Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Flaw Found In Security Products

Posted by kdawson on from the deploy-the-captchas dept.

ancientribe writes "A stealthy and potentially dangerous bug has been discovered in security products from eight different vendors, including Check Point Software, according to an article in Dark Reading. The so-called cross-site request forgery (CSRF) lets an attacker access the user's network and even conduct transactions on behalf of the user. It could affect over a million installations, but so far, Check Point is the only security vendor to step up and patch it. This vulnerability is found in most everything with a Web-based interface, including printers, firewalls, DSL routers, and IP phones." An article on the vulnerability from last fall quotes Jeremiah Grossman, CTO of WhiteHat Security, who calls CSRF "the sleeping giant" vulnerability: "It's not seen as a vulnerability because it works like the Web works."

9 of 153 comments (clear)

  1. Re:Can someone explain this for me...? by Anonymous Coward · · Score: 5, Informative

    What does this mean?

    It means that if you do something stupid like leave the default username/password for your "appliance" or log in and pick up a session cookie then go browse somewhere else, someone can set up a link like "http://192.168.0.1/networksetting.cgi?internet=di sabled&username=Admin&password=" and if they convince you to click on it, your internet turns off.

    Except that they don't have to convince you to click on it, they could set that as the source of an image... you'd see a broken image tag and then the internet would stop working. Then they just have to get that image tag onto a website you read, say through an ad vendor (some of whom obviously don't care that they're hosting malware, so why not?) or an email to a webmail address that doesn't filter image tags.

    This is how the internet works. Your browser follows links, and doesn't know or care about whats there until it gets there.

  2. Re:Can someone explain this for me...? by stevey · · Score: 5, Informative

    There is a simple example / introduction to CSRF attacks here.

  3. Check Point Edge firmware reset by accessdeniednsp · · Score: 4, Informative

    Anyone with a Check Point Edge or SofaWare appliance, be aware that if you do the reset procedure, you will be restoring both the original configuration *AND* the original firmware image that shipped with the product. Yes, the original image is still there. If you have a very old v3.x firmware box like I had one time, after upgrading to v6.5.x (back then) and then doing a reset, you're in for a surprise :)

  4. Re:POST vsn GET by stevey · · Score: 4, Informative

    Using POST will help, but it doesn't solve the problem.

    An attacker could still host a hidden FORM pointing at your local application, and use Javascript to submit it.

  5. Re:POST vsn GET by ckd · · Score: 5, Interesting

    Is that not the reason to use POST for important actions (e.g. modification to data) rather than GET? Indeed it is, but why should the vendors of security appliances be any better at reading RFCs than anyone else?

    RFC 1945, section 12.2 (under the oh so stealthy heading of "Security Considerations"):

    The writers of client software should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they may take which may have an unexpected significance to themselves or others.

    In particular, the convention has been established that the GET and HEAD methods should never have the significance of taking an action other than retrieval. These methods should be considered "safe." This allows user agents to represent other methods, such as POST, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
    But hey, that RFC was only written in 1996; why would we expect something that was specifically stated as a security problem eleven years ago to be taken into account by security vendors?
  6. A good explanation by athloi · · Score: 5, Informative

    CSRF explained, albeit clumsily. The examples made the article. Solution: use POST requests for user actions, and add unique tokens to each form.

    --
    technical writing / development
  7. Re:Can someone explain this for me...? by dch24 · · Score: 4, Informative

    Parent link is very helpful in understanding CSRF. In brief: malicious site knows or guesses you are logged in at paypal, slashdot, some valuable site, etc. ... malicious site sends you javascript that generates a form and submits it to valuable site. Valuable site sees it coming from your browser, so the cookies are valid. You are logged in, aren't you?

    This lets malicious site do things like send $10 donations from your paypal account, submit blogspam, get your account balance, etc. if you can be convinced to visit malicious site.

  8. Re:Can someone explain this for me...? by planckscale · · Score: 4, Informative
    By the way to not allow images execept from the original website, in FireFox2, open about:config, modify the value of the preference permissions.default.image

    from 1 to 0 .

    --
    Namaste
  9. Re:Can someone explain this for me...? by iago-vL · · Score: 5, Informative

    Of course, while that's generally good advice, it does very little to prevent CSRF. Instead of using an image, they could use an iframe or JavaScript code or anything else that loads a URL.

    --
    http://www.skullsecurity.org/blog/