Flaw threatens most SMB security devices

A flaw affecting eight vendors' Universal Threat Management (UTM) security appliances was identified by US-based security firm Calyptix last week.

Calyptix said the UTM devices are vulnerable to a Cross-Site Request Forgery (CSRF) attack, which means an attacker could gain control of the security device -- but only if the device administrator was tricked into simultaneously viewing a hostile Web page while logged into the device.

One of the affected devices is Check Point's Safe@Office, which on Friday was the only vendor to have issued a patch for the flaw. Calyptix would not release the names of other vendors until the organisations had released a patch for the flaw.

The vulnerability is a "serious threat", according to Ty Miller, chief technician at penetration-testing specialists, Pure Hacking.

"[It] allows an attacker to exploit an authenticated section of a Web application without them requiring authentic credentials," said Miller.

Industry analyst, James Turner of IBRS Consulting, said that while the vulnerability is serious, the risk of being attacked is low because only smaller organisations typically see the vulnerable devices and the vulnerability is difficult to exploit.

"I can imagine there are easier ways of achieving a result. Some large enterprises will have deployed UTMs at remote sites but really no large enterprise is going to be using UTMs.

Turner also believes there is "safety in numbers" because UTM use is widespread: "Statistically that reduces everyone's likelihood of being attacked, which is cold comfort for those that get attacked using this vector."

Calyptix advises users to disable JavaScript and warns against operating multiple tabs when managing a device. The company also recommends that the Web management interface should be run on a non-standard address. In addition, it warns that any device more than a few years old will likely be vulnerable to the flaw.