===================================================== Authenticated XSRF leads to complete Account Takeover ===================================================== . contents:: Table Of Content Overview ======== Title:- Authenticated XSRF leads to complete account takeover in all SYSTORME ISG Products. CVE ID:- CVE-2018-19525 Author: Kaustubh G. Padwad Vendor: Systrome Networks (http://systrome.com/about/) Products: 1.ISG-600C 2.ISG-600H 3.ISG-800W Tested Version: : ISG-V1.1-R2.1_TRUNK-20180914.bin(Respetive for others) Severity: High--Critical Advisory ID ============ KSA-Dev-002 About the Product: ================== Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the cloud-computing era. It integrates the L2-L7security features of the next-generation firewall, is based on the user identification and application identification and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides the cloud interface. The security cloud management platform based on the big data platform architecture can monitor the network topology and device status in real time, simplifying the online deployment of the professional device via the auto configuration delivery. The real-time monitoring of the mobile terminal reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome cloud gateway is the best access security choice of the middle and small enterprises, branch interconnection, and chain enterprises. Description: ============ An issue was discovered on Systrome ISG-600C,ISG-600H, and ISG-800W 1.1-R2.1_TRUNK-20180914.bin devices. There is CSRF via /ui/?g=obj_keywords_add and/ui/?g=obj_keywords_addsave with resultant XSS because of a lack of csrf token validation. Additional Information ====================== The web interface of the ISG-Firewalls does not validate the csrftoken,and the ?g=obj_keywords_add page does not properly sanitize the user input which leads to xss, By combining this two attack we can form the XSRF request which leads to complete account takeover using XSRF. [Vulnerability Type] ==================== Cross Site Request Forgery (CSRF) How to Reproduce: (POC): ========================
[Affected Component] obj_keywords_add ,obj_keywords_addsave, CSRF Vulnerabilities, ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Code execution] true ------------------------------------------ [Attack Vectors] once victim open the crafted url the device will get compromise Mitigation ========== vendr is working on the same he will submit the solution maybe by december 1st weak. Disclosure: =========== 02-Nov-2018 Discoverd the Vulnerability 15-Nov-2018 Reported to vendor 25-Nov-2018 Requested for CVE/Cve's. 26-Nov-2018 CVE-Assign [Vendor of Product] Systrome Networks (http://systrome.com/about/) credits: ======== * Kaustubh Padwad * Information Security Researcher * kingkaustubh@me.com * https://s3curityb3ast.github.io/ * https://twitter.com/s3curityb3ast * http://breakthesec.com * https://www.linkedin.com/in/kaustubhpadwad