Two critical vulnerabilities have been discovered in Cyberoam firewall and VPN products that could allow attackers to gain unauthenticated access to the devices and execute commands on them.
Cybersecurity company Cyberoam Technologies employs 550 people globally and serves over 65,000 customers in 120 countries. The India-based company was acquired by Sophos Group plc in 2014.
Researchers at vpnMentor found that these vulnerabilities affected the “email quarantine” feature of Cyberoam’s devices and gave attackers indirect access to any Cyberoam security device through its web-based access control/Firewall OS interface.
“These vulnerabilities required no authentication to exploit. An attacker simply needed to know the IP address of the vulnerable Cyberoam device, and they could have a reliable shell without any crashes,” the researchers said.
First RCE Vulnerability in Cyberoam
The first vulnerability was found in the Firewall OS of Cyberoam SSL VPNs in Q4-2019.
It allowed access to any Cyberoam device by exploiting its email quarantine release system without needing to know the username or password for the account linked to it.
“We found many banks and big corporations were using Cyberoam products as a gateway to their network from the outside, so this opened direct access to their intranet (local networks, often with more sensitive data),” said researchers at vpnMentor. “Exploiting the vulnerability also allowed relatively easy escalation to ‘root’ access on the device because of its need to run in a privileged setting, which would grant any hacker total control of the target device.”
Cyberoam and Sophos resolved the first vulnerability by automatically installing a regex-based patch on their devices. However, the researchers were still able to execute root commands, leaving the devices insufficiently patched and vulnerable to attack.
Second RCE Vulnerability in Cyberoam
The second vulnerability was discovered in the same quarantine email functionality of Cyberoam devices: the researchers bypassed the previously installed regex filter by using a Base64 encoding scheme.
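The failure mode described above, a blocklist regex applied to the raw request value while the backend decodes the value before acting on it, is illustrated below with an added example. This is constructed teaching code, not Cyberoam’s or vpnMentor’s code, and the parameter name, the `b64:` prefix and the identifier format are assumptions for the illustration. It contrasts a filter that inspects the encoded string with a check that decodes first and then requires the result to match a strict allowlist, which is the defensive pattern that closes this class of bypass.

```python
import base64
import binascii
import re

# Constructed format: a quarantine-release identifier is expected to be a short
# alphanumeric token (hypothetical; not Cyberoam's actual parameter format).
RELEASE_ID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")

# A blocklist of shell metacharacters, the kind of regex a hurried hotfix
# applies to the raw request value.
SHELL_META_RE = re.compile(r"[;&|`$<>\n]")


def b64_wrap(value: str) -> str:
    """Produce the encoded request form this example's backend accepts."""
    return "b64:" + base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_param(raw: str) -> str:
    """Mimic a backend that accepts either a plain value or (assumed here) a
    'b64:'-prefixed Base64 value, and decodes it before use. Invalid input
    decodes to an empty string so callers treat it as unusable."""
    if raw.startswith("b64:"):
        try:
            return base64.b64decode(raw[4:], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return ""
    return raw


def blocklist_filter_on_raw(raw: str) -> bool:
    """'Before' style: accept unless the *raw* value contains a metacharacter.
    The filter never sees the decoded bytes the backend actually uses."""
    return SHELL_META_RE.search(raw) is None


def allowlist_after_decode(raw: str) -> bool:
    """'After' style: canonicalise first (decode), then require the decoded
    value to match the strict identifier format. Returns True when accepted."""
    value = decode_param(raw)
    return bool(value) and RELEASE_ID_RE.fullmatch(value) is not None


def evaluate(raw: str) -> dict:
    """Report what each filter decides for a request value, alongside the
    value the backend would act on after decoding."""
    return {
        "decoded": decode_param(raw),
        "blocklist_accepts": blocklist_filter_on_raw(raw),
        "allowlist_accepts": allowlist_after_decode(raw),
    }


if __name__ == "__main__":
    # Constructed sample requests: a valid identifier, a plain value carrying a
    # metacharacter, and the same value wrapped in the encoded form.
    for sample in ["msg12345", "msg123; echo", b64_wrap("msg123; echo")]:
        print(repr(sample), evaluate(sample))
```

The raw-value blocklist rejects the plain metacharacter but accepts the encoded form, because the Base64 alphabet contains none of the blocked characters; the decode-then-allowlist check rejects both, and also rejects malformed encodings outright. Validation that runs before canonicalisation, or that enumerates bad characters instead of describing the only acceptable shape, is the weakness the second Cyberoam flaw exploited.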
“Being the most severe form of RCE, it didn’t need any authentication to exploit. It also automatically granted “root” privileges, was highly reliable, and relatively straightforward to exploit,” the vpnMentor report said. “After confirming their findings, our team discovered a third flaw, which had also gone unnoticed,” the researchers wrote.
The third issue discovered in Cyberoam’s security devices is that they ship with default usernames and passwords, which users are expected to change themselves. For example:
This flaw could also be exploited through brute-forcing. By combining it with the existing vulnerabilities in Cyberoam devices, attackers could easily access any Cyberoam server still in its default configuration and use it to attack the wider network.
Tools like Shodan and fofa.so can list individual Internet-connected Cyberoam devices and their IP addresses.
Sophos has released hotfixes for all the recently discovered vulnerabilities in Cyberoam devices and the firewall now requires user authentication at the login portal.
“The vulnerabilities we discovered were not the first flaw in Cyberoam’s security products. For many years, people have been identifying significant weaknesses in their software products and devices”, said vpnMentor.
In 2018, Indian media reported that a hacker had stolen massive portions of Cyberoam databases and put them up for sale on the Dark Web.