Symantec Security Response, SMNTC-1751
Published: Apr 09, 2020 - 9:15 p.m.

CSRF Token Information Disclosure in MC

EPSS: 0.001 (Low), percentile 34.0%

Summary

The Management Center (MC) web UI is susceptible to a CSRF token disclosure vulnerability. A remote attacker, who has access to an authenticated MC user’s web browser history or a network device that intercepts/logs traffic to MC, can obtain CSRF tokens and use them to perform CSRF attacks against MC.


Affected Product(s)

Management Center (MC)

CVE            | Supported Version(s) | Remediation
CVE-2019-18376 | 2.2, 2.3             | Upgrade to later release with fixes.
               | 2.4                  | Not vulnerable, fixed in 2.4.1.1.

Issue Details

CVE-2019-18376

Severity / CVSS v3.0: Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2019-18376
Impact: Information disclosure
Description: A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated MC user’s web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC.

Mitigation & Additional Information

Leaked CSRF tokens are only valid for the duration of the user session they were issued for. They become invalid and can no longer be used once that session terminates, that is, when the user logs out of the MC web UI or the session expires due to inactivity. The default session inactivity timeout for the MC web UI is 30 minutes and is configurable through the web UI Administration –> Settings –> System Settings –> General –> Inactivity timeout (minutes) setting.
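To make the mitigation concrete, here is an added example (not MC's code) of a session-bound CSRF token store in Python: tokens are issued per login, compared in constant time, and discarded when the user logs out or the session passes the 30-minute inactivity timeout, so a token copied from a browser history or proxy log stops working as soon as its session ends. The SessionStore class, its injectable clock and the demo() timeline are assumptions made for illustration.

```python
import hmac
import secrets
import time

INACTIVITY_TIMEOUT = 30 * 60  # seconds; the advisory's default of 30 minutes

class SessionStore:
    """Per-session CSRF tokens that live and die with the session (illustrative, not MC code)."""
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable clock so the timeout can be exercised offline
        self.sessions = {}  # session_id -> {"csrf": token, "last_seen": timestamp}

    def login(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"csrf": secrets.token_urlsafe(32), "last_seen": self.clock()}
        return sid, self.sessions[sid]["csrf"]

    def logout(self, sid):
        # Dropping the session also discards its CSRF token, so a leaked copy is useless.
        self.sessions.pop(sid, None)

    def _live_session(self, sid):
        s = self.sessions.get(sid)
        if s is not None and self.clock() - s["last_seen"] > INACTIVITY_TIMEOUT:
            del self.sessions[sid]  # idle too long: expire the session and its token
            s = None
        if s is not None:
            s["last_seen"] = self.clock()  # any valid request counts as activity
        return s

    def validate_csrf(self, sid, presented_token):
        """True only if the session is still alive and the token matches (constant-time)."""
        s = self._live_session(sid)
        return s is not None and hmac.compare_digest(s["csrf"], presented_token)

def demo():
    # Replay a "leaked" token along a constructed timeline; returns a dict of outcomes.
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    sid, leaked = store.login()  # suppose this token was copied from a history or proxy log
    results = {"during_session": store.validate_csrf(sid, leaked)}
    now[0] += 10 * 60  # 10 idle minutes: inside the timeout, token still usable
    results["after_10_min_idle"] = store.validate_csrf(sid, leaked)
    now[0] += 31 * 60  # 31 more idle minutes: session expired, token dead
    results["after_31_min_idle"] = store.validate_csrf(sid, leaked)
    sid2, tok2 = store.login()
    store.logout(sid2)  # explicit logout also kills the token
    results["after_logout"] = store.validate_csrf(sid2, tok2)
    return results
```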

Acknowledgements

  • CVE-2019-18376: Balazs Hambalko, IT Security Consultant

Revisions

2020-04-09 initial public release
