What’s Bugging the NSA? A Vulnerability in Its SkillTree Training Platform

The National Security Agency (NSA) recently addressed a cross-site request forgery (CSRF) vulnerability within its SkillTree employee training platform, shedding light on the challenges associated with detecting such bugs before production release.

SkillTree, an online education platform incorporating gamified elements, was developed internally by the NSA and made available on GitHub in 2020. The platform’s objective, as stated in an agency press release, is to enhance user interactions with complex in-house applications and modernize software development and DevOps practices within the agency.

On June 12, researchers from Contrast identified and reported a CSRF issue impacting SkillTree, which has since been designated CVE-2024-39326 and assigned a CVSS score of 4.4, categorized as “medium.”

In a CSRF attack, an attacker causes an already-authenticated user's browser to send harmful requests to a target website or application, with that user's session credentials attached automatically. In this instance, because several SkillTree endpoints accepted vulnerable content types, an attacker who lured an admin-level user into clicking a malicious link could have manipulated the videos, captions, and text associated with that user's online lessons. However, executing such an attack required prior knowledge of the targeted SkillTree skill and project name, and it exposed no additional user data or systems.

The NSA promptly addressed this issue with a patch released on July 2, urging users to implement the fix to prevent potential website manipulation.

Contrast highlighted the importance of addressing CSRF vulnerabilities before production release, noting that these issues are often overlooked by developers and AppSec teams. Unlike more prominent threats like data exposure, CSRF vulnerabilities may go unresolved, creating opportunities for malicious exploitation.

Detecting CSRF vulnerabilities is particularly challenging as they do not disrupt an application’s normal functioning and typically stem from design flaws in authentication and session management. These vulnerabilities operate at the browser level, making them more difficult to identify than code-based bugs like SQL injection. While the SkillTree application had multiple endpoints, only a select few were susceptible to CSRF attacks.

Fortunately, modern browsers implement restrictions and policies, such as SameSite cookies and CORS, to safeguard against cross-site requests and unauthorized cross-origin interactions. These measures blur the line between application and browser responsibilities, enhancing overall security posture.

In conclusion, the NSA’s proactive response to the CSRF vulnerability in SkillTree underscores the importance of thorough security assessments in the development lifecycle to mitigate risks and protect user data and systems from malicious exploitation. The incident serves as a valuable lesson for organizations to prioritize security measures and stay vigilant against emerging threats in the ever-evolving cybersecurity landscape.
