Major Flaw Found In Security Products

ancientribe writes "A stealthy and potentially dangerous bug has been discovered in security products from eight different vendors, including Check Point Software, according to an article in Dark Reading. The so-called cross-site request forgery (CSRF) lets an attacker access the user's network and even conduct transactions on behalf of the user. It could affect over a million installations, but so far, Check Point is the only security vendor to step up and patch it. This vulnerability is found in most everything with a Web-based interface, including printers, firewalls, DSL routers, and IP phones." An article on the vulnerability from last fall quotes Jeremiah Grossman, CTO of WhiteHat Security, who calls CSRF "the sleeping giant" vulnerability: "It's not seen as a vulnerability because it works like the Web works."

Hope they used EEPROM

[jshriverWVU (810740)]

routers, IP phones, etc

because it sucks when there's a bug in hardware unless it's possible to do a firmware upgrade to fix or work around it.

Can someone explain this for me...?

[mikecardii (978929)]

I'm not completely retarded at computers, I just like reading comments on /. so I don't call attention to myself because for the most part I look like a complete dumbass. Yet this sentance makes no sense to me. "It's not seen as a vulnerability because it works like the Web works." What does this mean?

Re:

[MDHowle (634114)]

Sounds like the old saying "it's not a bug. it's a feature!"

Re:Can someone explain this for me...?

[by Anonymous Coward]

What does this mean?

It means that if you do something stupid like leave the default username/password for your "appliance" or log in and pick up a session cookie then go browse somewhere else, someone can set up a link like "http://192.168.0.1/networksetting.cgi?internet=di sabled&username=Admin&password=" and if they convince you to click on it, your internet turns off.

Except that they don't have to convince you to click on it, they could set that as the source of an image... you'd see a broken image tag and then the internet would stop working. Then they just have to get that image tag onto a website you read, say through an ad vendor (some of whom obviously don't care that they're hosting malware, so why not?) or an email to a webmail address that doesn't filter image tags.

This is how the internet works. Your browser follows links, and doesn't know or care about whats there until it gets there.

Re:

[spood (256582)]

Hence the reason to disable remote 3rd party images in your browser of choice (e.g. Firefox) and never click on 3rd party URLs. See also the Netflix CSRF vulnerability [webappsec.org] that allowed an attacker to add a movie to a user's queue, move it to the top of the list, and change the shipping address for the user to his own to get free movies. Who here checks the box to stay logged into Netflix? Note that the "add movie to queue" portion still hasn't been fixed.

There may be a lot of comments saying CSRF is so 20006. W

Re:

[gEvil (beta) (945888)]

There may be a lot of comments saying CSRF is so 20006.

Pfffft. I'm certain they'll have things fixed by then...

Re:Can someone explain this for me...?

[planckscale (579258)]

By the way to not allow images execept from the original website, in FireFox2, open about:config, modify the value of the preference permissions.default.image

from 1 to 0 .

Re:Can someone explain this for me...?

[iago-vL (760581)]

Of course, while that's generally good advice, it does very little to prevent CSRF. Instead of using an image, they could use an iframe or JavaScript code or anything else that loads a URL.

Re:

[owlstead (636356)]

The bigger problem is that, indeed, the browser accepts data from any source to be put in a page, as well as allow communications to any destination. This can be images, video's, web-casts, posts, redirects, css pages - the works. To make matters worse, you cannot even trust links anymore, you never know what the scripting which is behind the link is going to do. This is just like Outlook displaying mails in Internet explorer, it's damn convenient at times, but it's really, really bad for security.

Now, if y

Re:

[dgatwood (11270)]

That's pretty sad if that's all this is about. Isn't this basic stuff they teach you in college? :-) Didn't we learn anything from the "secret" backdoor passwords exploited by the UNIX worm of 1988? You don't have a single password built into ANY piece of software. You require the user to create a password when you first plug the device in. Really freaking basic stuff.

For that matter, this one would be solved by simply using an expiring session key. For that matter, this one would be solved by makin

Re:Can someone explain this for me...?

[stevey (64018)]

There is a simple example / introduction to CSRF attacks here [debian-adm...ration.org].

Re:Can someone explain this for me...?

[dch24 (904899)]

Parent link is very helpful in understanding CSRF. In brief: malicious site knows or guesses you are logged in at paypal, slashdot, some valuable site, etc. ... malicious site sends you javascript that generates a form and submits it to valuable site. Valuable site sees it coming from your browser, so the cookies are valid. You are logged in, aren't you?

This lets malicious site do things like send $10 donations from your paypal account, submit blogspam, get your account balance, etc. if you can be convinced to visit malicious site.

Re:

[skiingyac (262641)]

Ok, but they say adding a token fixes the problem? So, website X shows me a form with some randomly-generated token field that's good for say 15 minutes, and unless my form submission has that field set to a valid token, then it is rejected? The token would need to be tied to something so that only a request I send creates a valid token for me... otherwise the malicious site can request the form itself, getting a valid token, and use it for the malicious submission.

For that matter, the malicious site coul

Re:

[numatrix (242325)]

No it can't. The same-origin policy prevents javascript from one website from accessing objects returned from another website. Kinda. It's complicated and there are occasionally ways to hack it, but generally speaking when same-origin is working, the token is a pretty secure mechanism.

The best way to break tokens like that is to find some XSS on the site you're attacking -- that allows you to get javascript running within the domain of the remote site. /Then/ you can do what you described above and have

What the ... ?

[khasim (1285)]

CSRF works like this: An attacker identifies a URL on a Website -- such as Netflix or a bank -- that initiates typical Web functions such as making a purchase, changing an email address or transferring funds. "The attacker takes that URL and loads it to a Web page they control," White Hat's Grossman says.

The actual attack occurs when the user visits the attacker-controlled Web page via a legit link, which forces the browser -- using legitimate, authenticated cookies -- to make malicious requests. The user has no clue as to what's happening.

And the catch is that neither the original Website nor the user's computer is necessarily compromised, Grossman says.

Wouldn't this be easily killed by simply having the webpage dynamically generate a page with a life of 15 minutes or less?

Or even by using some basic encryption that involves the IP address of the original request?

sheesh!

Re:

[Volante3192 (953645)]

The actual attack occurs when the user visits the attacker-controlled Web page via a legit link

Does that also mean simply typing in the URL bypasses this as well?

Re:

[Intron (870560)]

No. Its not a phish address. The malicious webpage has elements that will be downloaded by your browser automatically, like images, javascript and styles. One of these could actually be a link to Slashdot (for example) that requests an action there. If you are still logged into Slashdot it will perform the action because the request really came from your browser, which knows the session and your Slashdot cookies.

Re:

[Amouth (879122)]

i find this kinda intresting.. exchange years ago disabled url's to the same domain as the mail server cause people where getting e-mails with links in them that would use OWA to delete mail or change passwords and so on and so forth

needless to say i had to alter their proccessing page for this cause they blocked the whole damn domain not jsut the mail server..

Re:

[ghoti (60903)]

If I understand this correctly, the request comes from the user's browser, and so also from the same IP. But a timeout would help (it's just less convenient).

But that makes me wonder if browsers could do something against this. If there's an iframe that is not visible to the user, and that tries to request a page from somewhere else, don't send cookies. Okay, maybe it's a bit more involved, but shouldn't this be doable on the browser side?

And the "referrer page" is already known.

[khasim (1285)]

I may be wrong, but I think Amazon already implements something like that. I cannot bookmark my "shopping cart" page ... and then go into it from a different computer with a different IP address. Even if I'm logged into Amazon on both computers.

There seem to be a lot ways to defeat this "sleeping giant" of a vulnerability. And most of them seem to related to basic security practices by the websites themselves.

"Solving" this at the firewall level just seems ... weird.

Re:

[accessdeniednsp (536678)]

I think that's one of the changes Check Point is making to the Edge appliances. There are no details in the release notes for v7.0.45 of their Edge firmware, but I think they added some session timeout/cookie timeout stuff. This came out rather quickly, so it must not have been too hard to "fix".

Re:

[bryguy5 (512759)]

Expiring the Session in a short time frame like 15 minutes does limit the damage, but doesn't eliminate the threat. The above example said Checkpoint was only vunerable when both were open at the same time.

The IP address doesn't work because the initial exploit is from the orignal user on the same computer, same ip address. Just a different tab or window of the same browser that carries the same cookie/http-auth as the original, but comes from a seperate malicious webpage.

I can think of 2 general fixes but

URL referrer

[oliverthered (187439)]

So long as the malicious site isn't on HTTPS you should get a url referrer with the request that doesn't look like the one you'd expect to get from a legitimate request.

That's why I don't think this is a problem.

[khasim (1285)]

The above example said Checkpoint was only vunerable when both were open at the same time.

While that does happen, it probably would be extremely rare.

And the "attacker" would have to pre-craft the page. This would be easily defeated by simply dynamically generating each page and giving a short time to live.

The attacker would need to know the dynamically generated ID
and
He'd need to know it before that page expired
and
He'd need to get that code into his webpage that you were looking at.

Sure, this "attack" woul

Re:

[morgan_greywolf (835522)]

I've said from the first day I learned what a 'cookie' was that using cookies alone for authentication is a very bad idea. Here is the real fix: don't use cookies alone for authentication. Your idea of using a session token passed on the URL is one such idea. Can anyone think of others?

Re:

[bhmit1 (2270)]

Wouldn't this be easily killed by simply having the webpage dynamically generate a page with a life of 15 minutes or less?

It's poor authentication on the server side. The browser is hitting links that it's given, and if you're doing something important, you shouldn't rely on the browser being fixed. The proper solution is for the server to give out a unique key with every form or link that needs to be secure, and if the key received don't match one given out to that user, it's rejected. Crackers wouldn

Update!

[accessdeniednsp (536678)]

Anyone here like me who does managed firewall work, please notify your clients and get them updated! But this is Slashdot, and we all update our stuff don't we? :) Also, this kind of thing is irrespective of whether or not you allow remote web management of your device. Also, this is further evidence for why you should not use the default internal IP range the device gives you. Please always change the local LAN IP range!

I'm surprised it took this long to find something like this, but I'm not at all surprised it existed. I've loved web interfaces like these but I've always been nervous about them.

Re:

[gEvil (beta) (945888)]

Also, this is further evidence for why you should not use the default internal IP range the device gives you. Please always change the local LAN IP range!

I certainly need to read up some more on this, but from the sounds of the first article, it doesn't seem like changing the default IP range would stop this exploit from working.

Re:

[accessdeniednsp (536678)]

The advisory I read earlier this week for the Check Point Edge firewall, specifically, said the URL would have been most effective if the attacker knew the device's IP. The proof-of-concept I saw worked to add a new admin user and password to the device. It used "https://192.168.10.1/blah blah" which is the default IP of the Edge out-of-the-box. Although for the Edge, specifically, it acts as a DNS proxy which can intercept the silly "my.firewall" and "my.vpn" DNS names and redirects them to the device i

Re:

[gEvil (beta) (945888)]

Gotcha. Thanks for the info.

The sky is falling?

[Verteiron (224042)]

From TFA:
In Check Point's case, CSRF was possible when a user was logged onto https://my.firewall/ [my.firewall] at the same time he or she was connected to a malicious Website, according to the company's patch release information.

This bad, sure, but hardly the internet-destroying calamity the article makes it sound like. When you're connected to the web interface of something critical, make sure you trust the other websites you're viewing at the same time. Am I missing something, or is this Calyptix company just trying to get its name on everyone's lips?

Re:

[Daniel_Staal (609844)]

For that matter, I can't think of a time when I've opened another website while using the web interface for a firewall. If I'm configuring a firewall that's what I'm doing, and the rest of my internet connection is probably non-fuctional until I get the firewall set up.

But the vunlerablity isn't limited to firewalls, of course...

POST vsn GET

[El_Muerte_TDS (592157)]

Is that not the reason to use POST for important actions (e.g. modification to data) rather than GET?

Re:POST vsn GET

[stevey (64018)]

Using POST will help, but it doesn't solve the problem.

An attacker could still host a hidden FORM pointing at your local application, and use Javascript to submit it.

Re:POST vsn GET

[ckd (72611)]

Is that not the reason to use POST for important actions (e.g. modification to data) rather than GET?

Indeed it is, but why should the vendors of security appliances be any better at reading RFCs than anyone else?

RFC 1945 [w3.org], section 12.2 (under the oh so stealthy heading of "Security Considerations"):

The writers of client software should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they may take which may have an unexpected significance to themselves or others.

In particular, the convention has been established that the GET and HEAD methods should never have the significance of taking an action other than retrieval. These methods should be considered "safe." This allows user agents to represent other methods, such as POST, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

But hey, that RFC was only written in 1996; why would we expect something that was specifically stated as a security problem eleven years ago to be taken into account by security vendors?

Re:

[vipw (228)]

And in the real world, who approves every post that scripts make on behalf of the user? I know that I don't.

Re:POST vsn GET

[spood (256582)]

While it's true that it's much better to follow the RFC here, just switching to POST doesn't solve the CSRF problem. An attacker could set up a malicious Web page which has a form with all the necessary parameters and a JavaScript to automatically submit it, hence meeting the POST requirement. Similarly, if the client has an older version of Flash or a buggy version which does not obey same-source security principles, the attacker could embed a malicious SWF which creates the entire HTTP request from scratch, even forging the Referer header if you were checking that as a security measure.

This is another good reason for using Firefox extensions such as Flashblock [mozilla.org] and Noscript [noscript.net]. As a client, you can protect yourself pretty easily from a lot of these attacks. Noscript also has some nice features which help filter out the more common brands of XSS attacks.

Re:

[accessdeniednsp (536678)]

Standards? We don't need no stinkin' standards! ;-)

Re:

[Solra Bizna (716281)]

It increases the complexity and requirements of implementing the attack.

With a GET request, all you need is for the victim's browser to visit the URL. You could hide a link, or even put it as the SRC for some other tag. You could hide it in an <IMAGE>, or even a <LINK>. (Or, as another poster pointed out, in an invisible <IFRAME>.)

With POST, on the other hand, you have to get the victim to submit a deliberately crafted form. With JavaScript you could do this automatically, but that's not

Re:

[asdfghjklqwertyuiop (649296)]

With POST, on the other hand, you have to get the victim to submit a deliberately crafted form. With JavaScript you could do this automatically, but that's not nearly as easy as

Not nearly as easy? Here, lets transform your sample attack into a POST-based one:

<form id="funnyform" action="http://www.bankofsomethingorother.com/acco unt.asp" method=post>
<input type=hidden name="action" value="transfer">
<input type=hidden name="amount" value="1000.00">
<input type=hidden name="dest" value=

I Don't See It As a Sleeping Giant ....

[Luscious868 (679143)]

All it takes is one malicious site to be open at the same time the Web interface is, and the attacker can gain access to your network, he says.

So don't manage any device on your network via it's web interface while browsing web sites you don't trust on the Internet. Problem solved. In this day and age you should be careful about opening links to non-trusted sites no matter what.

If you absolutely must do both at the same time, use one browser for the web and another to manage the device. If you're on Win

This happens though.

[khasim (1285)]

You'll be looking for the solution to a problem on a web page and trying it on your firewall.

In that rare instance, I can see this as being a potential problem.

Re:

[darkmeridian (119044)]

Personally, I surf with Firefox and control with IE (compatible with the intranet).

Check Point Edge firmware reset

[accessdeniednsp (536678)]

Anyone with a Check Point Edge or SofaWare appliance, be aware that if you do the reset procedure, you will be restoring both the original configuration *AND* the original firmware image that shipped with the product. Yes, the original image is still there. If you have a very old v3.x firmware box like I had one time, after upgrading to v6.5.x (back then) and then doing a reset, you're in for a surprise :)

A good explanation

[athloi (1075845)]

CSRF explained [shiflett.org], albeit clumsily. The examples made the article. Solution: use POST requests for user actions, and add unique tokens to each form.

Re:

[rthille (8526)]

You should never use GET for actions. The last company I was at had a 'delete' link that was a GET action. And we had a spider that indexed our intranet...

And the spider deleted everything!

The Cross-site Request Forgery FAQ

[mrkitty (584915)]

http://www.cgisecurity.com/articles/csrf-faq.shtml [cgisecurity.com]

What is the vulnerability?

[Ed Avis (5917)]

Could anyone explain what this is all about? The article doesn't go into much detail. We all know that any http GET request can be accessed from another website, for example by putting it inside an IMG tag. When the user's browser visits the site, it goes and fetches all the image URIs. But that doesn't seem like an attack, because as we all know, you should never use GET requests for anything other than harmless idempotent information retrieval (to perform potentially dangerous operations use POST requ

Re:

[bryguy5 (512759)]

POST doesn't help onclick=form.submit()

You can still do hidden posts with javascript. Just hook up the post to fire on onload or onclick of anything on the malicious site. The form response can be targeted to a hidden iframe so it's invisible to the user.

Most people have already turned off their browsers post warning and even if they didn't they don't have any reason to think it's posting to their bank's website or firewall device instead of the malicious site.

Re:

[nolife (233813)]

I supply your browser a link like this:

http://slashdot.org/users.pl?op=edituser?sig="blow me"

If you are logged into /. and you happen to click on that link, your signature will be changed to "blow me"
(okay, I know nothing about scripting and this is just an example but you get the idea)

How do I supply this link to your browser? One example is on a malicious web page in an image tag, there are many others.
Since you have a /. set to log in automatically and save your cookie, any request from your machine