Security Appliance Vendors Blasé About CSRF Flaws
By Lisa Vaas | Posted 2007-07-03
News Analysis: Researchers say security appliance makers are being lax about fixing an arcane vulnerability.
Security appliance makers are shrugging off CSRF (cross-site request forgery) vulnerabilities in their products, products that sit at the crossroads of enterprise protection.
The vulnerable appliances, unified threat management products, "certainly are an important part of an enterprise's security," said Billy Hoffman, lead researcher for SPI Dynamics' SPI Labs, in Atlanta. "I'm kind of surprised [that appliance vendors have been dismissive of the CSRF flaws]. I'd be surprised if there were not people inside the [organizations] that are saying, 'We need to fix this.'"
On July 26, security firm Calyptix announced the CSRF flaws, which the company said it had found on eight vendors' UTM appliances. Check Point, one of the eight vendors, on the same day announced an update to multiple versions of its Safe@Office UTM device that had been vulnerable to the problem.
Of the seven other UTM vendors, reaction has been close to nil. Only one told eWEEK that the vulnerability had been addressed, and another told Calyptix that the vulnerability is being investigated. While their products remain vulnerable (or, at the least, until the vendors respond to eWEEK's queries as to whether they're investigating and can confirm or deny their products' vulnerability), Calyptix and eWEEK are refraining from naming the vendors, in the spirit of responsible disclosure.
One vendor whose spokesman said the vulnerability has been fixed, eSoft, was irked enough by Calyptix's claims to file a complaint against the company with CERT. "Not sure what [Calyptix is] up to, but they definitely did not do their homework," said the spokesman, in an e-mail exchange. "We complained to CERT, because [Calyptix] 'cried wolf' to CERT as well."
The spokesman said that eSoft has already fixed the CSRF vulnerability, although he told eWEEK he couldn't recall when.