Cyberoam Unified Threat Management: Insecure Password Handling
Cyberoam Unified Threat Management appliances offer security, connectivity and productivity to Small Office-Home Office (SOHO) and Remote Office-Branch Office (ROBO) users by allowing user identity-based policy controls.
Cyberoam UTM integrates with Active Directory. In order to query data from a configured AD, domain credentials are stored within the device. These credentials are retrievable by any authenticated user.
Domain credentials are stored on the device and passed to web clients on a diagnostic page (Identity –> Authentication –> Authentication Server –> /Select Configured AD/ ). Authenticated clients can thus easily access stored credentials.
A trivial check for this follows (replace the cookie value with a valid session):
curl -s -b "JSESSIONID=u2ur76lhy4qt" -H "Referer: blah"
The vulnerability allows a malicious user to access potentially privileged domain credentials. If default passwords have not been changed, this is a trivial entry point onto a Windows domain.
Systems affected: Cyberoam CR50ia 10.01.0 build 678
Severity: High