5209R/5210R: YUM Updates
Cross-Site Request Forgery (CSRF) protection is now enabled by default in BlueOnyx 5209R and 5210R.
We just published YUM updates for BlueOnyx 5209R and BlueOnyx 5210R which enable Cross-Site Request Forgery (CSRF) protection by default.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like modifying settings, performing transactions within the authenticated session, and so forth. If the victim is an administrative account, CSRF can potentially compromise the entire web application. When CSRF protection is enabled in the GUI, additional protective measures are enabled which are designed to prevent or limit the scope of such attacks.
This is done by inserting a hidden CSRF field into all GUI pages that contains an additional token with fixed expiry time. Upon all transactions this hidden CSRF token is checked for validity. If a transaction with an invalid CSRF token is attempted, then the transaction will not be performed and an error message is shown instead.
CSRF Implementation in BlueOnyx:
After the installation of these YUM updates the CSRF implementation will be enabled automatically with the defaults shown above. All GUI pages such as the login page and all others will have a CSRF token automatically inserted. On form submit transactions (like when you save a page) the CSRF token is checked and if it's absent or doesn't match the expected CSRF token, then an error message is shown and the initiated submit transaction is not executed.
CSRF tokens by default have a validity of 7200 seconds (120 minutes), but you can adjust this value to your own liking.
Alternatively you can tick the checkbox for "Single Use CSRF" instead. In that case each page load or refresh uses a different CSRF token for maximum security. However, this might impact your normal workflow if you usually work with the GUI open in different browser windows or browser tabs. In that case returning to a previously used browser window or browser tab without refresh will result in a CSRF token mismatch, as the token in that GUI page is no longer valid.
CSRF situation before this YUM update:
Before this YUM update only the GUI page "Personal Profile" (where password changes are possible) had a proper CSRF token protection, which prevented maliciously initiated password changes of the logged in user that still had an ongoing session.
The way the Sausalito driven GUI works CSRF attacks were already partially mitigated due to the way how the cookie based authentication works in conjunction with our Session-ID checks against CCEd on each GUI related transaction.
This implementation offers a more complete protection against CSRF attacks - especially if "Single Use CSRF" is activated.
Updated ISO Images are available:
ISO images that include the CSRF related updates have just been released:
These ISO images can be downloaded here.