CVE-2017-8328
Description
An issue was discovered on Securifi Almond, Almond+, and Almond 2015 devices with firmware AL-R096. The device provides a user with the capability of changing the administrative password for the web management interface. It seems that the device does not implement any cross site request forgery protection mechanism which allows an attacker to trick a user who is logged in to the web management interface to change a user's password. Also this is a systemic issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Securifi Almond devices lack CSRF protection, allowing an attacker to trick an authenticated admin into changing the admin password.
Vulnerability
The web management interface on Securifi Almond, Almond+, and Almond 2015 devices running firmware AL-R096 does not implement any cross-site request forgery (CSRF) protection mechanism: state-changing requests are accepted on the strength of the browser's session cookie alone, with no anti-CSRF token, Origin/Referer check, or re-authentication. This allows an attacker to craft a request that, when triggered by an authenticated administrator, changes the administrative password. The CVE description calls the issue systemic, which reads as the missing protection not being specific to the password-change form but applying to the management interface as a whole [1][2].
Exploitation
An attacker must first identify a target device and then trick a currently logged-in administrator into loading attacker-controlled content (a link, an image tag, or a page with an auto-submitting form). The crafted request (a GET or POST to the password change endpoint, depending on what the interface accepts) is sent by the admin's browser, which attaches the session cookie automatically, so it executes in the admin's context and alters the password without the admin's knowledge. No credentials or special network position are required beyond delivering the payload to the admin; the one practical constraint is that the admin's browser must be able to reach the device's management address when the payload fires, which for a home router typically means the admin is on the local network [1][2].
Impact
Successful exploitation allows the attacker to set the device's administrative password to a value of their choosing, granting full control over the web management interface and, as a side effect, locking the legitimate administrator out until the device is reset. This can lead to further compromise of the device, including modification of network settings (DNS, port forwarding), interception or redirection of traffic, or use of the router as a pivot point for attacks on the local network [1][2].
Mitigation
No fixed firmware is recorded for this issue (see Patches below). The vendor-side fix is the standard one: bind a random anti-CSRF token to each session and require it on every state-changing request, reject requests whose Origin or Referer header is not the device itself, and do not accept configuration changes over GET. Until such a fix is available, users are advised to avoid browsing untrusted sites while logged in to the management interface, to log out immediately after use (CSRF needs a live session to ride on), and to consider network-level protections such as firewall rules that restrict which hosts may reach the management interface [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Securifi/Almond (Almond, Almond+, Almond 2015; firmware AL-R096)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] packetstormsecurity.com/files/153227/Securifi-Almond-2015-Buffer-Overflow-Command-Injection-XSS-CSRF.html (MISC)
[2] github.com/ethanhunnt/IoT_vulnerabilities/blob/master/Securifi_Almond_plus_sec_issues.pdf (MISC)
[3] seclists.org/bugtraq/2019/Jun/8 (BUGTRAQ mailing list)
News mentions
No linked articles in our index yet.