cPanel, Netgear and Linksys susceptible to nasty attack

Unholy trinity

Defcon If you use cPanel to administer your website or certain Linksys or Netgear devices to route traffic over your wireless network, you're susceptible to web-based attacks that could take complete control of your systems, two security researchers said Saturday.

All three wares contain CSRF, or cross-site request forgery, holes that can be exploited when the user does nothing more than surf to the wrong site. Web-application security experts Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org said they've alerted officials at all three companies to the weaknesses and so far all have failed to fix them.

"CSRF is bad stuff," Bailey told a standing-room-only audience at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means that we have these kinds of holes all over."

CSRF attacks are web-based sleights of hand that exploit the trust sensitive web services place in users who have already logged in. A third-party website under the attacker's control makes the logged-in user's browser send requests the user never intended, such as executing online financial transactions or revealing passwords. Because the browser already carries the user's session, no password is necessary.

The vulnerability in cPanel is triggered by luring a user to a malicious website while logged in to the program, which is one of the most widely used web-hosting applications. The attack is able to trick cPanel into carrying out sensitive commands by making it appear as if they came from the victim.

"If you logged in as root and you hit my website or you hit any website I control, I can do anything I want," Bailey said. "I can reset your root password, I can upgrade software, I can modify any setting I want. That's scary and that's bad."

Even more troubling, Bailey continued, was the reply he got when he notified cPanel officials of the bug. "The response I got from cPanel was we can't fix this because it's a feature. Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."

Representatives from cPanel, Netgear and Linksys weren't immediately available for comment. This article will be updated if they can be reached and provide a response.

The CSRF attacks also affect the WRT160N model router made by Linksys. If you happen to be logged in to its administration page and surf to the wrong site, it can be hijacked. A similar vulnerability affects Netgear's RP614v4, said McRee, who posted a video that shows an exploit in action. What's more, because router vendors use the same code base across their product lineups, it's likely additional models are vulnerable, he said.

The attacks are difficult to prevent. While the NoScript extension for Firefox blocks a significant number of web-based attacks, Bailey described a now-fixed vulnerability in ESPN.com that could have allowed customer profiles to be hijacked that he said the plugin was powerless to stop.

Defcon attendee and security researcher Justin Samuel said a Firefox extension called RequestPolicy blocks the vast majority of CSRF attacks, and while we have no reason to doubt that, we haven't had a chance to verify the claim.

A longer-term and more comprehensive fix may come in the form of a specification proposed by the Mozilla foundation. It would allow banks, merchants and other organizations with sensitive websites to define certain security policies that would be enforced by the browser. For example, site developers could list an explicit set of domains allowed to issue JavaScript, so that code embedded in sites that aren't specifically white-listed would not be executed.

Other mitigation strategies that can help tame the CSRF (often pronounced "sea surf") menace include the use of CAPTCHAs and re-authentication scripts.
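To make the mechanics concrete, here is an added example (not code from cPanel, the vendors or the researchers) contrasting the weak server-side pattern the article describes, where any request carrying a valid session cookie is trusted, with a handler hardened by requiring POST, a same-origin Origin/Referer header and a per-session synchronizer token. The endpoint, origin, session store and request layout are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed demo: a stand-in for a control panel's "change root password" action.
# APP_ORIGIN, SESSIONS, ACCOUNT and the request dict layout are assumptions.
APP_ORIGIN = "https://panel.example.test"
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-abc": "root"}          # session cookie value -> logged-in user
ACCOUNT = {"root_password": "old-pass"}

def issue_csrf_token(session_id):
    """Synchronizer token: HMAC over the session id, unguessable by a third-party site."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def _origin_matches(headers):
    """Accept only requests whose Origin (or Referer) is the panel's own origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == APP_ORIGIN

def legacy_change_password(req):
    """Weak pattern: a valid session cookie is the only check, so a request the browser
    was tricked into sending from another site is treated as the user's own."""
    if SESSIONS.get(req["cookies"].get("session")) is None:
        return "rejected: not logged in"
    ACCOUNT["root_password"] = req["params"]["new_password"]
    return "ok"

def hardened_change_password(req):
    """Require POST, a same-origin header and a token that matches the session."""
    sid = req["cookies"].get("session")
    if SESSIONS.get(sid) is None:
        return "rejected: not logged in"
    if req["method"] != "POST":
        return "rejected: state change must be POST"
    if not _origin_matches(req["headers"]):
        return "rejected: cross-site origin"
    token = req["params"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(sid)):
        return "rejected: bad CSRF token"
    ACCOUNT["root_password"] = req["params"]["new_password"]
    return "ok"

def make_request(method, origin, params, with_token=False):
    """Constructed request; the browser attaches the session cookie regardless of origin."""
    if with_token:
        params = dict(params, csrf_token=issue_csrf_token("sess-abc"))
    return {"method": method, "headers": {"Origin": origin},
            "cookies": {"session": "sess-abc"}, "params": params}
```

Note that the Origin check alone is not sufficient on its own, since some browsers omit the header; the token check is the one that must always pass.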

Of course, the best defense is for vendors to fix their buggy products, but as the researchers reported, that doesn't always happen. ®

Update

cPanel has published this response on its website that says in part: "Security is a top priority for cPanel. In an upcoming update to cPanel, new technology will be provided to mitigate CSRF attacks against cPanel’s products. This new security feature is currently undergoing critical quality assurance testing and will be released once verified."

The company reminds users to protect themselves by taking the following measures:

  • Do not remain logged into any web applications or interfaces while browsing untrusted sites. Always completely log out of browser sessions for sensitive sites when activities have been completed.
  • Avoid opening spam or websites, or clicking on links, that you do not trust, especially URL-shortening services found on many social media sites.
  • Update your current passwords within cPanel on a regular basis and maintain strong password discipline.
