NN-2020:2-01

Cross-site request forgery attack on change password form

Last update: 2024-05-20

Advisory ID: NN-2020:2-01
Topic: Cross-site request forgery attack on change password form
CWE Impact: CWE-352: Cross-Site Request Forgery (CSRF)
Issue date: 2020-05-26
Affects: Guardian, CMC between v19.0.4 and v20.0.3
CVE Name(s): NA
CVSS Details: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
              CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.6 (CVSS v4.0)
            8.8 (CVSS v3.1)
CVE Risk Level: High (CVSS v4.0)
                High (CVSS v3.1)
Risk Level for Nozomi customers: Medium

Summary

The change password form does not validate the CSRF token properly.

Impact

An attacker can force the victim's browser to submit a change password request without the victim's knowledge. To complete this attack the victim must be logged in to the Guardian/CMC and visit a specially prepared page containing the forged change password request. The change password request is written to the internal Guardian/CMC audit log and the victim's session is terminated. The attacker must be able to reach the Guardian/CMC over the network to log in to the system after a successful attack. Guardian/CMC starting from v19.0.4 are affected; versions before v19.0.4 are NOT affected.
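As an added illustration (not Guardian/CMC code), a minimal Python change-password handler showing the session-bound synchronizer-token check the summary says was missing, together with the audit-log entry and session termination described above; the current-password re-check is an extra hardening assumed here, not something the advisory states.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session synchronizer token, rendered into the change-password form as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class PasswordService:
    """Hypothetical change-password endpoint (example code, not the product's own)."""

    def __init__(self):
        self.passwords = {}   # user -> password (plaintext only to keep the demo short)
        self.sessions = {}    # session id (cookie value) -> Session
        self.audit_log = []   # the advisory notes the request is written to an audit log

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def change_password(self, sid, form):
        """sid comes from the cookie the browser attaches automatically; form is the POST body."""
        session = self.sessions.get(sid)
        if session is None:
            return "unauthenticated"
        # The cookie alone proves nothing about who built the request: a cross-site page can
        # trigger the POST, but it cannot read the token bound to the victim's session.
        # compare_digest is constant-time; a missing or empty field fails closed.
        submitted = str(form.get("csrf_token", "")).encode()
        if not hmac.compare_digest(submitted, session.csrf_token.encode()):
            self.audit_log.append(f"{session.user}: change rejected, bad CSRF token")
            return "csrf_rejected"
        # Defence in depth (assumed here, not stated in the advisory): require the current
        # password, which a forged request would also have to know.
        if form.get("current_password") != self.passwords[session.user]:
            self.audit_log.append(f"{session.user}: change rejected, wrong current password")
            return "reauth_failed"
        self.passwords[session.user] = form["new_password"]
        self.audit_log.append(f"{session.user}: password changed")
        # Terminate every session of the user, as the advisory describes.
        for stale in [k for k, v in self.sessions.items() if v.user == session.user]:
            del self.sessions[stale]
        return "changed"
```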

Affected Products

Guardian, CMC between v19.0.4 and v20.0.3

Workarounds and Mitigations

Users should always pay attention to phishing emails and untrusted links.

Solutions

v19 series: Upgrade to v19.0.11
v20 series: Upgrade to v20.0.3

Modification History

2020-05-26: Initial revision
2023-09-04: Minor updates to format and metadata to improve the CSAF implementation
2023-11-13: Migrated to CSAF VEX format
2023-11-16: CSAF vers improvements
2024-05-20: Added CVSS v4.0 scoring where applicable

Related Links

Acknowledgements

We thank the following parties for their efforts:

  • Schneider Electric Industry Services for finding this bug

Contact

Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details on the PSIRT page.