Calyptix Security Advisory CX-2007-04
Cross-Site Request Forgery Attack Against Check Point Safe@Office Device

Date: 06/26/2007
http://www.calyptix.com/
http://labs.calyptix.com/CX-2007-04.php
http://labs.calyptix.com/CX-2007-04.txt

[ Overview ]

Multiple versions of Check Point's Safe@Office UTM device are vulnerable to cross-site request forgery. The test firmware was version 7.0.39x, the latest available for the Safe@Office model. Cursory testing shows that the prior version 5.0.82x was also vulnerable. Other Check Point products were not tested.

This vulnerability allows an attacker to run commands on the web interface if the attacker can get the Check Point user to view a hostile web page while logged into his Check Point device. These actions could include opening up remote access.

As a separate but exacerbating vulnerability, a logged-in user can change the admin password without knowing the existing password.

Please note that this category of attack exists against many products from many vendors. Calyptix Security is in the process of contacting vendors with confirmed vulnerabilities and expects to be releasing additional advisories.

[ Risk ]

Calyptix Security has classified this vulnerability as 'Medium Risk'.

This attack requires the attacker to know the URL that is used to manage the device. While this could conceivably be hard to guess, in practice many are given addresses at the start of RFC 1918 address spaces, such as 10.0.0.1 or 192.168.0.1. The attacker can try several addresses simultaneously.

Furthermore, if the user has not changed from the default password, the attacker does not need the user to have explicitly logged into his Check Point for this attack to succeed.

[ Patch / Fix / Workaround ]

Check Point has released the Safe@Office firmware version Embedded NGX 7.0.45 GA Release to resolve this issue.
The release notes for this firmware version can be found at:
http://www.sofaware.com/supportDownloads.aspx?boneId=182 (Registration required)

Please be aware that many products have this vulnerability. Even if you use devices besides Safe@Office, you are advised to follow these steps to reduce your exposure.

1. Use web management in isolation. Each browser instance should only connect to one device's web interface. Do not operate multiple windows or tabs when managing a device. As a suggested approach, you could use Firefox to browse the web while using Internet Explorer to manage only your firewall. You could also run your favorite browser inside of a virtual machine.

2. Log out of your web interface when not using it, and configure its inactivity timeouts.

3. Update to the latest version of your product's software. CSRF attacks have only recently gained popularity, so any device more than a few years old is very likely to be vulnerable to them.

4. Disable JavaScript. Note that many devices and websites require JavaScript to be enabled. Authorizing sites on a case-by-case basis to use JavaScript can significantly reduce this vulnerability. (Please note that there may still be ways of exploiting this without JavaScript, but they generally involve social engineering or a poorly designed web interface.)

5. Operate your web management interface on a non-standard address and/or port. (Please note that this is security through obscurity, and although it may protect you from general attacks, anyone targeting you will likely be able to figure out the address.)

[ Analysis ]

Many web sites and web products use persistent authentication. After the user logs in, all future requests are automatically granted access. A common way of doing this is to give the browser a cookie, which it automatically supplies with every request. The server checks for the existence of this cookie on all important actions.
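The following Python example is added by the editor and is not part of the Calyptix advisory or of Check Point's firmware. It shows the server-side check that the cookie-only design described above lacks: each login session is issued a secret token that the device's own pages embed in their forms, and state-changing requests are refused unless they carry it. Because a hostile page on another site can cause the browser to send the session cookie but cannot read or supply the session-bound token, the forged submission fails. The handler also requires the current password before changing the admin password, which closes the separate "exacerbating" issue noted in the Overview. The in-memory session store, the `Request` shape, the management address, the credential values and the `change_admin_password` handler are all constructed assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed in-memory session store: session cookie value -> session data.
# A real appliance keeps this server-side; its exact layout here is an assumption.
SESSIONS: Dict[str, Dict[str, str]] = {}

# Constructed credential store (plaintext for brevity; a real device stores a hash).
ADMIN_PASSWORD = {"value": "initial-admin-pw"}

# Assumed address of the device's own web interface, used for an Origin check.
MANAGEMENT_ORIGIN = "http://192.168.0.1"


def login(password: str) -> Optional[str]:
    """Return a fresh session cookie on a correct password, or None."""
    if not hmac.compare_digest(password, ADMIN_PASSWORD["value"]):
        return None
    cookie = secrets.token_urlsafe(32)
    # The CSRF token is tied to the session and is never placed in a cookie,
    # so nothing the browser sends automatically reveals it to another site.
    SESSIONS[cookie] = {"csrf_token": secrets.token_urlsafe(32)}
    return cookie


def csrf_token_for(cookie: str) -> str:
    """Token that the legitimate management page embeds in its own forms."""
    return SESSIONS[cookie]["csrf_token"]


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST: session cookie, form fields, Origin header."""
    cookie: Optional[str]
    form: Dict[str, str]
    origin: Optional[str] = None


def change_admin_password(req: Request) -> Tuple[int, str]:
    """Handle a password-change POST; returns (HTTP status, message)."""
    session = SESSIONS.get(req.cookie or "")
    if session is None:
        return 401, "not logged in"
    # Check 1 (CSRF): the request must carry the per-session token. A form
    # submitted from a hostile page arrives with the cookie (the browser adds it)
    # but without the token, so it is rejected here.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    # Check 2 (defense in depth): when the browser sends an Origin header, it must
    # name the device's own management address.
    if req.origin is not None and req.origin != MANAGEMENT_ORIGIN:
        return 403, "cross-origin request rejected"
    # Check 3 (the exacerbating issue): changing the password requires the current one.
    if not hmac.compare_digest(req.form.get("old_password", ""), ADMIN_PASSWORD["value"]):
        return 403, "current password required"
    ADMIN_PASSWORD["value"] = req.form["new_password"]
    return 200, "password changed"


def demo() -> Dict[str, int]:
    """Run a forged request and a legitimate one against a fresh state; return status codes."""
    SESSIONS.clear()
    ADMIN_PASSWORD["value"] = "initial-admin-pw"
    cookie = login("initial-admin-pw")
    # Forged request: hidden form on another site, cookie present, no token.
    forged = Request(cookie=cookie, form={"new_password": "attacker"},
                     origin="http://hostile.example")
    # Legitimate request from the device's own page: token and current password present.
    legit = Request(cookie=cookie,
                    form={"csrf_token": csrf_token_for(cookie),
                          "old_password": "initial-admin-pw",
                          "new_password": "n3w-pw"},
                    origin=MANAGEMENT_ORIGIN)
    return {"forged": change_admin_password(forged)[0],
            "legit": change_admin_password(legit)[0]}


if __name__ == "__main__":
    print(demo())
```

The token check is what actually stops the forgery; the Origin check is a cheap second line that older browsers of the advisory's era did not send, which is why it is treated as optional rather than required. The `hmac.compare_digest` calls avoid leaking token or password bytes through timing differences.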
A hostile web page can contain an invisible copy of the form that the firewall's web interface uses to, for example, create a new user. The form can be submitted without any action required on the end user's part. The browser will make the submission, automatically including the cookie. The server sees the cookie and processes the request as if the end user made it naturally.

There are other methods of persistent authentication besides cookies; some of these are also vulnerable to CSRF, others are not.

[ Disclosure Timeline ]

06/05/2007 Vulnerability discovered in version 5.0.82x
06/14/2007 Vulnerability confirmed in version 7.0.39x
06/14/2007 Check Point and SofaWare contacted
06/17/2007 Check Point responds, acknowledges, tells us of planned fix
06/26/2007 Check Point releases fix, SofaWare makes announcement
06/26/2007 Calyptix releases advisory

[ Credit ]

Daniel Weber of Calyptix Security discovered and confirmed that this vulnerability can be exploited.

[ Contact ]

You can contact Calyptix Security about this vulnerability by e-mailing advisories2007@calyptix.com

[ About Calyptix Security ]

Calyptix Security, founded in 2002, is located in Charlotte, North Carolina. Our Unified Threat Management (UTM) product, the AccessEnforcer (TM), is used by customers to protect their network infrastructure from security threats and is the only security appliance in the market that deploys DyVax (TM), our patent-pending signatureless inspection engine. The AccessEnforcer provides our customers all available gateway security features, including VPN, Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and IM management, for a single price with no add-ons and no hidden costs.

[ Legal Notice ]

Calyptix Security grants each recipient of this advisory permission to redistribute this advisory in electronic or other written medium without modification. This advisory may not be modified without the express written consent of Calyptix Security.
If the recipient wishes to modify the advisory in any manner or redistribute the contents of this advisory other than by way of an exact written or electronic transmission hereof, please email advisories2007@calyptix.com for such permission.

The information in this advisory is believed to be accurate at the time of publication based upon currently available information. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to any information in this advisory. None of the author, the publisher nor Calyptix Security (nor any of their employees, affiliates or agents) accepts or has any liability for any direct, indirect or consequential loss or damage arising from the use of, or reliance on, any information contained in this advisory.