TID-322: Cross Site Request Forgery (CSRF)
Threat Description
If a threat actor can include malicious JavaScript within a page viewed by a legitimate device user, that script can send malicious authenticated HTTP requests (using XMLHttpRequest) to the device. Due to the Same Origin Policy defined by most web browsers, the HTTP requests sent to the device will include any valid session tokens the user/browser has previously established for that device. Therefore, this could be used to send malicious requests to a device to change key functions or configurations, including changing device credentials. This requires that the threat actor trick the user into viewing another page while they have an authenticated session with the device.
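The following is an added example (not part of the original threat entry) of how a device web interface can reject the forged requests described above: it refuses state changes over GET, checks that the Origin (or Referer) header is the device's own address, and requires a per-session synchronizer token. All names (DEVICE_ORIGINS, SESSIONS, handle_set_dns) and the in-memory session store are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed device web handler (hypothetical). A state-changing request such as
# a DNS or credential change must be a POST, must come from the device's own
# origin, and must carry the CSRF token bound to the caller's session.
DEVICE_ORIGINS = {"https://192.168.1.1", "http://192.168.1.1"}
SESSIONS = {}  # session_id -> csrf token (constructed in-memory store)


def new_session():
    """Create a session cookie value and the CSRF token tied to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def is_csrf_safe(method, headers, cookies, form):
    """Return (ok, reason) for a request that would change device state."""
    # 1. Never mutate state on GET: a cross-site <img src=...> or link is a GET
    #    that the browser sends with the device's cookies attached.
    if method != "POST":
        return False, "state change via GET"
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return False, "no session"
    # 2. Origin (falling back to Referer) must be the device itself; a page on
    #    another site cannot forge these headers from a browser.
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        u = urlsplit(headers["Referer"])
        origin = f"{u.scheme}://{u.netloc}"
    if origin not in DEVICE_ORIGINS:
        return False, "cross-site origin"
    # 3. The token in the body must match the session's token. A cross-site
    #    page cannot read it, so a forged request cannot supply it.
    if not hmac.compare_digest(form.get("csrf", ""), SESSIONS[sid]):
        return False, "bad token"
    return True, "ok"


def handle_set_dns(method, headers, cookies, form):
    """Apply a DNS change only when the request passes all CSRF checks."""
    ok, reason = is_csrf_safe(method, headers, cookies, form)
    if not ok:
        return 403, reason
    return 200, f"dns set to {form['dns']}"
```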
Threat Maturity and Evidence
Observed Adversarial Technique
Router Exploit Kits: An overview of RouterCSRF attacks and DNS hijacking in Brazil
“From February 1 until March 30, 2019, Avast’s Web Shield blocked more than 4.6 million cross-site request forgery (CSRF) web-based attacks in Brazil, attempting to silently modify DNS settings on routers.”
Web-based attack targeting home routers, the Brazilian way
“We spotted an interesting attack from Brazilian bad guys aiming to change the DNS settings of home routers by using a web-based attack, some social engineering, and malicious websites. In these attacks the malicious DNS servers configured in the user’s network device are pointed towards phishing pages of Brazilian Banks, programmed to steal financial credentials.”
CWE
CWE-352: Cross-Site Request Forgery (CSRF) (Compound)
“The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.”
CVE
XZERES 442SR Wind Turbine CSRF Vulnerability - CVE-2015-3950
“The 442SR OS recognizes both the POST and GET methods for data input. By using the GET method, an attacker may retrieve the ID from the browser and will allow the default user ID to be changed. The default user has admin rights to the entire system.”
Fox DataDiode Proxy Server CSRF Vulnerability - CVE-2014-2358
“The administrative web interface of the Fox DataDiode proxy server is vulnerable to CSRF. By changing the configuration, the attacker can effectively disrupt the flow of information through the Fox DataDiode, resulting in a DoS.”
Siemens SIMATIC S7-1200 CSRF Vulnerability - CVE-2015-5698
“The integrated web server (Port 80/TCP and Port 443/TCP) of the affected programmable logic controllers (PLCs) could allow remote attackers to perform actions with the permissions of a victim user, provided the victim user has an active session and is induced to trigger the malicious request.”
Schneider Electric ION Power Meter CSRF Vulnerability
“NCCIC/ICS-CERT is aware of a public report of a cross site request forgery (CSRF) vulnerability with proof-of-concept (PoC) exploit code affecting Schneider Electric’s ION Power Meter products. According to this report, exploitation of this vulnerability can allow unauthorized actions on the device, such as configuration parameter changes and saving modified configuration.”
NetComm Wireless 4G LTE Light Industrial M2M Router - CVE-2018-14783
“A cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.”