cPanel, Netgear and Linksys susceptible to nasty attack

Unholy trinity

Defcon If you use cPanel to administer your website or certain Linksys or Netgear devices to route traffic over your wireless network, you're susceptible to web-based attacks that could take complete control of your systems, two security researchers said Saturday.

All three wares contain CSRF, or cross-site request forgery, holes that can be exploited when the user does nothing more than surf to the wrong site. Web-application security experts Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org said they've alerted officials at all three companies to the weaknesses and so far all have failed to fix them.

"CSRF is bad stuff," Bailey told a standing-room-only audience at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means that we have these kinds of holes all over."

CSRF attacks are web-based sleights of hand that exploit the trust sensitive web-based services have in users who have previously logged in. Third-party websites under the control of a CSRF attack permit these users to take actions they never intended, such as executing online financial transactions or revealing passwords. Because the user is already logged in, no password is necessary.

The vulnerability in cPanel is triggered by luring a user to a malicious website while logged in to the program, which is one of the most widely used web-hosting applications. The attack is able to trick cPanel into carrying out sensitive commands by making it appear as if they came from the victim.

"If you logged in as root and you hit my website or you hit any website I control, I can do anything I want," Bailey said. "I can reset your root password, I can upgrade software, I can modify any setting I want. That's scary and that's bad."

Even more troubling, Bailey continued, was the reply he got when he notified cPanel officials of the bug. "The response I got from cPanel was we can't fix this because it's a feature. Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."

Representatives from cPanel, Netgear and Linksys weren't immediately available for comment. This article will be updated if they can be reached and provide a response.

The CSRF attacks also affect the WRT160N model router made by Linksys. If you happen to be logged in to its administration page and surf to the wrong site, it can be hijacked. A similar vulnerability affects Netgear's RP614v4, said McRee, who posted a video that shows an exploit in action. What's more, because router vendors use the same code base across their product lineups, it's likely additional models are vulnerable, he said.

The attacks are difficult to prevent. While the NoScript extension for Firefox blocks a significant number of web-based attacks, Bailey described a now-fixed vulnerability in ESPN.com that could have allowed customer profiles to be hijacked that he said the plugin was powerless to stop.

Defcon attendee and security researcher Justin Samuel said a Firefox extension called RequestPolicy blocks the vast majority of CSRF attacks, and while we have no reason to doubt that, we haven't had a chance to verify the claim.

A longer-term and more comprehensive fix may come in the form of a specification proposed by the Mozilla Foundation. It would allow banks, merchants and other organizations with sensitive websites to define certain security policies that would be carried out by the browser. For example, site developers could list an explicit set of domains allowed to issue JavaScript, so that code embedded in sites that aren't specifically white-listed would not be executed.

Other mitigation strategies that can help tame the CSRF (often pronounced "sea surf") menace include the use of CAPTCHAs and re-authentication scripts.
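To make concrete why a session cookie alone is not enough, and what the "re-authentication script" style of fix looks like in practice, here is an added example (not code from the article, cPanel, Linksys or Netgear) that simulates a password-reset endpoint twice: once authorising on the cookie alone, as the vulnerable products do, and once additionally requiring a per-session anti-CSRF token from the served page plus an Origin check. The host names and the in-memory session store are constructed for the demo.

```python
import hmac
import secrets

SITE_ORIGIN = "https://admin.example"   # constructed placeholder for the site's own origin
SESSIONS = {}                           # constructed in-memory session store: cookie value -> session dict


def login(user):
    """Create a session; returns the cookie value the browser will send on every request."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def reset_password_vulnerable(cookies, form, passwords):
    """Vulnerable pattern: the session cookie is the only proof the request is intended.
    A third-party page can make the browser submit this form with the cookie attached."""
    sess = SESSIONS.get(cookies.get("sid", ""))
    if sess is None:
        return False
    passwords[sess["user"]] = form["new_password"]
    return True


def reset_password_hardened(cookies, headers, form, passwords):
    """Hardened pattern: the same cookie check plus two things a foreign page cannot supply."""
    sess = SESSIONS.get(cookies.get("sid", ""))
    if sess is None:
        return False
    # 1. Token is embedded in the legitimate page, never in a cookie, so another origin
    #    cannot read it; constant-time compare avoids leaking it via timing.
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf_token"]):
        return False
    # 2. Browsers attach Origin to cross-site POSTs; anything not from our own origin is refused.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    passwords[sess["user"]] = form["new_password"]
    return True


def demo():
    """Run both handlers against a constructed cross-site request and a legitimate one."""
    passwords = {"root": "old-secret"}
    cookies = {"sid": login("root")}
    # Forged request: the browser adds the cookie, but the foreign page knows no token.
    forged_form, forged_headers = {"new_password": "attacker"}, {"Origin": "https://other.example"}
    vulnerable_accepted = reset_password_vulnerable(cookies, forged_form, passwords)
    hardened_rejected = not reset_password_hardened(cookies, forged_headers, forged_form, passwords)
    # Legitimate request: token read from the page served to the user, same origin.
    legit_form = {"new_password": "new-secret", "csrf_token": SESSIONS[cookies["sid"]]["csrf_token"]}
    legit_accepted = reset_password_hardened(cookies, {"Origin": SITE_ORIGIN}, legit_form, passwords)
    return {"vulnerable_accepted": vulnerable_accepted, "hardened_rejected_forged": hardened_rejected,
            "hardened_accepted_legit": legit_accepted, "final_password": passwords["root"]}
```

The same token check is what a "re-authentication script" enforces more heavily by also demanding the current password for sensitive actions; CAPTCHAs work on the same principle, requiring a value the forging page cannot obtain.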

Of course, the best defense is for vendors to fix their buggy products, but as the researchers reported, that doesn't always happen. ®

Update

cPanel has published this response on its website that says in part: "Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel’s products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified."

The company reminds users to protect themselves by taking the following measures:

  • Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
  • Avoid opening SPAM, websites, or clicking on links that you do not trust, especially URL shortening services found on many social media sites.
  • Update your current passwords within cPanel on a regular basis and maintain strong password discipline.
