Three vulnerabilities in Sophos/Cyberoam firewall technology

[German]Security researchers have discovered three vulnerabilities in Cyberoam firewalls (owned by British company Sophos). The vulnerabilities leave millions of devices and, in principle, the entire network vulnerable to security attacks. The products are used in corporate networks and are accessible via the Internet (sometimes with standard credentials).


A hotfix for the firmware has been issued at end of February 2020. Here I prepare some information that I received from security researchers of vpnMentor about this issue.

Note: The article was originally published by me on February 29, 2020. I took it offline again at vpnMentor's request – although a hotfix was already available. On May 14, 2020 vpnMentor published this blog post with more details.

In brief: Three vulnerabilities in Cyberoam appliances

Three vulnerabilities have been discovered in the firewall technology of cyber security vendor Cyberoam by various security experts and ethical hackers.

  • The first vulnerability was reported in late 2019. There is a patch in place, but it reveals another vulnerability.
  • The second vulnerability was reported anonymously to vpnMentor by a security expert.
  • During the review of this reported vulnerability the security team of vpnMentor discovered the third vulnerability, which had also gone unnoticed until now.

These vulnerabilities potentially expose users of millions of devices to the risk of attacks from the Internet and the risk of the devices hijacking. The bugs allow any hacker to access and take over hundreds of thousands, possibly millions, of Sophos/Cyberoam devices via the internet. Potential risks are:

  • Theft of private data
  • Network, account and device transfer
  • Embedding malicious software into an entire network and individual devices

Cyberoam and Sophos's customers base include large enterprises, multinational corporations and major international banks. Google, Microsoft and Apple are just a few of the well-known names among the 100,000 companies. There are also around 1 million individuals using security tools from this vendor.

If these vulnerabilities would have been discovered by criminal hackers, the impact on those affected could have been catastrophic. As the security researchers write in the message I received, the vulnerable Cyberoam appliances are detectable via the Internet using search engines such as Shodan.


Who is Cyberoam?

Cyberoam Technologies, is a global provider of network security devices with a presence in more than 125 countries. Founded in 1999, Cyberoam ha its headquarter in Ahmedabad, India, but became part of Sophos in 2014. The company has approximately 550 employees worldwide.

Cyberoam primarily manufactures technology solutions for large enterprises and international organizations, integrating them into larger networks. These include:

  • Network security solutions, such as firewalls and UTM devices
  • Centralized security management devices
  • VPNs
  • Anti-Virus-, Spyware- and Anti-Spam-Tools
  • Web filtering
  • BBandwidth Management

Customers for these security solutions include global companies in manufacturing, healthcare, finance, retail, IT, etc., as well as educational institutions, the public sector and large government organizations.

Cyberoam software is typically used on the network to ensure its security through firewalls etc. Essentially, it is a gateway that allows employees and other authorized parties access while blocking any unauthorized access to the network. This is designed to ensure a high level of network control over Cyberoam appliances and software. Cyberoam also sells products designed for use in homes and small offices. With Sophos as its parent company, the products are likely to be present in your country.

Cyberoam has been noticed previously

These were not the first vulnerabilities discovered in Cyberoam's security products. Here are a few incidents:

  • July 2012: Two security researchers discovered that Cyberoam uses the same SSL Certificate for many of its appliances. This would have allowed hackers to access and intercept traffic from any affected device on Cyberoam's network.
  • 2018: Indian media reported that a hacker stole large portions of Cyberoam's databases and offered them for sale on the Dark Web. Anonymous ethical hackers estimated that over 1 million files related to Cyberoam's customers, partners and internal operations were available for purchase online.
  • 2019: White Hat hackers found another vulnerability and reported it in online media.

The bug discovered in 2019 and publicly disclosed is the basis for the vulnerabilities found now by vpnMentor in January 2020. The main vulnerability consisted of two separate but related vulnerabilities and affected user logins to the account on a Cyberoam appliance. Both vulnerabilities allowed hackers to access Cyberoam's servers and consequently any device on which their firewalls and software were installed.

Discovering the vulnerability

The first bug was discovered in late 2019, publicly reported and immediately fixed by Sophos and Cyberoam (see for example this post). Shortly after the patch was released, an anonymous security researcher contacted vpnMentor and pointed out a new vulnerability that had been a consequence of the patch, and that was more serious than the patched vulnerability. While reviewing the reported vulnerability, security researcher Nadav Voloch discovered another vulnerability in the Cyberoam firewall software (standard credentials were used for all devices).

In total, these are three separate but related vulnerabilities in Cyberoam's firewall software discovered within the last six months. Here is the timeline:

  • First vulnerability identified and remediated: Late 2019.
  • First anonymous report received on second vulnerability. 01/02/2020
  • Cyberoam contacted: 06/02/2020, 11/02/2020
  • Answer received: 12/02/20
  • Working with Cyberoam to address the vulnerability

The manufacturer's developers responded immediately after they were contacted. However, I have not found any information where Cyberoam provides firmware updates

Vulnerability Details

In a preliminary announcement, the security researchers of vpnMentor disclosed the following details about the discovered vulnerabilities to me.

First vulnerability from 2019 (patched)

The first vulnerability identified (and patched) was an bug in the firewallOS of Cyberoam SSL VPNs. This flaw allowed access to any Cyberoam appliance through the SSL VPNs without requiring the username and password for the associated account.

It also provides full root access to the device, allowing any attacker to gain complete control over the device. This then enables access and control over the entire network in which this Cyberoam appliance has been integrated.

Cyberoam's FirewallOS is a modified and centralized web-based version of Linux. All configurations, changes or commands required in a Cyberoam appliance are sent across the network in a Remote Command Execution (RCE).

Due to a bug in the login interface of the firewallOS, hackers can access the Cyberoam network without a username or password and send RCE's to any server on that network. This left the network completely open to attackers, so the vulnerability is quite serious.

This vulnerability has been fixed and patched by Cyberoam and Sophos, who have installed a tool called "Regex Filter" in their code to prevent such an attack. However, the patch was not comprehensive enough to bypass the security measures. And even worse, the patch created a new vulnerability that was even more serious than the original bug.

The second vulnerability

The second vulnerability was anonymously reported to vpnMentor by an ethical hacker, and is only present after installing the patch provided by Cyberoam and Sophos. It is in the regex filter installed by the patch to ensure that unauthenticated RCEs cannot be sent to their servers via a user account login window.

The problem: The Regex filter can be bypassed with a Base64 encoding. Base64 is a binary to text encoding scheme that converts binary data (consisting of 1 and 0) into the so-called ASCII string format. It can also be used for the reverse function: converting regular command codes into binary sequences of 1 and 0.

By filtering an RCE command via Base64 and embedding it in a Linux Bash command, a hacker can bypass the restriction in Cyberoam's Regex filter and create arbitrary exploits targeting the quarantine email functionality of devices.

Unlike the first vulnerability, they did not even need the username and password of an account, but could instead focus on the request to release the quarantine email functionality. Using cloaked RCEs, attackers were able to enter an empty username on the login interface and send it directly to the servers from there. This makes the vulnerability even more critical than the first one, which was supposed to be closed.

After a successful network intrusion, unauthenticated RCE protocols and "shell commands" can be sent across an entire network. Full root access to the affected Cyberoam appliances was also still possible. This allowed the victim's entire network to be attacked and controlled.

Third vulnerability discovered by Nadav Voloch

The latest problem in Cyberoam's security protocols was made possible by Cyberoam's default passwords for new accounts. It appears that accounts in the organization's software are assigned default user names and passwords. For example:

  • cyberoam/cyber
  • admin/admin
  • root/admin

These must be changed by the users themselves. By combining the vulnerabilities in Cyberoam's firewallOS with the standard credentials found, hackers can access any Cyberoam server still in Standard Configuration Mode and use them to attack the entire network.

Security software typically avoids this problem by not using standard credentials and only allowing access to an account when the user creates his own account. Stronger passwords should also be required, using numbers, symbols, and a mixture of upper and lower case letters.

Remember, if hackers use the Shodan search engine to find Cyberoam devices, they can access and take over any account that still uses the default username and password mode. And through a brute-force attack targeting all Cyberoam servers, hackers can easily access all servers still in default username/password mode. By the way, the Cyberoam/Sophos team has made it their business to offer network protection in the security arena – I don't know what to say.

When using Sophos/Cyberoam devices, ensure that none of these instances on the network are using the default credentials provided by Cyberoam. Sophos's latest security advisory is dated 2 January 2020 and can be found here. The information sent to me by vpnMentor does not mention any patched vulnerabilities. In a search I also did not find any Sophos security advisories (e.g. here) from February 2020. If I still receive information, I will add it.

Cookies helps to fund this blog: Cookie settings


This entry was posted in devices, Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *