Calyptix Security Advisory CX-2007-04
Cross-Site Request Forgery Attack Against Check Point Safe@Office
[ Overview ]
Multiple versions of Check Point's Safe@Office UTM device are
vulnerable to cross-site request forgery. The test firmware was
version 7.0.39x, the latest available for the Safe@Office model.
Cursory testing shows that prior version 5.0.82x was also
vulnerable. Other Check Point products were not tested.
This vulnerability allows an attacker to run commands on the web
interface if the attacker can get the Check Point user to view a
hostile web page while logged into his Check Point device. These
actions could include opening up remote access.
As a separate but exacerbating vulnerability, a logged-in user can
change the admin password without knowing the existing password.
Please note that this category of attack exists against many
products from many vendors. Calyptix Security is in the process of
contacting vendors with confirmed vulnerabilities and expects to be
releasing additional advisories.
[ Risk ]
Calyptix Security has classified this vulnerability as 'Medium Risk'.
This attack requires the attacker to know the URL that is used to
manage the device. While this could conceivably be hard to guess,
in practice many are given addresses at the start of RFC 1918
address spaces, such as 10.0.0.1 or 192.168.0.1. The attacker can
try several addresses simultaneously.
Furthermore, if the user has not changed from the default password,
the attacker does not need the user to have explicitly logged into
his Check Point for this attack to succeed.
[ Patch / Fix / Workaround ]
Check Point has released the Safe@Office firmware version Embedded
NGX 7.0.45 GA Release to resolve this issue. The release notes
for this firmware version can be found at:
Please be aware that many products have this vulnerability. Even if
you use devices besides Safe@Office, you are advised to follow these
steps to reduce your exposure.
1. Use web management in isolation. Each browser instance should
only connect to one device's web interface. Do not operate
multiple windows or tabs when managing a device.
As a suggested approach, you could use Firefox to browse the web
while using Internet Explorer to manage only your firewall. You
could also run your favorite browser inside of a virtual machine.
2. Log out of your web interface when not using it, and configure
its inactivity timeouts.
3. Update to the latest version of your product's software. CSRF
attacks have only recently gained popularity, so any device more
than a few years old is very likely to be vulnerable to them.
vulnerability. (Please note that there may still be ways of
social engineering or a poorly designed web interface.)
5. Operate your web management interface on a non-standard address
and/or port. (Please note that this is security through
obscurity, and although it may protect you from general attacks,
anyone targeting you will likely be able to figure out the
[ Analysis ]
Many web sites and web products use persistent authentication.
After the user logs in, all future requests are automatically
granted access. A common way of doing this is to give the browser a
cookie, which it automatically supplies with every request. The
server checks for the existence of this cookie on all important
A hostile web page can contain an invisible copy of the form that
the firewall's web interface uses to, for example, create a new
user. The form can be submitted without any action required on the
end user's part. The browser will make the submission,
automatically including the cookie. The server sees the cookie and
processes the request as if the end user made it naturally.
There are other methods of persistent authentication besides
cookies; some of these are also vulnerable to CSRF, others are not.
[ Disclosure Timeline ]
06/05/2007 Vulnerability discovered in version 5.0.82x
06/14/2007 Vulnerability confirmed in version 7.0.39x
06/14/2007 Check Point and SofaWare contacted
06/17/2007 Check Point responds, acknowledges, tells us of planned fix
06/26/2007 Check Point releases fix, SofaWare makes announcement
06/26/2007 Calyptix releases advisory
[ Credit ]
Daniel Weber of Calyptix Security discovered and confirmed that this
vulnerability can be exploited.
[ Contact ]
You can contact Calyptix Security about this vulnerability by e-mailing
[ About Calyptix Security ]
Calyptix Security, founded in 2002, is located in Charlotte, North
Carolina. Our Unified Threat Management (UTM) product, the
AccessEnforcer (TM), is used by customers to protect their network
infrastructure from security threats and is the only security
appliance in the market that deploys DyVax (TM), our patent-pending
signatureless inspection engine. The AccessEnforcer provides our
customers all available gateway security features, including VPN,
Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
IM management, for a single price with no add-ons and no hidden
[ Legal Notice ]
Calyptix Security grants each recipient of this advisory permission
to redistribute this advisory in electronic or other written medium
without modification. This advisory may not be modified without the
express written consent of Calyptix Security. If the recipient
wishes to modify the advisory in any manner or redistribute the
contents of this advisory other than by way of an exact written or
electronic transmission hereof, please email
firstname.lastname@example.org for such permission.
The information in this advisory is believed to be accurate at the
time of publication based upon currently available information. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to any information
in this advisory. None of the author, the publisher nor Calyptix
Security (nor any of their employees, affiliates or agents) accepts
or has any liability for any direct, indirect or consequential loss
or damage arising from the use of, or reliance on, any information
contained in this advisory.