Sophos Cyberoam

Posted on by



[German]Security researchers have discovered three vulnerabilities in Cyberoam firewalls (owned by British company Sophos). The vulnerabilities leave millions of devices and, in principle, the entire network vulnerable to security attacks. The products are used in corporate networks and are accessible via the Internet (sometimes with standard credentials).

Advertising
  1. Cyberoam IPS Implementation Guide PAGE 6 OF 28 Introduction Welcome to Cyberoam’s – IPS Implementation guide. Cyberoam is an Identity-based UTM Appliance. Cyberoam’s solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions.
  2. A Denial of Service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable.

A hotfix for the firmware has been issued at end of February 2020. Here I prepare some information that I received from security researchers of vpnMentor about this issue.

Note: The article was originally published by me on February 29, 2020. I took it offline again at vpnMentor’s request – although a hotfix was already available. On May 14, 2020 vpnMentor published this blog post with more details.

In brief: Three vulnerabilities in Cyberoam appliances

Many Cyberoam customers around the globe are already benefitting from the innovations that a switch to Sophos XG Firewall has brought them. With the recent release of XG version 18 you will find the same intuitive interface as well as new innovations to address some of the key issues you are likely facing today. Sophos announced today that it has acquired Cyberoam Technologies, a leading global provider of network security products.

Three vulnerabilities have been discovered in the firewall technology of cyber security vendor Cyberoam by various security experts and ethical hackers.

  • The first vulnerability was reported in late 2019. There is a patch in place, but it reveals another vulnerability.
  • The second vulnerability was reported anonymously to vpnMentor by a security expert.
  • During the review of this reported vulnerability the security team of vpnMentor discovered the third vulnerability, which had also gone unnoticed until now.

These vulnerabilities potentially expose users of millions of devices to the risk of attacks from the Internet and the risk of the devices hijacking. The bugs allow any hacker to access and take over hundreds of thousands, possibly millions, of Sophos/Cyberoam devices via the internet. Potential risks are:

  • Theft of private data
  • Network, account and device transfer
  • Embedding malicious software into an entire network and individual devices

Cyberoam and Sophos’s customers base include large enterprises, multinational corporations and major international banks. Google, Microsoft and Apple are just a few of the well-known names among the 100,000 companies. There are also around 1 million individuals using security tools from this vendor.

If these vulnerabilities would have been discovered by criminal hackers, the impact on those affected could have been catastrophic. As the security researchers write in the message I received, the vulnerable Cyberoam appliances are detectable via the Internet using search engines such as Shodan.

Advertising

Who is Cyberoam?

Cyberoam Technologies, is a global provider of network security devices with a presence in more than 125 countries. Founded in 1999, Cyberoam ha its headquarter in Ahmedabad, India, but became part of Sophos in 2014. The company has approximately 550 employees worldwide.

Cyberoam primarily manufactures technology solutions for large enterprises and international organizations, integrating them into larger networks. These include:

  • Network security solutions, such as firewalls and UTM devices
  • Centralized security management devices
  • VPNs
  • Anti-Virus-, Spyware- and Anti-Spam-Tools
  • Web filtering
  • BBandwidth Management

Customers for these security solutions include global companies in manufacturing, healthcare, finance, retail, IT, etc., as well as educational institutions, the public sector and large government organizations.

Cyberoam software is typically used on the network to ensure its security through firewalls etc. Essentially, it is a gateway that allows employees and other authorized parties access while blocking any unauthorized access to the network. This is designed to ensure a high level of network control over Cyberoam appliances and software. Cyberoam also sells products designed for use in homes and small offices. With Sophos as its parent company, the products are likely to be present in your country.

Cyberoam has been noticed previously

Sophos Cyberoam Utm

These were not the first vulnerabilities discovered in Cyberoam’s security products. Here are a few incidents:

  • July 2012: Two security researchers discovered that Cyberoam uses the same SSL Certificate for many of its appliances. This would have allowed hackers to access and intercept traffic from any affected device on Cyberoam’s network.
  • 2018: Indian media reported that a hacker stole large portions of Cyberoam’s databases and offered them for sale on the Dark Web. Anonymous ethical hackers estimated that over 1 million files related to Cyberoam’s customers, partners and internal operations were available for purchase online.
  • 2019: White Hat hackers found another vulnerability and reported it in online media.

The bug discovered in 2019 and publicly disclosed is the basis for the vulnerabilities found now by vpnMentor in January 2020. The main vulnerability consisted of two separate but related vulnerabilities and affected user logins to the account on a Cyberoam appliance. Both vulnerabilities allowed hackers to access Cyberoam’s servers and consequently any device on which their firewalls and software were installed.

Discovering the vulnerability

The first bug was discovered in late 2019, publicly reported and immediately fixed by Sophos and Cyberoam (see for example this post). Shortly after the patch was released, an anonymous security researcher contacted vpnMentor and pointed out a new vulnerability that had been a consequence of the patch, and that was more serious than the patched vulnerability. While reviewing the reported vulnerability, security researcher Nadav Voloch discovered another vulnerability in the Cyberoam firewall software (standard credentials were used for all devices).

In total, these are three separate but related vulnerabilities in Cyberoam’s firewall software discovered within the last six months. Here is the timeline:

  • First vulnerability identified and remediated: Late 2019.
  • First anonymous report received on second vulnerability. 01/02/2020
  • Cyberoam contacted: 06/02/2020, 11/02/2020
  • Answer received: 12/02/20
  • Working with Cyberoam to address the vulnerability

The manufacturer’s developers responded immediately after they were contacted. However, I have not found any information where Cyberoam provides firmware updates

Vulnerability Details

In a preliminary announcement, the security researchers of vpnMentor disclosed the following details about the discovered vulnerabilities to me.

First vulnerability from 2019 (patched)

The first vulnerability identified (and patched) was an bug in the firewallOS of Cyberoam SSL VPNs. This flaw allowed access to any Cyberoam appliance through the SSL VPNs without requiring the username and password for the associated account.

It also provides full root access to the device, allowing any attacker to gain complete control over the device. This then enables access and control over the entire network in which this Cyberoam appliance has been integrated.

Cyberoam’s FirewallOS is a modified and centralized web-based version of Linux. All configurations, changes or commands required in a Cyberoam appliance are sent across the network in a Remote Command Execution (RCE).

Sophos Cyberoam Firewall Configuration

Due to a bug in the login interface of the firewallOS, hackers can access the Cyberoam network without a username or password and send RCE’s to any server on that network. This left the network completely open to attackers, so the vulnerability is quite serious.

This vulnerability has been fixed and patched by Cyberoam and Sophos, who have installed a tool called “Regex Filter” in their code to prevent such an attack. However, the patch was not comprehensive enough to bypass the security measures. And even worse, the patch created a new vulnerability that was even more serious than the original bug.

The second vulnerability

The second vulnerability was anonymously reported to vpnMentor by an ethical hacker, and is only present after installing the patch provided by Cyberoam and Sophos. It is in the regex filter installed by the patch to ensure that unauthenticated RCEs cannot be sent to their servers via a user account login window.

The problem: The Regex filter can be bypassed with a Base64 encoding. Base64 is a binary to text encoding scheme that converts binary data (consisting of 1 and 0) into the so-called ASCII string format. It can also be used for the reverse function: converting regular command codes into binary sequences of 1 and 0.

By filtering an RCE command via Base64 and embedding it in a Linux Bash command, a hacker can bypass the restriction in Cyberoam’s Regex filter and create arbitrary exploits targeting the quarantine email functionality of devices.

Unlike the first vulnerability, they did not even need the username and password of an account, but could instead focus on the request to release the quarantine email functionality. Using cloaked RCEs, attackers were able to enter an empty username on the login interface and send it directly to the servers from there. This makes the vulnerability even more critical than the first one, which was supposed to be closed.

After a successful network intrusion, unauthenticated RCE protocols and “shell commands” can be sent across an entire network. Full root access to the affected Cyberoam appliances was also still possible. This allowed the victim’s entire network to be attacked and controlled.

Sophos cyberoam to xg

Third vulnerability discovered by Nadav Voloch

Sophos

The latest problem in Cyberoam’s security protocols was made possible by Cyberoam’s default passwords for new accounts. It appears that accounts in the organization’s software are assigned default user names and passwords. For example:

  • cyberoam/cyber
  • admin/admin
  • root/admin

These must be changed by the users themselves. By combining the vulnerabilities in Cyberoam’s firewallOS with the standard credentials found, hackers can access any Cyberoam server still in Standard Configuration Mode and use them to attack the entire network.

Security software typically avoids this problem by not using standard credentials and only allowing access to an account when the user creates his own account. Stronger passwords should also be required, using numbers, symbols, and a mixture of upper and lower case letters.

Remember, if hackers use the Shodan search engine to find Cyberoam devices, they can access and take over any account that still uses the default username and password mode. And through a brute-force attack targeting all Cyberoam servers, hackers can easily access all servers still in default username/password mode. By the way, the Cyberoam/Sophos team has made it their business to offer network protection in the security arena – I don’t know what to say.

When using Sophos/Cyberoam devices, ensure that none of these instances on the network are using the default credentials provided by Cyberoam. Sophos’s latest security advisory is dated 2 January 2020 and can be found here. The information sent to me by vpnMentor does not mention any patched vulnerabilities. In a search I also did not find any Sophos security advisories (e.g. here) from February 2020. If I still receive information, I will add it.

Cookies helps to fund this blog: Cookie settings
Advertising

Many Cyberoam customers around the globe are already benefitting from the innovations that a switch to Sophos XG Firewall has brought them. With the recent release of XG version 18 you will find the same intuitive interface as well as new innovations to address some of the key issues you are likely facing today.

Here are just a few ways that switching to XG Firewall can benefit your business:

Sophos cyberoam to xg

1. World-class visibility into all your traffic

XG Firewall already broke new ground in past releases by using intelligence from the endpoint to identify applications, monitor the health of connected devices, and so automatically prevent the spread of infections.

The new Xstream architecture in XG v18 takes visibility to the next level by providing a system capable of inspecting encrypted traffic, thus reducing a massive security blind spot, with minimal impact on performance.

2. One console for your security solutions, management, and reporting

In addition to the v18 release, we have also introduced our new firewall management and reporting solutions in Sophos Central. Together, they turn an already powerful platform into your single point of reference for every firewall, endpoint, mobile device, and server.

Central Management for multiple appliances comes at no extra cost and offers greater efficiency for your day-to-day processes. Central Firewall Reporting provides the tools to create custom reports that offer actionable intelligence on user behavior, application usage, security events, and more for free.

3. Smarter handling of traffic and applications for better performance

The new Xstream architecture combines multiple protection technologies into a single DPI engine for more efficient handling of traffic. Trusted VoIP or video traffic can quickly be routed to the FastPath to reduce the risk of performance degradation.

New SD-WAN features in v18 include route-based VPN and Synchronized SD-WAN, which uses application identification from the endpoint to make QoS decisions and so ensure your mission-critical traffic is prioritized.

Next Steps

See XG Firewall in action with an instant, online demo. In less than a minute you’ll get access to a pre-populated demo instance so you can explore XG Firewall for yourself.

For customers already using an XG Series appliance with at least 4 GB of RAM, you can upgrade to v18 today (providing you have a valid license).

If you’re not yet on an XG appliance, that would be a prerequisite for an upgrade. Cyberoam appliances are not supported in v18. Speak to your local Sophos representative about a hardware refresh and how they can help you with your switch to XG Firewall.

If you need further assistance, please give us a call.