Cybersecurity firm firewall & VPN tech flaws affect over 70k devices
Cybersecurity firms and VPN companies exist to protect users' computer systems and networks from theft of or damage to their hardware, software or electronic data, and from disruption or misdirection of the services they provide.
Users never expect these firms themselves to be vulnerable and to expose data, yet that is exactly what happened here. vpnMentor has released a new report detailing two vulnerabilities in the India-based security company Cyberoam.
Cyberoam Technologies, a Sophos company, is a global provider of network security appliances with a presence in more than 125 countries. The company offers user-identity-based network security in its firewall and Unified Threat Management appliances, giving visibility into and granular control over users’ activities on business networks.
An anonymous ethical hacker discovered the flaws in the firm’s firewall and VPN technology; according to the report, the issues were found first in 2019 and then in January 2020. The exact number of devices affected is not known; the report puts it at around 70,000 to 150,000.
The main weakness in Cyberoam’s security involved two separate vulnerabilities in how an email is released from quarantine on a Cyberoam device. The two unrelated issues could each have been used to give hackers access to Cyberoam’s devices and, as a result, make it easier to attack any device their firewalls were guarding.
1st Vulnerability: Unauthenticated Root Remote Command Execution (pre-auth RCE)
The vulnerability made it possible to access any Cyberoam device by exploiting its email quarantine release system without knowing the username and password for the account linked to it. Because that functionality needs to run in a privileged context, the flaw also gave ‘root’ access on the device, granting an attacker total control of the target.
From there, they would potentially have privileged access to, and control of, the network into which that Cyberoam device was integrated.
2nd Vulnerability: Unauthenticated Root Remote Command Execution (pre-auth RCE)
To fix the first vulnerability, the company pushed an important regex-based patch to all of its active devices. However, this did nothing to make the second vulnerability harder to exploit, and the regex used by the first fix would in any case have been insufficient.
According to the researchers, the patch was easily bypassed by Base64-encoding the payload and wrapping it in a Linux Bash command.
Base64 is a binary-to-text encoding scheme that converts binary data (made up of 1’s and 0’s) into what is known as an ASCII string format. The reverse operation, decoding, turns that text back into the original binary data; a command hidden this way is not visible to a filter that only inspects the encoded text.
In fact, unlike the first vulnerability, they did not even need an account’s username and password, focusing instead on the request used by the quarantine email release functionality. The disguised RCE commands could be entered into a blank POST parameter on the login interface and sent directly to the servers from there. Once an attacker gains a shell, it is usually game over.
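The article's point that a regex blocklist cannot see inside Base64, and that the real fix is strict validation of the quarantine-release parameter, is illustrated by the following added example. It is not code from the article, vpnMentor, Cyberoam or Sophos: the actual patch regex, the parameter name and the helper binary are not on the page, so the blocklist pattern, the message-id format and the `/usr/local/bin/release-quarantine` path are all hypothetical stand-ins.

```python
import base64
import re

# Hypothetical stand-in for a regex-based blocklist patch: it looks for a few
# shell metacharacters and command names in the submitted value. The real
# Sophos regex is not on the page; this one only illustrates the approach.
BLOCKLIST = re.compile(r"(?:;|&&|\$\(|`|\b(?:rm|wget|curl|nc|sh)\b)")

def blocklist_allows(value: str) -> bool:
    """Return True when the blocklist regex finds nothing it recognises."""
    return BLOCKLIST.search(value) is None

# Allowlist alternative. A quarantine message id is assumed (assumption, not
# Cyberoam's real format) to be a short token of letters, digits, '.', '_' and '-'.
ALLOWLIST = re.compile(r"[A-Za-z0-9._-]{1,64}")

def allowlist_accepts(value: str) -> bool:
    """Return True only when the whole value matches the allowlist."""
    return ALLOWLIST.fullmatch(value) is not None

def build_release_argv(message_id: str) -> list:
    """Build argv for a (hypothetical) privileged release helper without a shell.

    Rejecting anything outside the allowlist and passing the id as a discrete
    argument means it can never be parsed as shell syntax, even though the
    helper runs with root privileges.
    """
    if not allowlist_accepts(message_id):
        raise ValueError("invalid quarantine message id")
    return ["/usr/local/bin/release-quarantine", "--id", message_id]  # hypothetical path

def encoded_sample() -> str:
    """Constructed sample: a blocklisted word hidden by Base64 encoding.

    The plaintext contains 'wget', which the blocklist would catch; the encoded
    text contains no such word, so a filter inspecting only the encoded form
    has nothing to match on. That is the weakness the article describes.
    """
    return base64.b64encode(b"wget example.invalid").decode("ascii")

def compare(value: str) -> dict:
    """Show how the two validation strategies judge the same input."""
    return {
        "blocklist_allows": blocklist_allows(value),
        "allowlist_accepts": allowlist_accepts(value),
    }

if __name__ == "__main__":
    for sample in ("msg-2020-01-15.0042", "x; wget example.invalid", encoded_sample()):
        print(repr(sample), compare(sample))
```

Running the block prints that the ordinary id passes both checks, the obvious injection is caught by both, and the Base64 token passes the blocklist but fails the allowlist (the `=` padding and any `+` or `/` characters fall outside the allowed set). The allowlist is the part that matters: it accepts only the shape a legitimate id can have, and `build_release_argv` never hands the value to a shell, so encoding tricks have nothing to bypass.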
An attacker could send unauthenticated root RCE commands and then easily pivot to other devices on the network by exploiting DNS, SMB and other local network weaknesses.
“Being the most severe form of RCE, it didn’t need any authentication to exploit. It also automatically granted ‘root’ privileges, was highly reliable, and relatively straightforward to exploit,” the vpnMentor researchers said.
If you or your company are currently using any Cyberoam security device, make sure you have received and installed the latest security patch from Sophos. Also make sure nobody on your network is still using the default login credentials provided by Cyberoam, or that you have manually disabled any that are still in use.