Security Appliance Vendors Blasé About CSRF Flaws

By Lisa Vaas  |  Posted 2007-07-03

News Analysis: Researchers say security appliance makers are being lax about fixing an arcane vulnerability.

Security appliance makers are shrugging off CSRF (cross-site request forgery) vulnerabilities in their products—products that sit at the crossroads of enterprise protection.

The vulnerable appliances, unified threat management products, "certainly are an important part of an enterprise's security," said Billy Hoffman, lead researcher for SPI Dynamics' SPI Labs, in Atlanta. "I'm kind of surprised [that appliance vendors have been dismissive of the CSRF flaws]—I'd be surprised if there were not people inside the [organizations] that are saying, 'We need to fix this.'"

On July 26, security firm Calyptix announced the CSRF flaws, which the company said it had found on eight vendors' UTM appliances. Check Point, one of the eight vendors, on the same day announced an update to multiple versions of its Safe@Office UTM device that had been vulnerable to the problem.

Of the seven other UTM vendors, reaction has been close to nil. Only one told eWEEK that the vulnerability had been addressed, and another told Calyptix that the vulnerability is being investigated. While their products remain vulnerable—or, at the least, until the vendors respond to eWEEK's queries as to whether they're investigating and can confirm or deny their products' vulnerability—Calyptix and eWEEK are refraining from naming the vendors, in the spirit of responsible disclosure.

One vendor whose spokesman said the vulnerability has been fixed, eSoft, was irked enough by Calyptix's claims to file a complaint against the company with CERT. "Not sure what [Calyptix is] up to, but they definitely did not do their homework," said the spokesman, in an e-mail exchange. "We complained to CERT, because [Calyptix] 'cried wolf' to CERT as well."

The spokesman said that eSoft has already fixed the CSRF vulnerability, although he told eWEEK he couldn't recall when.


Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
