SA46 : ProxyAV Cross Site Request Forgery vulnerability

1209

03 March 2020

22 October 2010

CLOSED

HIGH

CVSS v2: 9.3

SUMMARY

A remote attacker can use URL links and/or malicious scripts to execute ProxyAV commands if the administrator has an active session in the ProxyAV management console.

AFFECTED PRODUCTS

All ProxyAV products prior to 3.2.6.1 are vulnerable.

ProxyAV 3.2 - a fix is available in 3.2.6.1 or later versions.
ProxyAV 3.1 and earlier - please upgrade to a later version.

ISSUES

An attacker who lures a ProxyAV administrator to browse a malicious website can use Cross-Site Request Forgery (CSRF or XSRF) to submit commands to ProxyAV and gain control of the appliance.  Commands that the attacker can submit include changing the password, changing the policy, and restarting the appliance.

CVSS v2 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ProxyAV has implemented the following measures to provide better protection from CSRF attacks:

  • When changing the administrator password, the current password must be entered.
  • When disabling authentication, the current password must be entered.
  • All requests that modify or set configuration are submitted through POST.
  • The session timeout is enforced across all supported browsers (Internet Explorer version 6.0 and above and Firefox version 3.6 and above).
  • A logout option has been provided in the management console that will terminate the session.

MITIGATION

Customers can limit the impact of this vulnerability in these ways:

  • Ensure the session timeout value is set to a value greater than 0 to enforce automatic session expiration.  By default this value is set to 10 minutes.
  • Manage ProxyAV using a dedicated machine that does not connect to any other internal or external websites.
  • Use only supported browsers to access the management console.
  • When management tasks have been completed, log out of the session using the newly supplied logout option.
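The protective measures listed under ISSUES and the mitigation steps above, modelled as an added example (hypothetical code, not ProxyAV's implementation): the `Appliance` and `Session` names, the status codes and the request dict layout are assumptions, and `demo()` runs a constructed scenario showing a forged GET link, a forged POST that lacks the current password, the administrator's own change, and a request arriving after the idle timeout.

```python
# Hypothetical model of the CSRF hardening measures listed in this advisory; not ProxyAV's code.
import hmac
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    last_seen: float        # seconds since epoch, refreshed on each accepted request
    active: bool = True

@dataclass
class Appliance:
    admin_password: str = "initial"
    policy: str = "default"
    timeout_sec: int = 600  # advisory default of 10 minutes; 0 would disable expiry

    def _session_ok(self, s, now):
        if s.active and self.timeout_sec > 0 and now - s.last_seen > self.timeout_sec:
            s.active = False            # idle session expires automatically
        if s.active:
            s.last_seen = now
        return s.active

    def handle(self, s, method, action, form, now):
        """Return an HTTP-style status code for one management-console request."""
        if not self._session_ok(s, now):
            return 401                  # expired or logged-out session
        if action == "logout":
            s.active = False            # the explicit logout option
            return 200
        if method != "POST":
            return 405                  # configuration changes are never accepted from GET links
        if action == "change_password" and not hmac.compare_digest(
                form.get("current_password", "").encode(), self.admin_password.encode()):
            return 403                  # the current password must be re-entered
        if action == "change_password":
            self.admin_password = form["new_password"]
        elif action == "set_policy":
            self.policy = form["policy"]
        return 200                      # "restart" is accepted but does nothing in this model

def demo():
    # Constructed scenario: forged GET link, forged POST lacking the password, the admin's own change, idle timeout.
    box, s = Appliance(), Session("admin", last_seen=1000.0)
    forged_get = box.handle(s, "GET", "change_password", {"new_password": "x"}, 1010.0)
    forged_post = box.handle(s, "POST", "change_password", {"new_password": "x"}, 1020.0)
    real = box.handle(s, "POST", "change_password", {"current_password": "initial", "new_password": "x"}, 1030.0)
    stale = box.handle(s, "POST", "set_policy", {"policy": "p"}, 1030.0 + 601)
    return forged_get, forged_post, real, stale, box.admin_password, box.policy
```

Note that requiring POST on its own does not stop a forged cross-site form submission; it is the current-password re-entry, the timeout and the logout that bind the accepted request to the administrator, and a per-session anti-CSRF token or SameSite cookies are the usual way to close the remaining gap for actions such as policy changes.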

REFERENCES