to multiple versions of its Safe@Office UTM device that had been vulnerable to the problem.
Of the seven other UTM vendors, reaction has been close to nil. Only one told eWEEK that the vulnerability had been addressed, and another told Calyptix that the vulnerability is being investigated. While their products remain vulnerable—or, at the least, until the vendors respond to eWEEKs queries as to whether theyre investigating and can confirm or deny their products vulnerability—Calyptix and eWEEK are refraining from naming the vendors, in the spirit of responsible disclosure.
One vendor whose spokesman said the vulnerability has been fixed, eSoft, was irked enough by Calyptixs claims to file a complaint against the company with CERT. “Not sure what [Calyptix is] up to, but they definitely did not do their homework,” said the spokesman, in an e-mail exchange. “We complained to CERT, because [Calyptix] cried wolf to CERT as well.”
The spokesman said that eSoft has already fixed the CSRF vulnerability, although he told eWEEK he couldnt recall when.
According to the spokesman, eSofts engineering team tracked down Calyptixs version of the companys InstaGate security appliance and discovered it was a custom build for a former customer. Calyptix had, in fact, bought it off eBay, according to Calyptix CEO Been Yarbrough.
A spokesman for another one of those vendors dismissed the CSRF vulnerability, telling eWEEK that its near-impossible to exploit.
Web application security experts agree. CSRF flaws are tough to exploit, necessitating an attacker on one end and on the other end a user who gets lured to a maliciously crafted site and who also leaves a browser window open for the malicious site to commandeer.
The problem isnt the ease of the exploit, though—the real concern is the serious damage a successful exploit can cause.
“If you can do [a successful CSRF], youll win, but theres not a good chance youre going to do it,” Hoffman said. “But that by no means limits the risk. The risk is there, [even if] the potential is low.”
Web application security firm Aspect Security, for example, has used CSRF flaws in the lab to transfer money out of online checking accounts.
“Its not a difficult attack,” Jeff Williams, chair of OWASP (Open Web Application Security Project) and CEO of Aspect Security, in Columbia, Md., told eWEEK. “We have a tool that lets you release these attacks fairly quickly. You record a transaction, save it as a Web page, post it on the Internet, and anybody who views it, while logged into the victims site, the attack will run. You could put attacks for the top 100 banks on one page. If youre logged into any one of those pages, it will work, silently and under cover, and the user will never know.”
CSRF attacks can be automated to perform such multistep transactions by putting each step of the transaction as a chunk of HTML code into a separate page of a malicious site. When a user views the crafted site, each step of the attack fires, in order. Delays are also built in between the steps to account for the processing time Web transactions require—to churn through a request and post a confirmation message, for example. The online account transaction attack Aspect pulled off entailed seven steps.
Such attacks, which as yet havent been seen outside of PoC (proof-of-concept) code, are silent and undetectable, running invisibly in the background.
Of particular concern with CSRF flaws on a UTM device are that attackers can do such things as open up remote access through a VPN tunnel. Through a separate but substantially worse vulnerability, an attacker logged in as a legitimate user—a browser window cant detect a legitimate user from a fraudulent one without the use of tokens—can also change the administrator password without knowing the existing password.
The particulars of the CSRF vulnerability—also known as one-click attacks or session riding—on UTM devices differ according to product. With Check Point, the vulnerability would have allowed an attacker to run commands on the Web interface of UTM devices if he or she could get the Check Point user to view a hostile Web page while logged into a Check Point device.
Next Page: Targets of opportunity.
Inviting Targets
Prevalence of this vulnerability, Williams said, is “staggering.” While a small number of sites protect against it, including Wikipedia and some blog software, a “vast amount of applications” are susceptible, Williams said—”no doubt about it.”
CSRF has actually been boosted to OWASPs Top Ten list of most common and/or highest-risk Web application security flaws. CSRF, Williams said, is both common and of high risk, in spite of its low potential for success. Heres a description of what a CSRF can do, quoted from an FAQ on CGI Securitys site:
“Most of the functionality allowed by the website can be performed by an attacker utilizing CSRF. This could include posting content to a message board, subscribing to an online newsletter, performing stock trades, using a shopping cart, or even sending an e-card. CSRF can also be used as a vector to exploit existing Cross-site Scripting flaws in a given application. For example imagine an XSS issue on an online forum or blog, where an attacker could force the user through CSRF to post a copy of the next big website worm. An attacker could also utilize CSRF to relay an attack against a site of their choosing, as well as perform a Denial Of Service attack in the right circumstances.”
CSRF is often confused with the ubiquitous, well-known class of XSS (cross-site scripting) attack. They differ in that XSS relies on a victim to trust that the content displayed in a browser is legitimately being displayed by the site being viewed. Conversely, CSRF takes advantage of sites that trust the legitimacy of a request from a browser user.
Regarding the wider world of Web browsers, there are vulnerable sites of substantial size. Heres an example of an attack on Digg. Heres another example of an attack on Amazon.com, and yet another example of an attack on Googles AdSense.
The Amazon flaw has been open for over a year, according to Chris Shiflett, lead of the Web application security practice at OmniTI, in Columbia, Md. Shiflett discovered the Amazon CSRF flaw on March 15, 2006. Amazon verified the vulnerability and told Shiflett it was a “top priority,” but a year later it was still open. Amazon.com, headquartered in Seattle, declined to comment on the matter, citing a policy against speaking about security concerns. Google, based in Mountain View, Calif., also declined to comment on the AdSense vulnerability.
The idea of a CSRF against a UTM is “a bit of a niche attack,” Hoffman said, given the low percentage of the population who have access to such devices. “I have to get the IT administrator at [a company] to visit a site, and oh, he has to have cached credentials in the form of cookies or log-in credentials for, say, a firewall or IDS [intrusion detection system] or routers.
“… In terms of the percentage of the population, those who have access, SPI has 150 people, and we have four or five folks who can potentially access [a given security device]. Thats less than 3 to 4 percent of the population whod have access.” Plus, Hoffman said, an attacker would have to luck out and strike when an IT administrator happened to be logged in to the Web browser of the target UTM device.
The chances are low that an attacker would stumble upon many such situations, but the risk to an organization if the attacker did so would be very high, Hoffman said.
The spokesperson of one of the vendors of potentially vulnerable UTM devices pointed out its not as if these devices have IP addresses that are broadcast publicly. Many are internal, nonroutable IP addresses. With such devices, an attack would have to be based on guesswork.
Still, its not as if the number of IP addresses were infinite, said Scott Parcel, vice president of engineering and chief technology officer at Cenzic, in Santa Clara, Calif.
“Its a numbers game with these kinds of attack,” he said. “If you lure a million people to do something, some percent will do what you want them to do, and a smaller percent will [be on a vulnerable system],” he said.
And then there are default passwords. And last but not least, an attack could come from a disgruntled employee or an ex-employee who knows a devices IP address.
“The idea of treating the addresses of these [UTM devices] as being a secret, as a protection—that doesnt sound like the level of protection Id like to see,” Parcel said.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.