CVE-2023-25832
📋 TL;DR
This cross-site request forgery (CSRF) vulnerability in Esri Portal for ArcGIS allows attackers to trick authenticated users into performing unintended actions on the portal. It affects versions 11.0 and below, potentially compromising portal integrity and data security. Organizations using vulnerable versions are at risk of unauthorized administrative or user actions.
💻 Affected Systems
- Esri Portal for ArcGIS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could trick an administrator into executing privileged operations like creating new admin accounts, modifying critical configurations, or deleting data, leading to complete portal compromise.
Likely Case
Attackers trick users into performing unauthorized actions like changing their own settings, posting malicious content, or accessing/modifying data they shouldn't, potentially leading to data leakage or portal misuse.
If Mitigated
With proper CSRF protections and user awareness, the risk is limited to isolated incidents with minimal impact on overall portal security.
🎯 Exploit Status
CSRF attacks typically require user interaction but are straightforward to execute once a malicious request is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security 2023 Update 1 Patch (8095)
Vendor Advisory: https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095
Restart Required: Yes
Instructions:
1. Download Security 2023 Update 1 Patch (8095) from Esri Support.
2. Apply the patch following Esri's installation instructions.
3. Restart the Portal for ArcGIS service.
4. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Implement CSRF Tokens
Add anti-CSRF tokens to all state-changing requests if custom applications interact with the portal.
Use SameSite Cookie Attributes
Configure session cookies with SameSite=Strict or SameSite=Lax attributes to limit cross-site requests.
🧯 If You Can't Patch
- Implement network segmentation to isolate the portal from untrusted networks and limit access to trusted users only.
- Educate users about CSRF risks and advise them to log out of the portal when not in use and avoid clicking suspicious links.
🔍 How to Verify
Check if Vulnerable:
Check the Portal for ArcGIS version in the portal administrator settings or via the REST API endpoint /arcgis/rest/info.
Check Version:
curl -k -s "https://<portal-url>/arcgis/rest/info?f=json" | grep -i version
Verify Fix Applied:
Verify the patch is listed under installed patches in the portal administrator settings and confirm the reported version is no longer 11.0 or below.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative actions from unexpected IP addresses
- Multiple failed state-changing requests from the same session
- State-changing requests missing the expected Referer header
Network Indicators:
- HTTP POST requests to portal endpoints with external referrers
- Cross-origin requests to state-changing endpoints
SIEM Query:
source="portal_logs" AND (action="createUser" OR action="modifyConfig" OR action="delete") AND src_ip NOT IN trusted_ips
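The log and network indicators above can be checked mechanically. The following is an added example, not code from Esri or from this advisory: it parses constructed access-log lines (a combined-style format with the Origin header appended as the last field, and a portal origin of https://portal.example.com, both assumptions made here) and flags state-changing requests whose Origin/Referer is absent or points outside the portal.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (not real Esri or proxy output) in a combined-style
# access-log format extended with the Origin header as the last quoted field.
SAMPLE_LOG = """\
203.0.113.7 - admin [12/Mar/2023:10:01:02 +0000] "POST /arcgis/sharing/rest/community/createUser HTTP/1.1" 200 "https://portal.example.com/arcgis/home/" "https://portal.example.com"
198.51.100.9 - admin [12/Mar/2023:10:05:44 +0000] "POST /arcgis/sharing/rest/community/createUser HTTP/1.1" 200 "https://attacker.example.net/page.html" "https://attacker.example.net"
198.51.100.9 - viewer [12/Mar/2023:10:06:10 +0000] "POST /arcgis/sharing/rest/content/items/abc123/delete HTTP/1.1" 200 "-" "-"
203.0.113.7 - viewer [12/Mar/2023:10:07:00 +0000] "GET /arcgis/rest/info HTTP/1.1" 200 "https://evil.example.net/" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def request_source(origin, referer):
    """Return the scheme://host the request claims to come from, or None.
    Origin is preferred (browsers send it on cross-site POSTs); Referer is the
    fallback. "-" is the log's placeholder for an absent header."""
    for value in (origin, referer):
        if value and value != "-":
            parts = urlsplit(value)
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def find_csrf_suspects(log_text, portal_origin="https://portal.example.com"):
    """Flag state-changing requests whose source is absent or is not the portal itself."""
    suspects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in STATE_CHANGING:
            continue  # unparsable or read-only request: not a CSRF concern
        source = request_source(m["origin"], m["referer"])
        if source is None:
            reason = "missing Origin and Referer on state-changing request"
        elif source != portal_origin.lower():
            reason = f"cross-origin source {source}"
        else:
            continue  # same-origin: expected browser traffic
        suspects.append({"ip": m["ip"], "user": m["user"], "path": m["path"], "reason": reason})
    return suspects


if __name__ == "__main__":
    for s in find_csrf_suspects(SAMPLE_LOG):
        print(f"{s['ip']} {s['user']} {s['path']}: {s['reason']}")
```

Same-origin requests and read-only GETs are ignored, so only the two suspicious POSTs in the sample are reported.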
🔗 References
- https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-security-2023-update-1-patch-8095
- https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2023-update-1-patch-is-now-available/