By Allan Maurer
CHARLOTTE, NC—In April, Calyptix Security discovered a security hole in devices meant to protect Internet users. Of the companies warned in June, some patched their products, others ignored the threat, and some questioned its importance.
Calyptix notified eight security vendors that their products were vulnerable to an attack called cross-site request forgery, or CSRF. One company, Israeli-based Check Point Software Technologies, issued updates to its affected SafeOffice products.
As a matter of industry protocol, vendors are notified and given time to respond to security flaws before they are identified.
A flurry of articles in the industry press (such as eWeek) debated the significance of the Calyptix discovery and has not completely abated. While some say the CSRF attacks are difficult, Calyptix’s Dan Weber, a security engineer, tells TechJournal South, “It took me less than half an hour to code up an attack.”
Tool can launch attacks
At least one other vendor complained to an eWeek reporter that it had already fixed the flaw, while another dismissed it as too difficult to exploit.
On the other hand, Jeff Williams of the Open Web Application Security Project (OWASP), who is also CEO of Aspect Security in Columbia, MD, told eWeek, “It’s not a difficult attack. We have a tool that lets you release these attacks fairly quickly.” OWASP ranks CSRF among the top ten most common or highest-risk Web application security flaws. (See: http://www.owasp.org/index.php/Top_10_2007)
The vulnerability affects Unified Threat Management (UTM) devices, routers, and other equipment managed through a Web interface. UTMs are used by businesses to protect against spam, viruses, hijackings, and other digital threats.
The vulnerability also poses some danger to large Web sites such as Amazon.com, Digg, and Google’s Adsense, security experts say.
Sneaking in silently
Anyone who uses a home wireless router may be familiar with the way the devices are managed through a Web interface with a single address. Many users never bother to even change the access password.
The vulnerability occurs when an Internet user opens a Web site intended to manage a device, such as that router or one as broad as a UTM, while simultaneously having another Web site open.
When the user is logged into a vulnerable device and views a hostile web page crafted by an attacker, the attacker can run commands on the device as if they were done by the user.
On the products that Calyptix has tested, these malicious actions include creating new VPN tunnels, adding users, changing passwords, and allowing remote administration – all of which can be done without the user’s knowledge.
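The forged commands succeed because the device's Web interface trusts any request that arrives with the logged-in user's session. As an added illustration (not code from Calyptix's advisory or from any vendor), the sketch below shows one common server-side defense: refuse state-changing requests that come from another origin or lack a per-session token. All function names, field names, and sample requests are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)   # assumption: secret generated on the device at boot
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change device state
DEFAULT_PORTS = {"http": 80, "https": 443}

def issue_csrf_token(session_id: str) -> str:
    """Token tied to one admin session; the device embeds it in every form it serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def origin_of(url: str):
    """Reduce a URL or Origin header to (scheme, host, port) for comparison."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def check_request(method, headers, form, session_id, device_origin):
    """Decide whether a request that already carries a valid session cookie is allowed."""
    if method in SAFE_METHODS:
        return True, "safe method"
    # A browser on another site reports that site here, not the device.
    source = headers.get("Origin") or headers.get("Referer")
    if source and origin_of(source) != origin_of(device_origin):
        return False, "cross-origin request"
    # Another site cannot read the token, so it cannot include it in a forged form.
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

# Constructed sample requests (not captured traffic).
DEVICE = "https://192.168.1.1"
SESSION = "admin-session-1"
FORGED = ("POST", {"Origin": "http://news.example"}, {"action": "add_user"})
LEGIT = ("POST", {"Origin": DEVICE},
         {"action": "add_user", "csrf_token": issue_csrf_token(SESSION)})

if __name__ == "__main__":
    for name, (method, headers, form) in (("forged", FORGED), ("legit", LEGIT)):
        print(name, check_request(method, headers, form, SESSION, DEVICE))
```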
Only basic skills needed
Calyptix security experts say anyone with basic Web programming and JavaScript knowledge could prepare such an attack.
Calyptix CEO Ben Yarbrough says, “It’s a very clear hole in security devices people rely on, yet some companies are not taking the measures to stay secure.”
Yarbrough points out that targeted attacks are on the increase and that attackers have grown increasingly sophisticated. They use not only high tech but also social engineering to obtain the information they need to run an attack. “They’re getting more sophisticated with social engineering to create ideal conditions,” he says.
To attack, a bad guy needs to know the URL of the device in question, but they often have means of finding that out.
Yarbrough says they might find out who a company’s IT manager is and send an email, spoofed to appear to come from a security vendor, saying to check a Web site for an alert via an email link. “It doesn’t look nefarious. It asks you to open your browser and check the device in question concurrently.”
Some vendors ignoring warning
What surprises the Calyptix team is that some vendors are apparently ignoring the threat altogether.
“Hardcore security guys say let’s fix it and keep our customers safe,” says Yarbrough. “Others choose not to be as vigilant.”
Meanwhile, Weber suggests that users can protect themselves by being sure to change the password on device management Web sites, and to perform management tasks in isolation with no other Web pages open.
Calyptix Security Corporation was founded in 2002 as a developer of all-in-one security solutions for small and medium businesses. AccessEnforcer, the company’s premier product, is an all-in-one security appliance that deploys DyVax, a proprietary algorithm and inspection engine that has been effectively deployed to dynamically filter email traffic from true zero-day threats without reliance on signatures.
Resources
The official advisory information released by Calyptix is at:
http://labs.calyptix.com/CX-2007-04.php
For a CGISecurity FAQ explaining CSRF in detail, see:
http://www.cgisecurity.com/articles/csrf-faq.shtml
To contact TJS editor Allan Maurer:
allan@techjournalsouth.com
© 2007, TechJournal South. All rights reserved.



