CSRF Token Information Disclosure in MC
Summary
The Management Center (MC) web UI is susceptible to a CSRF token disclosure vulnerability. A remote attacker, who has access to an authenticated MC user's web browser history or a network device that intercepts/logs traffic to MC, can obtain CSRF tokens and use them to perform CSRF attacks against MC.
Affected Product(s)
| Management Center (MC) | ||
| CVE | Supported Version(s) | Remediation |
| CVE-2019-18376 | 2.2, 2.3 | Upgrade to later release with fixes. |
| 2.4 | Not vulnerable, fixed in 2.4.1.1. | |
Issue Details
| CVE-2019-18376 | |
| Severity / CVSS v3.0: | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
| References: | NVD: CVE-2019-18376 |
| Impact: | Information disclosure |
| Description: | A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated MC user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC. |
Mitigation & Additional Information
Leaked CSRF tokens are only valid for the duration of the user session they are issued for. They become invalid and can no longer be used after the user session terminates - the user logs out of the MC web UI, or the session expires due to inactivity. They default session inactivity timeout for the MC web UI is 30 minutes and is configurable through the web UI Administration --> Settings --> System Settings --> General --> Inactivity timeout (minutes) setting.
Acknowledgements
- CVE-2019-18376: Balazs Hambalko, IT Security Consultant
Revisions
2020-04-09 initial public release