Calyptix Security Advisory CX-2007-05
eSoft InstaGate EX2 Cross-Site Request Forgery Attack

Date: 07/11/2007
http://www.calyptix.com/
http://labs.calyptix.com/CX-2007-05.php
http://labs.calyptix.com/CX-2007-05.txt

[ Overview ]

Multiple versions of eSoft's InstaGate EX2 UTM device are vulnerable to cross-site request forgery. The vulnerable firmwares include 3.1.20031001, 3.1.20060921, and 3.1.20070605. Other eSoft products were not tested.

This vulnerability allows an attacker to run commands on the web interface if the attacker can get the eSoft user to view a hostile web page while logged into his eSoft. These actions could include opening up remote access.

There are additional problems which are bad on their own, and also exacerbate the CSRF vulnerability:

1. A logged-in user can change the admin password without knowing the existing password.
2. The current admin password is visible in the source of the administrator's settings page.
3. The device provides no mechanism for logging out. (Closing your browser completely will usually accomplish this, although the device does not tell you this.)

[ Risk ]

Calyptix Security has classified this vulnerability as 'Medium-to-High Risk', based on the exacerbating conditions.

This attack requires the attacker to know the URL that is used to manage the device. While this could conceivably be hard to guess, in practice many are given addresses at the start of RFC 1918 address spaces, such as 10.0.0.1 or 192.168.0.1. The attacker can try several addresses simultaneously.

[ Patch / Fix / Workaround ]

Versions including and after 3.1.20070615 have taken defenses against the CSRF attack, as well as addressing all three of the exacerbating conditions listed above. Note that this is not the "most recent software for the InstaGate" as listed at http://support.esoft.com . That listed version is vulnerable. Please check to be sure that your version number is at least 3.1.20070615.
Some fixes may also be in 3.1.20070610, the release notes of which indicate "added functionality to improve GUI security." eSoft's spokesman "couldn't recall when" the fix had been made:
http://www.eweek.com/article2/0,1759,2154646,00.asp

Please be aware that many products have this vulnerability. Even if you use devices besides InstaGate, you are advised to follow these steps to reduce your exposure.

1. Use web management in isolation. Each browser instance should only connect to one device's web interface. Do not operate multiple windows or tabs when managing a device. As a suggested approach, you could use Firefox to browse the web while using Internet Explorer to manage only your firewall. You could also run your favorite browser inside of a virtual machine.

2. Log out of your web interface when not using it, and configure its inactivity timeouts.

3. Update to the latest version of your product's software. CSRF attacks have only recently gained popularity, so any device more than a few years old is very likely to be vulnerable to them.

4. Disable JavaScript. Note that many devices and websites require JavaScript to be enabled. Authorizing sites on a case-by-case basis to use JavaScript can significantly reduce this vulnerability. (Please note that there may still be ways of exploiting this without JavaScript, but they generally involve social engineering or a poorly designed web interface.)

5. Operate your web management interface on a non-standard address and/or port. (Please note that this is security through obscurity, and although it may protect you from general attacks, anyone targeting you will likely be able to figure out the address.)

[ Analysis ]

Many web sites and web products use persistent authentication. After the user logs in, all future requests are automatically granted access. A common way of doing this is to give the browser a cookie, which it automatically supplies with every request.
The server checks for the existence of this cookie on all important actions. A hostile web page can contain an invisible copy of the form that the firewall's web interface uses to, for example, create a new user. The form can be submitted without any action required on the end user's part. The browser will make the submission, automatically including the cookie. The server sees the cookie and processes the request as if the end user made it naturally.

There are other methods of persistent authentication besides cookies; some of these are also vulnerable to CSRF, others are not.

[ Disclosure Timeline ]

06/13/2007: Vulnerability discovered
06/14/2007: eSoft emailed (to info@ and suggestions@; security@ bounces)
06/22/2007: eSoft emailed again (to pr@, sales@, support@)
07/03/2007: eSoft responds through media as having fixed it
07/10/2007: version 3.1.20070615 confirmed to be secure
07/11/2007: Calyptix releases advisory

[ Version Clarification ]

We originally tested the 3.1.20060921 firmware version and believed it to be up-to-date, because it self-reported as being so when in contact with their website. We have since discovered that this was because the software update license (although not the hardware license) had expired. We regret the error, but despite multiple offers to talk with us about this, eSoft never responded directly. If they had, we could have handled this in a more straightforward manner.

The single most curious claim is that we tested a "custom build." This sounds nasty and nefarious, but the first firmware version we tested was visible in a Yahoo!'s archive of their support website until very recently, and all versions we tested are visible in the Internet Archive:

Yahoo! cache: http://labs.calyptix.com/images/esoft-yahoo.png

Archive of 3.1.20031001: http://preview.tinyurl.com/ysocdc
(links to web.archive.org/web/20040105172943/esoft.custhelp.com/cgi-bin/esoft.cfg/php/enduser/std_alp.php?p_gridsort=faqs.updated:D&p_prod_lvl1=17 )
(screenshot at http://labs.calyptix.com/images/esoft-20031001.png )

Archive of 3.1.20060921: http://preview.tinyurl.com/2psonk
(links to web.archive.org/web/20070308143458/http://knowplex.fusedsolutions.com/selfservice/esoft.cfm)
(screenshot at http://labs.calyptix.com/images/esoft-20060921.png )

[ Credit ]

Daniel Weber of Calyptix Security discovered and confirmed that this vulnerability can be exploited.

[ Contact ]

You can contact Calyptix Security about this vulnerability by e-mailing advisories2007@calyptix.com

[ Additional Information ]

Information about this generic class of attack, as well as information on the bug in other vendors' products, is at http://labs.calyptix.com/csrf-tracking.php

[ About Calyptix Security ]

Calyptix Security, founded in 2002, is located in Charlotte, North Carolina. Our Unified Threat Management (UTM) product, the AccessEnforcer (TM), is used by customers to protect their network infrastructure from security threats and is the only security appliance in the market that deploys DyVax (TM), our patent-pending signatureless inspection engine. The AccessEnforcer provides our customers all available gateway security features, including VPN, Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and IM management, for a single price with no add-ons and no hidden costs.

[ Legal Notice ]

Calyptix Security grants each recipient of this advisory permission to redistribute this advisory in electronic or other written medium without modification. This advisory may not be modified without the express written consent of Calyptix Security.
If the recipient wishes to modify the advisory in any manner or redistribute the contents of this advisory other than by way of an exact written or electronic transmission hereof, please email advisories2007@calyptix.com for such permission.

The information in this advisory is believed to be accurate at the time of publication based upon currently available information. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to any information in this advisory. None of the author, the publisher nor Calyptix Security (nor any of their employees, affiliates or agents) accepts or has any liability for any direct, indirect or consequential loss or damage arising from the use of, or reliance on, any information contained in this advisory.
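The Analysis section describes why a cookie alone is not proof that the user meant to submit a form. The following sketch of an appliance's password-change handler is an added example, not eSoft's or Calyptix's code: it pairs the session cookie with a per-session anti-CSRF token embedded in the form (which a hostile page cannot read), requires the current password before changing it (condition 1), never echoes the password into page source (condition 2), and provides a logout (condition 3). The in-memory session store, the function names and the sample password are assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory state standing in for the appliance's cookie-based
# persistent authentication (example code, not eSoft's or Calyptix's).
SESSIONS: Dict[str, Dict[str, str]] = {}
ADMIN_PASSWORD = {"value": "initial-admin-pw"}  # constructed sample value

def login(password: str) -> Optional[str]:
    """Return a new session-id cookie value on success, None otherwise."""
    if not hmac.compare_digest(password, ADMIN_PASSWORD["value"]):
        return None
    sid = secrets.token_urlsafe(32)
    # Each session gets its own unguessable anti-CSRF token, separate from
    # the cookie: the browser attaches the cookie automatically, but a hostile
    # page cannot read this token to put it into a forged form.
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid

def logout(sid: str) -> None:
    """Condition 3: give the administrator a way to end the session."""
    SESSIONS.pop(sid, None)

def render_settings_form(sid: str) -> Optional[str]:
    """Settings form carrying the token; the password is never echoed (2)."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    return ('<form method="post" action="/admin/password">'
            f'<input type="hidden" name="csrf" value="{sess["csrf"]}">'
            '<input type="password" name="current">'
            '<input type="password" name="new"></form>')

def change_password(sid: str, form: Dict[str, str]) -> str:
    """Handle the password-change POST; returns a short status string."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "unauthenticated"
    # The cookie alone is not enough: the form must carry the session token.
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return "csrf-rejected"
    # Condition 1: require the current password before changing it.
    if not hmac.compare_digest(form.get("current", ""), ADMIN_PASSWORD["value"]):
        return "wrong-current-password"
    ADMIN_PASSWORD["value"] = form["new"]
    return "changed"
```

A forged submission arrives with the cookie but without the token, so it stops at "csrf-rejected" before the password check is reached.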