CVE-2011-5284

Source: cve@mitre.org

MEDIUM
6.8
Published: December 31, 2014 at 10:59 PM
Modified: April 12, 2025 at 10:46 AM

Vulnerability Description

Cross-site request forgery (CSRF) vulnerability in the web management interface in httpd/cgi-bin/shutdown.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to hijack the authentication of administrators for requests that perform a reboot via a request to cgi-bin/shutdown.cgi.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Smoothwall Express 3.1 and earlier is vulnerable to a Cross-Site Request Forgery (CSRF) attack, allowing attackers to remotely reboot the system by tricking an authenticated administrator into clicking a malicious link. This vulnerability could lead to denial-of-service (DoS) and potential system compromise if the reboot is followed by other attacks. Successful exploitation requires an administrator to be logged into the Smoothwall web interface and to click a crafted link.

02 // Vulnerability Mechanism

Step 1: Victim Authentication: An administrator is logged into the Smoothwall Express web management interface.

Step 2: Attacker Crafting: The attacker crafts a malicious HTML page, email, or other delivery method containing a request to cgi-bin/shutdown.cgi to reboot the system. This request can be embedded in an <img> tag, a hidden form, or a link.

Step 3: Victim Interaction: The administrator, while still logged in, visits the attacker's page, clicks the crafted link, or opens the email.

Step 4: Request Execution: The administrator's browser, already authenticated to Smoothwall, sends the reboot request to cgi-bin/shutdown.cgi.

Step 5: Exploitation: The shutdown.cgi script, lacking CSRF protection, processes the request and initiates a system reboot.

Step 6: Denial of Service: The system reboots, causing a temporary denial of service. Subsequent attacks could be launched after the reboot.

03 // Deep Technical Analysis

The vulnerability stems from a lack of CSRF protection in the shutdown.cgi script. The script, responsible for initiating a system reboot, doesn't validate the origin of the request. An attacker can craft a malicious HTML page or email containing an <img> tag or a hidden form that, when loaded or submitted by an authenticated administrator, triggers the reboot function. The absence of a CSRF token or any other mechanism to verify the request's authenticity allows the attacker to execute arbitrary actions on behalf of the administrator. The root cause is a missing security check in the shutdown.cgi script, specifically the lack of validation of the request's origin and the absence of a unique, per-session token to prevent unauthorized requests. This allows an attacker to control the system's reboot functionality.

04 // Exploitation Status

Public PoC is likely available. The vulnerability is relatively simple to exploit, and the impact is significant (DoS). While the original publication date is old, the vulnerability remains relevant if unpatched instances exist. The ease of exploitation makes it a potential target for automated scanning and exploitation tools.

05 // Threat Intelligence

While no specific APTs are directly linked to this CVE, the ease of exploitation and the potential for DoS make it attractive to various threat actors. This vulnerability could be leveraged as part of a larger attack chain. This CVE is not listed on the CISA KEV list.

06 // Detection & Hunting

  • Monitor web server logs for requests to cgi-bin/shutdown.cgi from unexpected sources or with unusual user-agent strings.

  • Analyze network traffic for HTTP requests to cgi-bin/shutdown.cgi that carry a cross-site Referer or Origin header, or none at all; since the script itself performs no token or origin validation, this check has to be done at the network or log layer.

  • Implement intrusion detection system (IDS) rules to flag suspicious activity related to cgi-bin/shutdown.cgi.

  • Monitor for system reboots outside of scheduled maintenance windows.
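The first two hunting items above can be turned into a small log-review script. The following is an added example, not code from the CVE record or from the Smoothwall project: it parses combined-format access log lines, picks out requests to `/cgi-bin/shutdown.cgi`, and flags those whose Referer is missing or points at a host other than the management interface. The log lines, the interface hostnames and the path are constructed for the demonstration.

```python
"""
Added example (not from the CVE record or Smoothwall): hunt for cross-origin
requests to cgi-bin/shutdown.cgi in combined-format web server access logs.
The log lines below are constructed; the interface hostnames are assumed.
"""
import re
from urllib.parse import urlsplit

# Hostnames/IPs on which the Smoothwall web UI is legitimately served (assumed).
TRUSTED_HOSTS = {"fw.example.internal", "10.0.0.1"}
TARGET_PATH = "/cgi-bin/shutdown.cgi"

# Apache/nginx "combined" format:
#   ip - user [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one normal page load, one legitimate reboot submitted from
# the UI itself, one reboot triggered from a foreign page, one with no Referer.
SAMPLE_LOG = """\
10.0.0.50 - admin [12/Mar/2024:09:14:02 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.50 - admin [12/Mar/2024:09:15:10 +0000] "POST /cgi-bin/shutdown.cgi HTTP/1.1" 200 312 "https://fw.example.internal/cgi-bin/shutdown.cgi" "Mozilla/5.0"
10.0.0.50 - admin [12/Mar/2024:11:02:44 +0000] "GET /cgi-bin/shutdown.cgi HTTP/1.1" 200 312 "http://evil.example.net/news.html" "Mozilla/5.0"
10.0.0.50 - admin [12/Mar/2024:11:03:01 +0000] "POST /cgi-bin/shutdown.cgi HTTP/1.1" 200 312 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from a Referer value; None when the field is absent ('-') or empty."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def classify(entry):
    """Label a shutdown.cgi request as 'cross-origin' or 'no-referer'; None if benign or unrelated."""
    if urlsplit(entry["path"]).path != TARGET_PATH:
        return None
    host = referer_host(entry["referer"])
    if host is None:
        # A missing Referer is not proof of CSRF (Referrer-Policy or tools like curl
        # also strip it), but a reboot request with no provenance deserves review.
        return "no-referer"
    if host not in TRUSTED_HOSTS:
        return "cross-origin"
    return None


def hunt(log_text):
    """Return (timestamp, client ip, method, referer, user-agent, label) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ts"], entry["ip"], entry["method"],
                             entry["referer"], entry["ua"], label))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The legitimate reboot in the sample is not flagged because its Referer is the interface itself; the two findings are the request arriving from a foreign page and the one with no Referer at all. Correlate the timestamps with the fourth bullet (reboots outside maintenance windows) to confirm which of them actually took the firewall down.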

07 // Remediation & Hardening

  • Upgrade to Smoothwall Express 3.2 or later, which likely includes a fix for this vulnerability.

  • Implement a web application firewall (WAF) to filter malicious requests to cgi-bin/shutdown.cgi.

  • Apply the vendor's security patch or workaround if available.

  • Implement CSRF protection in the shutdown.cgi script, such as using a unique, per-session token.

  • Disable or restrict access to the web management interface from untrusted networks.

  • Educate administrators about the dangers of clicking on suspicious links or opening attachments from unknown senders.
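To make the fourth bullet concrete, here is an added example of what a per-session CSRF token check looks like, modelled in Python rather than in Smoothwall's own Perl CGI; it is not the project's code or its actual fix. The unprotected handler mirrors the behaviour the advisory describes (any authenticated request reboots, GET included); the hardened one requires POST, checks the Origin/Referer against the interface host, and compares a per-session token in constant time. The session and request structures and the hostname are assumptions made for the demonstration.

```python
"""
Added example (not Smoothwall's code): a reboot handler before and after
adding CSRF protection. Session store, request shape and hostnames are assumed.
"""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"fw.example.internal"}   # hostname(s) the UI is served on (assumed)
REBOOT_LOG = []                           # stands in for actually invoking a reboot


@dataclass
class Session:
    """An authenticated admin session; the CSRF token is minted once per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """The parts of an HTTP request the handler looks at."""
    method: str
    session: Optional[Session]
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def vulnerable_shutdown(req):
    """Before: the session cookie alone authorises the reboot, so a forged
    cross-site request from the admin's browser succeeds."""
    if req.session is None:
        return 401
    REBOOT_LOG.append(req.session.user)
    return 200


def _source_host(req):
    """Hostname from Origin (preferred) or Referer; None when neither is present."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    return urlsplit(src).hostname if src else None


def hardened_shutdown(req):
    """After: POST only, same-origin check, then a per-session token that a
    foreign page cannot read and therefore cannot supply."""
    if req.session is None:
        return 401
    if req.method != "POST":
        return 405
    if _source_host(req) not in TRUSTED_HOSTS:
        return 403
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, req.session.csrf_token.encode()):
        return 403
    REBOOT_LOG.append(req.session.user)
    return 200


def render_reboot_form(session):
    """The legitimate page embeds the session's token in the form it serves."""
    token = html.escape(session.csrf_token, quote=True)
    return ('<form method="POST" action="/cgi-bin/shutdown.cgi">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<button>Reboot</button></form>')


if __name__ == "__main__":
    admin = Session("admin")
    print(render_reboot_form(admin))
    legit = Request("POST", admin, {"csrf_token": admin.csrf_token},
                    {"Origin": "https://fw.example.internal"})
    print("legitimate reboot:", hardened_shutdown(legit))
```

The origin check and the token check are deliberately both present: the token is the actual protection, while the Origin/Referer comparison gives a cheap first rejection and a log line that identifies where a forged request came from. Note that the token must be tied to the session and compared with `hmac.compare_digest`, not `==`, so that a wrong guess leaks nothing about the correct value.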

08 // Affected Products

Smoothwall Express 3.0 SP3 and earlier
Smoothwall Express 3.1