The severe flaws were detected by various teams and shared with the manufacturer, but will patching be done in time?

Cyberoam, an identity-based security solutions provider owned by cybersecurity firm Sophos since 2014, was recently informed that its firewall and VPN technology harbored two vulnerabilities that would allow hackers to break through without authentication.

According the VPN evaluation and consultancy website vpnMentor, the first vulnerability was reported in late 2019, while the second was shared with vpnMentor by an anonymous ethical hacker at the beginning of 2020. After confirming their findings, the vpnMentor team discovered a third flaw that had gone unnoticed.

These vulnerabilities, both independently and when put together, could have been potentially exploited by sending a malicious request, which would enable an unauthenticated, remote attacker to execute arbitrary commands.

According to the disclosure in vpnMentor’s blog, Sophos has already published hotfixes to resolve both of these vulnerabilities.

We do our best to keep sensitive user data private by finding and exposing widespread software flaws like this one.

Vulnerability #1

This flaw, involving ‘Unauthenticated Root Remote Command Execution (pre-auth RCE), was found in the FirewallOS of Cyberoam SSL VPNs around Q4 of 2019, and it allowed access to any Cyberoam device by exploiting its email quarantine release system without needing to know the username and password for the account linked to it. Many banks and big corporations were using affected products as a gateway to their network from the outside, so this opened direct access to their intranet (local networks, often with more sensitive data).

Exploiting the vulnerability also allowed relatively easy escalation to ‘root’ access on the device because of its need to run in a privileged setting, which would grant any hacker total control of the target device. They would then potentially have privileged access to, and potentially control of, the network into which that compromised device was integrated.

This vulnerability was resolved and patched by Cyberoam and Sophos, who automatically installed a regex-based patch into their code to prevent such an attack from happening in the future. However, it was still possible to gain original remote root command execution capabilities due to the second vulnerability in a different parameter.

Vulnerability #2

The second vulnerability (Unauthenticated Root Remote Command Execution [pre-auth RCE]) was noticed some time after the patch for the first bug came out. This was then brought to vpnMentor’s attention by a security researcher who wished to remain anonymous.

To fix the previous RCE, vulnerable and non-vulnerable devices automatically installed a regex-based important patch. However, this did not make it any harder to exploit the second vulnerability. Also, the regex patched used by the first fix would have been insufficient.

By encoding the previous RCE command through Base64 and wrapping it in a Linux Bash Command, a hacker could bypass the patch in the regex filter and create a more versatile exploit targeting the quarantine email functionality of Cyberoam’s devices. In fact, unlike the first vulnerability, they did not even need an account’s username and password, focusing instead on the request for releasing the quarantine email functionality.

The disguised RCEs could be entered into a blank POST parameter input on the login interface and sent directly to the servers from there. Once an attacker gains a shell, it is usually game over. The attacker can send unauthenticated root RCE commands and easily pivot into other personal devices by exploiting DNS, Server Message Block, and other local network issues.

Being the most severe form of RCE, it did not need any authentication to exploit. It also automatically granted “root” privileges, was highly reliable and relatively straightforward to exploit.

Vulnerability #3

The final issue (discovered by Nadav Voloch) in Cyberoam’s security protocols was made possible by Cyberoam’s default hardcoded passwords for new accounts. Apparently, accounts on the company’s software came with default usernames and passwords, which users were expected to change themselves.

Though the previous vulnerabilities needed no authentication, this vulnerability meant that there was an alternative way to sometimes bypass authentication. Combining the vulnerability in Cyberoam’s FirewallOS with the default login credentials like those found earlier, hackers could access any Cyberoam server still in default mode and use this to attack the wider network.

Typically, security software avoids this issue by not using default login credentials and not allowing access to an account until the user creates their own. Once again, by using Shodan (a search engine for internet-connected devices) to find Cyberoam devices, hackers could access any account still using the default usernames and passwords mode and take it over.

Using a brute-force attack targeting all Cyberoam’s servers, hackers could have easily accessed any servers still in the default username/password mode at once.

Response and resolution

Once the technical details of the vulnerabilities, and Nadav’s later discovery, Sophos and Cyberoam were contacted immediately.

Sophos had replied promptly and guaranteed the issues would be resolved soonest possible. On 29 Feb, vpnMentor had received notice from Sophos the vulnerabilities in their firewall products were resolved. Between 24 and 26 February, Sophos distributed and automatically applied a hotfix to relevant versions of the Cyberoam firewall.

Sophos’ hotfix completely disabled the vulnerability, and the firewall now requires user authentication at the login portal.

The hotfix will be included in the latest version of the relevant software, to be released soon.

All Cyberoam customers and partners are being notified of the hotfix and the changes mentioned above. They will also be advised to change their admin credentials from the defaults.

The products affected with these vulnerabilities are ‘end-of-sale,’ meaning they are no longer available for purchase. They will reach end-of-life after the first quarter of 2022 at the latest.

As such, Sophos does not plan to make major programmatic changes in current Cyberoam products that would force customers to change the default credentials.

Two months after Sophos had confirmed the patch was installed, the vpnMentor team attempted the exploits again, following the same processes as before, which no longer worked, indicating that all vulnerabilities have been patched.