What's Bugging the NSA? A Vuln in Its 'SkillTree' Training Platform

The National Security Agency (NSA) has patched a cross-site request forgery (CSRF) vulnerability in its open source employee training platform known as SkillTree, showcasing how difficult this class of bug is to catch prior to production release.

SkillTree is an online education platform with gamified elements, like points and achievements, when learning goals are reached. It was designed in-house by the NSA and released to GitHub in 2020. According to an agency press release, its stated goal is to "improve how users across the agency interacted with in-house complex applications," and "streamline and modernize software development and DevOps best practices at the agency."

On June 12, researchers from Contrast discovered and reported a CSRF issue affecting the platform. It has since been labeled CVE-2024-39326, and assigned a "medium" 4.4 CVSS score.

In a CSRF attack, hackers use authenticated users as conduits to send malicious requests to a targeted website or app. In this particular case, thanks to some vulnerable content types used by multiple SkillTree endpoints, a hacker who tricked an admin-level user into clicking a malicious link could have manipulated the videos, captions, and texts related to their online lessons. Doing so would have required prior knowledge of the targeted SkillTree skill and project name, and such an attack would not have exposed any further user data or systems.

The NSA implemented a fix for this issue in a July 2 patch, which users should deploy to avoid website manipulation.

The DL on CSRF

"Too often, CSRF vulnerabilities are neglected and don't get fixed before code is released into production," Contrast wrote in its report on CVE-2024-39326. "Developers and Application Security (AppSec) teams focus on more advanced attacks that could lead to sensitive data exposure; as a result, CSRF vulnerabilities wind up not being remediated, leaving malicious actors opportunities for successful execution."

There's more to it than just neglect, though. CSRF issues aren't so easily spotted in the first place.

One major reason is that they don't interrupt the normal functioning of an app. And unlike bugs that exist entirely in an app's code, CSRF tends to stem from design issues in authentication and sessions.

"SQL injection is something that would be very well known to developers, because for it to occur, the developer has to send data to a database, and so the developer's doing something consciously," explains Contrast researcher Joseph Beeton. "Unlike SQL injection, CSRF is almost outside of application. It's in the browser."

And, he adds, "There are lots of types of requests that aren't vulnerable to CSRF. The SkillTree application had dozens, maybe hundreds of endpoints, and only a couple were vulnerable."

Luckily, modern browsers use restrictions and policies to protect sites from themselves. There's SameSite cookies — to shield cookies from cross-site requests — and strict cross-origin resource sharing (CORS) policies to defend against unauthorized cross-origin requests and more, blurring the line of responsibility between application and browser.