Categories: Cyber Security

Flaws in cyber security firm’s firewall & VPN tech exposed 100k+ devices

The vulnerabilities were identified in the software of Cyberoam Technologies, a company owned by cyber security giant Sophos, whose tagline is “Securing You.”

One doesn’t expect cyber security companies to be vulnerable since they’re supposed to protect us, right? But lately it has been happening over and over again, and even the most vigilant enterprises are being compromised or found vulnerable to cyber-attacks.

Just recently, vpnMentor released a new report detailing two vulnerabilities in an India-based security company called Cyberoam.

Both affect the firm’s firewall and VPN technology: the first was discovered back in 2019, and the second earlier this year, on 1 January, following a report by an anonymous ethical hacker. Both vulnerabilities affect Cyberoam’s email quarantine system.

For the unacquainted, quarantined emails are those deemed potentially harmful and therefore isolated temporarily in a separate folder of one’s email account before being deleted. The number of potentially affected devices ranges from 70,000 to 170,000, with no definite figure at the moment.

Root Command Execution (RCE) Vulnerability #1

Using this flaw, attackers could exploit the email quarantine system without knowing any login credentials for the associated accounts. Moreover, a successful attacker could ultimately gain administrator privileges, allowing them to control the victim’s device.

The consequence is that, since Cyberoam’s solutions are used by large international firms to serve as a “gateway” between their internal and external networks, compromising this gateway can let attackers reach a company’s internal network as well.

Cyberoam fixed this with a regex-based patch, which brings us to the second vulnerability.

Root Command Execution (RCE) Vulnerability #2

The regex-based patch proved insufficient, paving the way for a second vulnerability. As the researchers state in their blog post,

By encoding the previous RCE command through Base64 and wrapping it in a Linux Bash Command, a hacker could bypass the patch in Cyberoam’s regex filter and create a more versatile exploit targeting the quarantine email functionality of Cyberoam’s devices.

In fact, unlike the first vulnerability, they didn’t even need an account’s username and password, focusing instead on the request used to release quarantined email. The disguised RCE commands could be entered into a blank POST parameter on the login interface and sent directly to the servers from there.
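The lesson of the second vulnerability is a general one: a deny-list regex that looks for known command names cannot see a command once it has been encoded, whereas validating the one value the request may legitimately carry, and then never executing it, leaves nothing to bypass. The following Python is an added illustration of that contrast and is not Cyberoam’s code or vpnMentor’s proof of concept; the deny-list pattern, the quarantine-id format and the quarantine store are all constructed for the example.

```python
import base64
import re

# --- Approach 1: a deny-list regex in the style of a "block known command
# names" hotfix. Hypothetical pattern, NOT Cyberoam's actual patch.
DENY_LIST = re.compile(r"\b(cat|echo|id|whoami|wget|curl|rm|sh)\b")


def denylist_accepts(value: str) -> bool:
    """Accept anything the deny-list does not recognise as a command.
    It only ever sees the literal text, so an encoded command looks harmless."""
    return DENY_LIST.search(value) is None


# --- Approach 2: allow-list the *shape* of the one thing the parameter may
# legitimately carry (a quarantine message id) and use it only as a lookup key.
MSG_ID = re.compile(r"^[A-Za-z0-9]{8,32}$")  # constructed id format

# Constructed quarantine store: id -> (sender, subject). A real appliance
# would query its quarantine database here instead of a dict.
QUARANTINE = {
    "q7f3a9c2e1": ("alice@example.org", "Invoice attached"),
    "qb81d04f77": ("bob@example.org", "Re: meeting"),
}


def release_quarantined(msg_id: str):
    """Release a quarantined message by id.

    The id is validated against the allow-list and then used purely as a
    dictionary key; no shell, no string-built command, so there is nothing
    to inject into. Returns the record, None if unknown, ValueError if the
    value is not even id-shaped."""
    if not MSG_ID.fullmatch(msg_id):
        raise ValueError("invalid quarantine id")
    entry = QUARANTINE.get(msg_id)
    if entry is None:
        return None
    # A real implementation would mark the message released here.
    return entry


def compare_filters(value: str) -> dict:
    """Report how each approach treats one request parameter value."""
    try:
        release_quarantined(value)
        allowlist_ok = True
    except ValueError:
        allowlist_ok = False
    return {"denylist": denylist_accepts(value), "allowlist": allowlist_ok}


if __name__ == "__main__":
    plain = "echo hello"                                   # benign command text
    encoded = base64.b64encode(plain.encode()).decode()    # "ZWNobyBoZWxsbw=="
    for value in ("q7f3a9c2e1", plain, encoded):
        print(f"{value!r:22} -> {compare_filters(value)}")
```

Run as a script, the deny-list rejects the plain `echo hello` but waves through its Base64 form, while the id-shaped check rejects both and accepts only a real id. Note that a short Base64 string without `=` padding would also pass the id-shape check; that is harmless here because the value is never interpreted as a command, which is the actual fix. The regex is defence in depth, not the control.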

A third vulnerability was also discovered, arising because Cyberoam allowed the use of default credentials for newly created accounts, such as the following:

Although this one required authentication, unlike the previous vulnerabilities, it was still an easy way to bypass security. Malicious actors could find servers using such default usernames and passwords through a security search engine like Shodan and easily gain access.

Thanks to vpnMentor’s prompt reports to Sophos, the parent company of Cyberoam, hotfixes have already been deployed for all the vulnerabilities, securing the aforementioned devices. This was further confirmed by an unsuccessful exploit attempt by vpnMentor two months after the patches.

As far as Cyberoam is concerned, it was lucky that criminals did not discover these vulnerabilities first: the potential implications included data theft and the hijacking of associated networks, devices and accounts, which could have had severe repercussions in terms of financial and intellectual loss as well as reputation.


This content was originally published here.

Published by
vinova
