Cyberoam SSL VPN Client - Plain-text Storage of Username and Password

Vulnerability Summary:

Product: Cyberoam SSL VPN Client v1.0
Vendor: eLiteCore
Website: http://www.cyberoam.com/
Platform: Windows
Vulnerability Classification: Insecure Storage of User Credentials
Issue Fixed in Version: Cyberoam SSL VPN 9.6.0.78
Issue Discovered By: Wasim Halani (washal)
Organization: Network Intelligence India Pvt. Ltd. (http://www.niiconsulting.com/)
Advisory Link: http://niiconsulting.com/vul/CyberoamSSLVPNClient.html
Date of Advisory: 26th May, 2010

Product Info:

"SSL VPN client is used for establishing remote connections in full access mode. A remote user having an internet connection can download and install SSL VPN Client. Once the client is installed, an encrypted tunnel is established for secure access to the corporate network after providing user credentials."

Vulnerability Description:

The Cyberoam SSL VPN client (CrSSL.exe) provides the user with an option to save their credentials on the system for later use.

[IMG: http://niiconsulting.com/images/crssl-client-save-credentials.jpg ]

These details (username and password) are stored in the Windows registry under the HKEY_CURRENT_USER hive. The credentials are stored in plain text, in their respective values, at the location below:

My Computer\HKEY_CURRENT_USER\Software\SslElite\CrSSL-Client
    jalpassword=
    jalusername=

[IMG: http://niiconsulting.com/images/plain-text-username-password.jpg ]

Vendor Communication:

27th October, 2009 - Vendor informed about vulnerability
28th October, 2009 - Confirmation of receipt of email
6th November, 2009 - Vendor confirms issue. To be considered a 'feature request'.
3rd March, 2010 - Vendor informs us that the next firmware release will fix the issue.
5th May, 2010 - Vendor confirms that the version 9.6.0.78 of the Cyberoam SSL VPN and its corresponding SSL VPN client do not have the vulnerability.
[IMG: http://niiconsulting.com/images/ssl-registry-fix.JPG ]

Solution:

Upgrade to the latest version of the Cyberoam SSL VPN, available on the vendor website.

Acknowledgements:

We would like to thank Mr. Rakesh Patel of eLiteCore for the cooperation he has shown in fixing the vulnerability.

--
Wasim Halani
Security Analyst
Network Intelligence India Pvt. Ltd.
http://www.niiconsulting.com/
Blog: http://www.niiconsulting.com/checkmate/
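
The following audit script is an added example, not part of the original advisory or of the vendor's software. It checks a Windows host for the saved values named in the Vulnerability Description and reports only their presence and length, never the stored data. It assumes an elevated PowerShell session so that other users' loaded hives under HKEY_USERS are readable; the function name and the SID filter are choices made for this example.

```powershell
# Added example: audit loaded user hives for credentials saved by the
# Cyberoam SSL VPN client. Key path and value names are from the advisory.
# Reports presence and length only; the stored values are never printed.

$SubKey     = 'Software\SslElite\CrSSL-Client'
$ValueNames = 'jalusername', 'jalpassword'

function Get-CrSslSavedCredentialFinding {
    # HKEY_CURRENT_USER is per-user, so walk every hive loaded under HKEY_USERS.
    # Hives of users who are not logged on are not loaded and are not covered.
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }  # user SIDs, no *_Classes

    foreach ($hive in $userHives) {
        $sid  = $hive.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$SubKey"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $props = Get-ItemProperty -LiteralPath $path
        foreach ($name in $ValueNames) {
            $value = $props.$name
            if ([string]::IsNullOrEmpty($value)) { continue }

            # Emit one finding per populated value, without the value itself.
            [pscustomobject]@{
                Sid       = $sid
                Key       = $path
                ValueName = $name
                Length    = ([string]$value).Length
            }
        }
    }
}

$findings = @(Get-CrSslSavedCredentialFinding)
if ($findings.Count -eq 0) {
    Write-Output 'No saved CrSSL-Client credentials found in loaded user hives.'
} else {
    $findings | Format-Table -AutoSize
    Write-Output 'Saved credentials present: upgrade the client and have these users change their VPN passwords.'
}
```

Profiles that are not logged on at the time of the scan have no hive under HKEY_USERS, so a clean result covers only the sessions that were active.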