Source: cve@mitre.org
Multiple cross-site request forgery (CSRF) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to hijack the authentication of administrators for requests that change the (1) admin or (2) dial password via a request to httpd/cgi-bin/changepw.cgi.
Smoothwall Express 3.1 and 3.0 SP3 are vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing a remote attacker to ride a logged-in administrator's session and change the admin or dial password without the administrator's intent. Successful exploitation lets the attacker set the administrator's password to a value of their choosing, granting unauthorized access to and control over the firewall. This can lead to complete system compromise and data exfiltration.
Step 1: Victim Login: The administrator logs into the Smoothwall Express web interface.
Step 2: Attacker Crafting: The attacker crafts a malicious HTML page or email containing a hidden form or JavaScript code.
Step 3: Payload Delivery: The attacker lures the administrator to visit the malicious page or open the malicious email. This can be achieved through phishing, social engineering, or drive-by downloads.
Step 4: Request Execution: The malicious HTML/JavaScript automatically submits a request to httpd/cgi-bin/changepw.cgi with the desired password change parameters. The request is sent with the administrator's existing session cookies.
Step 5: Password Change: Because the changepw.cgi script lacks CSRF protection, the request is processed, and the administrator's password (or dial-up password) is changed to the attacker's specified value.
Step 6: Account Takeover: The attacker now has the new password and can log in as the administrator, gaining full control of the Smoothwall Express firewall.
The vulnerability stems from a lack of CSRF protection in the changepw.cgi script, which handles password changes for both the admin and dial-up accounts. The script does not verify that a request was issued from its own web interface: there is no per-session CSRF token and no Origin or Referer check, so a request forged by another site and submitted by a logged-in administrator's browser carries the administrator's session cookies and is processed exactly like a legitimate password change.
While no specific APTs are definitively linked to this CVE, the ease of exploitation and the potential impact (complete firewall compromise) make it attractive to various threat actors. This vulnerability could be leveraged by attackers for initial access, lateral movement, or data exfiltration. CISA KEV status: Not Listed
Monitor web server logs for POST requests to httpd/cgi-bin/changepw.cgi from unexpected source addresses or with unusual user agents. Because a forged request is issued by the administrator's own browser, these fields often look normal, so correlate them with the Referer header as well.
Analyze network traffic for POST requests to httpd/cgi-bin/changepw.cgi whose Referer or Origin header is absent or does not point at the Smoothwall Express web interface itself.
Implement intrusion detection systems (IDS) with rules specifically designed to detect CSRF attacks targeting the changepw.cgi script.
Monitor for changes to administrator accounts, including password resets and account modifications.
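As an added example (not part of this advisory or of the Smoothwall project), the log check described above run over constructed Apache combined-format lines: it flags POSTs to changepw.cgi whose Referer is missing or names a host other than the firewall's own web UI, treating a missing Referer as a weaker signal than a foreign one. The UI host 10.0.0.1:441, the user names and the log lines are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format. The first is a
# legitimate change made from inside the UI; the second and third are what a
# cross-site submission usually looks like (foreign Referer, or none at all).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/May/2016:10:01:02 +0000] "POST /cgi-bin/changepw.cgi HTTP/1.1" 200 512 "https://10.0.0.1:441/cgi-bin/changepw.cgi" "Mozilla/5.0"
10.0.0.5 - admin [12/May/2016:10:05:44 +0000] "POST /cgi-bin/changepw.cgi HTTP/1.1" 200 512 "http://lure.example/page.html" "Mozilla/5.0"
10.0.0.5 - admin [12/May/2016:10:06:10 +0000] "POST /cgi-bin/changepw.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/May/2016:10:07:00 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 1024 "https://10.0.0.1:441/" "Mozilla/5.0"
"""

# Assumed host[:port] values under which administrators reach the web UI.
UI_HOSTS = {"10.0.0.1:441"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify_referer(referer, ui_hosts):
    """Return 'in-ui', 'foreign' or 'missing' for a logged Referer value."""
    if referer in ("", "-"):
        # Browsers strip Referer under some policies, so this is a weaker signal.
        return "missing"
    host = urlsplit(referer).netloc.lower()
    return "in-ui" if host in {h.lower() for h in ui_hosts} else "foreign"

def find_suspect_password_changes(log_text, ui_hosts=UI_HOSTS):
    """Flag POSTs to changepw.cgi whose Referer is not the firewall's own UI."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/changepw.cgi"):
            continue
        verdict = classify_referer(m["referer"], ui_hosts)
        if verdict != "in-ui":
            findings.append({"ts": m["ts"], "src": m["ip"], "user": m["user"],
                             "status": int(m["status"]), "referer": m["referer"],
                             "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in find_suspect_password_changes(SAMPLE_LOG):
        print(f"{f['ts']} src={f['src']} user={f['user']} status={f['status']} "
              f"referer={f['referer']!r} -> {f['verdict']}")
```

A 'foreign' verdict on a successful (2xx) POST is the strongest indicator and should be correlated with the account-change monitoring above; 'missing' verdicts need a baseline, since some browsers and proxies strip Referer routinely.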
Upgrade to a patched version of Smoothwall Express that addresses the CSRF vulnerability, if one is available.
Implement CSRF protection mechanisms in the changepw.cgi script. This includes using CSRF tokens, verifying the origin of requests, and implementing other security best practices.
Disable or restrict access to the Smoothwall Express web interface from untrusted networks.
Implement multi-factor authentication (MFA) for administrator accounts to mitigate the impact of a compromised password.
Regularly review and audit Smoothwall Express configuration and user accounts.
Consider using a Web Application Firewall (WAF) to filter malicious requests.