A bug has cropped up in security devices from Check Point and seven other vendors that could allow attackers to take control of the devices, according to Calyptix Security.
The vulnerability allows what's called a cross-site request forgery (CSRF) - a type of attack that has not received much attention to date, but which has been spotted in large websites such as Amazon.com, Digg.com and Google's AdSense.
Calyptix said the bugs affect eight devices, including Check Point's Safe@Office unified threat management (UTM) device. Check Point is so far the only vendor notified by Calyptix that has responded by issuing a patch for the bug, Calyptix said.
CSRF, also known as a one-click attack or session riding, is related to cross-site scripting (XSS), but unlike that attack doesn't require the attacker to inject unauthorised code into a site.
Rather, CSRF allows the attacker to pose as a trusted user of the website. For instance, a CSRF vulnerability in Amazon.com is said to allow the malicious site to pose as a known customer and purchase items through the site's One-Click feature.
Chris Shiflett, web application security lead at internet consulting firm OmniTI, which discovered the Amazon.com flaw, said it was still open a year after he informed Amazon about it.
Calyptix's discovery may force security professionals to pay more attention to CSRF. The bugs allow an attacker to run commands on the device's web interface if the attacker can get the user to view a hostile web page while logged into his device.
"These actions could include opening up remote access," Calyptix said in its advisory.
Calyptix noted that logged-in users can change the administration password on the Check Point device without knowing the existing password, adding to the damage that an attacker could cause via the CSRF bug.
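The attack the article describes works because a browser attaches the device's session cookie to any request aimed at the management URL, including a form a hostile page submits in the background, so a web interface that trusts the cookie alone cannot tell a cross-site request from a real click. The following is an added illustration, not code from the article, from Calyptix or from Check Point: it models a minimal "change admin password" handler in the vulnerable form beside a hardened one that adds the standard defences (a per-session synchronizer token, an Origin/Referer check, and a re-authentication step, which the article notes the device lacked). The session store, the Request type, the handler names and the allowed-origin list are all assumptions; the two management addresses come from the quoted advisory.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed in-memory session store: cookie value -> session record (assumption).
@dataclass
class Session:
    user: str
    # Per-session secret; a cross-site page cannot read it, so it cannot forge it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

SESSIONS: Dict[str, Session] = {}

@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumption, not a real framework type)."""
    method: str
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)

def login(user: str) -> str:
    """Issue a session cookie and a fresh CSRF token for that session."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(user=user)
    return cookie

def current_session(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("session", ""))

def change_password_vulnerable(req: Request, device: Dict[str, str]) -> int:
    """Trusts the session cookie alone: a cross-site POST carries the cookie too."""
    sess = current_session(req)
    if req.method != "POST" or sess is None:
        return 403
    device["admin_password"] = req.form["new_password"]
    return 200

# Management origins the device answers on (addresses quoted in the advisory; HTTPS assumed).
ALLOWED_ORIGINS = {"https://10.0.0.1", "https://192.168.0.1"}

def change_password_hardened(req: Request, device: Dict[str, str]) -> int:
    """Same operation with CSRF defences and re-authentication."""
    sess = current_session(req)
    if req.method != "POST" or sess is None:
        return 403
    # Origin check: a form submitted from another site arrives with that site's origin.
    # A missing header is treated as a failure (strict policy; see note below).
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return 403
    p = urlparse(origin)
    if f"{p.scheme}://{p.netloc}" not in ALLOWED_ORIGINS:
        return 403
    # Synchronizer token: the form must echo the per-session secret; compare in constant time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
        return 403
    # Re-authentication: sensitive changes require the current password.
    if not hmac.compare_digest(req.form.get("current_password", ""), device["admin_password"]):
        return 403
    device["admin_password"] = req.form["new_password"]
    return 200

def demo() -> Tuple[int, str, int, int, str]:
    """Run both handlers against a simulated cross-site POST and a legitimate POST."""
    cookie = login("admin")
    token = SESSIONS[cookie].csrf_token
    # Simulated cross-site submission: the browser attaches the cookie automatically,
    # but the form has no token and the Origin is the other site's (constructed value).
    cross_site = Request("POST", {"session": cookie}, {"new_password": "changed"},
                         {"Origin": "https://other-site.example"})
    # Legitimate submission from the device's own management page.
    legit = Request("POST", {"session": cookie},
                    {"csrf_token": token, "current_password": "admin", "new_password": "n3w"},
                    {"Origin": "https://10.0.0.1"})

    vuln_device = {"admin_password": "admin"}
    vuln_status = change_password_vulnerable(cross_site, vuln_device)

    hard_device = {"admin_password": "admin"}
    hard_cross = change_password_hardened(cross_site, hard_device)
    hard_legit = change_password_hardened(legit, hard_device)
    return (vuln_status, vuln_device["admin_password"],
            hard_cross, hard_legit, hard_device["admin_password"])

if __name__ == "__main__":
    print(demo())  # (200, 'changed', 403, 200, 'n3w')
```

The token is the primary control; the Origin/Referer check is defence in depth, and rejecting requests that carry neither header is a deliberate strict choice that can break some older clients and proxies that strip Referer. Re-authentication on password changes is what closes the additional gap the advisory points out: even if a forged request slipped through, it would still fail without the current password.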
The bug affected the most recent version of the Check Point UTM, but earlier versions might also be affected, Calyptix said.
A factor making the bug somewhat less dangerous is that the attacker must know the URL used to manage the device.
"While this could conceivably be hard to guess, in practice many are given addresses at the start of RFC 1918 address spaces, such as 10.0.0.1 or 192.168.0.1," the company noted. "The attacker can try several addresses simultaneously."
If the user has not changed the device from its default password, the attacker does not need the user to have "explicitly" logged into the Check Point device for the attack to succeed, Calyptix said.