Calyptix Security Advisory CX-2007-05 - eSoft InstaGate EX2 Cross-Site Request Forgery Attack
Date: 07/11/2007
http://www.calyptix.com/
http://labs.calyptix.com/CX-2007-05.php
http://labs.calyptix.com/CX-2007-05.txt
[ Overview ]
Multiple versions of eSoft's InstaGate EX2 UTM device are
vulnerable to cross-site request forgery. The vulnerable
firmwares include 3.1.20031001, 3.1.20060921, and 3.1.20070605.
Other eSoft products were not tested.
This vulnerability allows an attacker to run commands on the web
interface if the attacker can get the eSoft user to view a hostile
web page while logged into the device. These actions could include
opening up remote access.
There are additional problems which are bad on their own, and
also exacerbate the CSRF vulnerability:
1. A logged-in user can change the admin password without
knowing the existing password.
2. The current admin password is visible in the source of the
administrator's setting page.
3. The device provides no mechanism for logging out. (Closing
your browser completely will usually accomplish this, although
the device does not tell you this.)
[ Risk ]
Calyptix Security has classified this vulnerability as
'Medium-to-High Risk', based on the exacerbating conditions.
This attack requires the attacker to know the URL that is used to
manage the device. While this could conceivably be hard to guess,
in practice many devices are given addresses at the start of RFC 1918
address spaces, such as 10.0.0.1 or 192.168.0.1. The attacker can
try several addresses simultaneously.
[ Patch / Fix / Workaround ]
Versions 3.1.20070615 and later include defenses against the CSRF
attack and also address all three of the additional problems
listed above.
Note that this is not the "most recent software for the InstaGate" as
listed at http://support.esoft.com . That listed version is vulnerable.
Please check to be sure that your version number is at least 3.1.20070615.
Some fixes may also be in 3.1.20070610, the release notes of which
indicate "added functionality to improve GUI security." eSoft's
spokesman "couldn't recall when" the fix had been made:
http://www.eweek.com/article2/0,1759,2154646,00.asp
Please be aware that many products have this vulnerability. Even if
you use devices besides InstaGate, you are advised to follow these
steps to reduce your exposure.
1. Use web management in isolation. Each browser instance should
only connect to one device's web interface. Do not operate
multiple windows or tabs when managing a device.
As a suggested approach, you could use Firefox to browse the web
while using Internet Explorer to manage only your firewall. You
could also run your favorite browser inside of a virtual machine.
2. Log out of your web interface when not using it, and configure
its inactivity timeouts.
3. Update to the latest version of your product's software. CSRF
attacks have only recently gained popularity, so any device more
than a few years old is very likely to be vulnerable to them.
4. Disable JavaScript. Note that many devices and websites require
JavaScript to be enabled. Authorizing sites on a case-by-case
basis to use JavaScript can significantly reduce this
vulnerability. (Please note that there may still be ways of
exploiting this without JavaScript, but they generally involve
social engineering or a poorly designed web interface.)
5. Operate your web management interface on a non-standard address
and/or port. (Please note that this is security through
obscurity, and although it may protect you from general attacks,
anyone targeting you will likely be able to figure out the
address.)
[ Analysis ]
Many web sites and web products use persistent authentication.
After the user logs in, all future requests are automatically
granted access. A common way of doing this is to give the browser a
cookie, which it automatically supplies with every request. The
server checks for the existence of this cookie on all important
actions.
A hostile web page can contain an invisible copy of the form that
the firewall's web interface uses to, for example, create a new
user. The form can be submitted without any action required on the
end user's part. The browser will make the submission,
automatically including the cookie. The server sees the cookie and
processes the request as if the end user made it naturally.
There are other methods of persistent authentication besides
cookies; some of these are also vulnerable to CSRF, others are not.
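The difference between a cookie-only check and a request check that a
cross-site form submission cannot satisfy, as an added example (not part of
the original advisory and not eSoft's code). The session store, management
address, field names and sample requests are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical values, not taken from the InstaGate firmware.
MGMT_ORIGIN = "https://192.168.0.1"      # constructed management address
SERVER_KEY = secrets.token_bytes(32)     # per-boot secret used to derive tokens
SESSIONS = {"sid-1234": "admin"}         # constructed session store

def csrf_token(session_id: str) -> str:
    """Token bound to one session; the device embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def cookie_only_check(cookies: dict) -> bool:
    """The pattern described in the Analysis: a valid cookie is sufficient."""
    return cookies.get("session") in SESSIONS

def hardened_check(cookies: dict, headers: dict, form: dict) -> str:
    """Return "ok" or the reason a state-changing request is refused."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return "no session"
    # Browsers label cross-site POSTs with Origin (or Referer). A management
    # interface can afford to refuse requests that carry neither.
    parts = urlsplit(headers.get("Origin") or headers.get("Referer") or "")
    if f"{parts.scheme}://{parts.netloc}" != MGMT_ORIGIN:
        return "cross-origin request"
    # Another site cannot read the token out of the device's pages, so it
    # cannot supply it. Compare in constant time.
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(sid).encode()):
        return "bad csrf token"
    return "ok"

# Constructed requests. The browser attaches the same cookie to both.
COOKIES = {"session": "sid-1234"}
LEGIT = ({"Referer": MGMT_ORIGIN + "/admin/users"},
         {"csrf_token": csrf_token("sid-1234"), "new_user": "alice"})
CROSS_SITE = ({"Origin": "https://other-site.example"}, {"new_user": "x"})

if __name__ == "__main__":
    print("cookie-only accepts cross-site request:", cookie_only_check(COOKIES))
    print("hardened, cross-site:", hardened_check(COOKIES, *CROSS_SITE))
    print("hardened, device's own form:", hardened_check(COOKIES, *LEGIT))
```
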
[ Disclosure Timeline ]
06/13/2007: Vulnerability discovered
06/14/2007: eSoft emailed (to info@ and suggestions@; security@ bounces)
06/22/2007: eSoft emailed again (to pr@, sales@, support@)
07/03/2007: eSoft responds through media as having fixed it
07/10/2007: version 3.1.20070615 confirmed to be secure
07/11/2007: Calyptix releases advisory
[ Version Clarification ]
We originally tested the 3.1.20060921 firmware version and believed
it to be up-to-date, because it self-reported as being so when in
contact with their website. We have since discovered that this was
because the software update license (although not the hardware
license) had expired. We regret the error, but despite multiple offers
to talk with us about this, eSoft never responded directly. If they
had, we could have handled this in a more straightforward manner.
The single most curious claim is that we tested a "custom build."
This sounds nasty and nefarious, but the first firmware version
we tested was visible in Yahoo!'s archive of their support
website until very recently, and all versions we tested are visible
in the Internet Archive:
Yahoo! cache: http://labs.calyptix.com/images/esoft-yahoo.png
Archive of 3.1.20031001:
http://preview.tinyurl.com/ysocdc
(links to web.archive.org/web/20040105172943/esoft.custhelp.com/cgi-bin/esoft.cfg/php/enduser/std_alp.php?p_gridsort=faqs.updated:D&p_prod_lvl1=17 )
(screenshot at http://labs.calyptix.com/images/esoft-20031001.png )
Archive of 3.1.20060921:
http://preview.tinyurl.com/2psonk
(links to web.archive.org/web/20070308143458/http://knowplex.fusedsolutions.com/selfservice/esoft.cfm )
(screenshot at http://labs.calyptix.com/images/esoft-20060921.png )
[ Credit ]
Daniel Weber of Calyptix Security discovered and confirmed that this
vulnerability can be exploited.
[ Contact ]
You can contact Calyptix Security about this vulnerability by e-mailing
advisories2007@xxxxxxxxxxxx
[ Additional Information ]
Information about this generic class of attack, as well as information
on the bug in other vendors' products, is at
http://labs.calyptix.com/csrf-tracking.php
[ About Calyptix Security ]
Calyptix Security, founded in 2002, is located in Charlotte, North
Carolina. Our Unified Threat Management (UTM) product, the
AccessEnforcer (TM), is used by customers to protect their network
infrastructure from security threats and is the only security
appliance in the market that deploys DyVax (TM), our patent-pending
signatureless inspection engine. The AccessEnforcer provides our
customers all available gateway security features, including VPN,
Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
IM management, for a single price with no add-ons and no hidden
costs.
[ Legal Notice ]
Calyptix Security grants each recipient of this advisory permission
to redistribute this advisory in electronic or other written medium
without modification. This advisory may not be modified without the
express written consent of Calyptix Security. If the recipient
wishes to modify the advisory in any manner or redistribute the
contents of this advisory other than by way of an exact written or
electronic transmission hereof, please email
advisories2007@xxxxxxxxxxxx for such permission.
The information in this advisory is believed to be accurate at the
time of publication based upon currently available information. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to any information
in this advisory. None of the author, the publisher nor Calyptix
Security (nor any of their employees, affiliates or agents) accepts
or has any liability for any direct, indirect or consequential loss
or damage arising from the use of, or reliance on, any information
contained in this advisory.