New Report: Severe Flaws in Cyberoam’s Firewall and VPN Technology Left At Least 86,000 Networks Vulnerable to Exploit
1 - 2 min read
May 17, 2020
A new report published by vpnMentor examines two critical vulnerabilities in cybersecurity provider Cyberoam’s firewall and VPN technology, which - both independently and combined - could be exploited by malicious actors to access the company’s email quarantine system without authentication and remotely execute arbitrary commands.
These flaws were discovered by different security researchers working independently, and have both been patched by Sophos.
The first security bug, which existed in the FirewallOS of the Cyberoam SSL VPN and allowed unauthenticated root remote command execution (pre-auth RCE), was reported in late 2019. This vulnerability provided access to any Cyberoam device by exploiting its email quarantine release system - without requiring the username and password for the account linked to it. VpnMentor explains the serious implications of this flaw: “We found many banks and big corporations were using Cyberoam products as a gateway to their network from the outside, so this opened direct access to their intranet (local networks, often with more sensitive data). Exploiting the vulnerability also allowed relatively easy escalation to ‘root’ access on the device, which would grant a malicious hacker total control of the target device - and potentially the entire network into which that device was integrated.”
Sohos attempted to remedy this security issue by installing a regex-based patch into their code; however, the tech giant’s work was far from over. A second critical remote code execution (RCE) vulnerability, which was discovered in January of 2020, could have been exploited by threat actors to bypass the patch in Cyberoam’s regex filter and create a more versatile attack targeting the quarantine email functionality of Cyberoam’s devices - without even needing a username or password. And exploiting this security bug was fairly simple: it involved encoding the previous RCE command through Base64 and wrapping it in a Linux Bash Command. Luckily, both of these flaws - which left at least 86,000 networks exposed and susceptible to data theft and account takeovers - were successfully patched before they were discovered and exploited by criminal hackers.
Read more about these vulnerabilities in a vpnMentor report: Critical Flaws in Cybersecurity Devices Exposed Entire Networks to Attack and Takeover.
