CSRF Token Information Disclosure in MC

1751

27 April 2021

09 April 2020

CLOSED

Medium

5.9

Summary

The Management Center (MC) web UI is susceptible to a CSRF token disclosure vulnerability. A remote attacker, who has access to an authenticated MC user's web browser history or a network device that intercepts/logs traffic to MC, can obtain CSRF tokens and use them to perform CSRF attacks against MC.


Affected Product(s)

Management Center (MC)
CVE             Supported Version(s)   Remediation
CVE-2019-18376  2.2, 2.3               Upgrade to later release with fixes.
                2.4                    Not vulnerable, fixed in 2.4.1.1.


Issue Details

CVE-2019-18376
Severity / CVSS v3.0: Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2019-18376
Impact: Information disclosure
Description: A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated MC user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.


Mitigation & Additional Information

Leaked CSRF tokens are only valid for the duration of the user session they are issued for. They become invalid and can no longer be used after the user session terminates, that is, when the user logs out of the MC web UI or the session expires due to inactivity. The default session inactivity timeout for the MC web UI is 30 minutes and is configurable through the web UI Administration --> Settings --> System Settings --> General --> Inactivity timeout (minutes) setting.
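The following Python is an added illustration, not Management Center code, and makes no claim about how MC itself issues or checks tokens. It models a generic web application whose CSRF tokens are bound to a session that ends on logout or after the 30-minute inactivity timeout quoted above, so that a token captured from browser history or a proxy log stops working once the session is gone, and it adds a small scan over constructed access-log lines for tokens carried in URL query strings, the channel through which a token ends up in history and traffic logs in the first place. The class and function names, the log format and the sample paths are assumptions made for the example.

```python
"""Session-bound CSRF tokens with an inactivity timeout, plus a log scan.

Added example; not Management Center code. All names are assumptions.
"""
import re
import secrets
from dataclasses import dataclass

# MC default quoted in the advisory; configurable in the real product.
INACTIVITY_TIMEOUT_SECONDS = 30 * 60


@dataclass
class Session:
    user: str
    csrf_token: str
    last_activity: float   # epoch seconds of the last accepted request
    active: bool = True


class SessionStore:
    """Hypothetical server-side store: one CSRF token per login session."""

    def __init__(self, timeout=INACTIVITY_TIMEOUT_SECONDS):
        self.timeout = timeout
        self._sessions = {}  # session id -> Session

    def login(self, user, now):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(user, secrets.token_urlsafe(32), now)
        return sid

    def logout(self, sid):
        session = self._sessions.get(sid)
        if session is not None:
            session.active = False

    def csrf_token(self, sid):
        return self._sessions[sid].csrf_token

    def validate_csrf(self, sid, presented_token, now):
        """Accept a state-changing request only if the session is live, not
        idle-expired, and the presented token is the one bound to it."""
        session = self._sessions.get(sid)
        if session is None or not session.active:
            return False
        if now - session.last_activity > self.timeout:
            session.active = False          # idle expiry terminates the session
            return False
        if not secrets.compare_digest(session.csrf_token, presented_token):
            return False
        session.last_activity = now         # an accepted request counts as activity
        return True


# Constructed access-log lines (not real MC traffic). The second line carries
# a token in the query string, which is what lands in history and proxy logs.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [09/Apr/2020:10:00:00 +0000] "GET /app/dashboard HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Apr/2020:10:00:07 +0000] "GET /app/settings/save?id=42&csrf_token=AbC123xyz HTTP/1.1" 200 88',
    '10.0.0.5 - - [09/Apr/2020:10:00:09 +0000] "POST /app/settings/save HTTP/1.1" 200 88',
]

# Common query-parameter names used for CSRF tokens; extend for your application.
TOKEN_IN_QUERY = re.compile(r"[?&](?:csrf|_csrf|csrftoken|csrf_token|token)=([^&\s\"]+)", re.I)


def find_tokens_in_urls(log_lines):
    """Return the token values found in request URLs: each one is a value an
    observer of the log or of browser history could read."""
    return [m.group(1) for line in log_lines for m in TOKEN_IN_QUERY.finditer(line)]


def demo():
    """Replay a captured token during, after idle expiry of, and after logout
    of the session it belongs to; the victim's own session id is sent by the
    victim's browser, the token is the leaked value."""
    store = SessionStore()
    t0 = 1_586_426_400.0                     # constructed epoch timestamp
    sid = store.login("alice", t0)
    leaked = store.csrf_token(sid)           # value read from history or a log
    results = {}
    results["during_session"] = store.validate_csrf(sid, leaked, t0 + 60)
    results["wrong_token"] = store.validate_csrf(sid, "not-the-token", t0 + 61)
    results["after_idle_timeout"] = store.validate_csrf(
        sid, leaked, t0 + 61 + INACTIVITY_TIMEOUT_SECONDS + 1)
    sid2 = store.login("alice", t0)
    leaked2 = store.csrf_token(sid2)
    store.logout(sid2)
    results["after_logout"] = store.validate_csrf(sid2, leaked2, t0 + 5)
    return results


if __name__ == "__main__":
    print(demo())
    print("tokens in URLs:", find_tokens_in_urls(SAMPLE_ACCESS_LOG))
```

The scan is the part to reuse: running it over web-server or proxy logs shows whether an application places tokens where the advisory says they are exposed, and the session model shows why shortening the inactivity timeout and logging out narrow the window in which a captured token is useful.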


Acknowledgements

  • CVE-2019-18376: Balazs Hambalko, IT Security Consultant


Revisions

2020-04-09 initial public release