Hard-coded credentials, pre-auth RCE as root…
The patch for a critical bug in Cyberoam’s firewall appliances – a bug which could have let an attacker gain easy root access to hundreds of thousands of exposed servers, then piggy-back on them into corporate intranets – failed to fully mitigate the major security flaw, and ultimately provided an even more reliable vector for attack that required no authentication whatsoever.
That’s according to a new report seen by Computer Business Review this week and published by VPNmentor today. It details how an attacker could bypass Cyberoam owner Sophos’ September 2019 regex-based hotfix by encoding a previous pre-authentication remote code execution (RCE) command through Base64 and wrapping it in a Linux bash command for root access.
This created an even “more versatile exploit… was highly reliable and relatively straightforward to exploit”. A hacker abusing it could then send unauthenticated root RCE commands and “easily pivot into other personal devices” across corporate networks, the report says.
(Compounding the failure, the security software also shipped with hard-coded default credentials, e.g. “admin/admin”; “root/admin”.)
The initial patch in question came in response to CVE-2019-17059: a bug in a web-based firewall operating system interface for Cyberoam’s cybersecurity products. Exploitation gave an attacker root access to Cyberoam’s firewall.
It could be abused via a malicious request to either Cyberoam’s Web Admin or SSL VPN consoles. Sophos described it at the time as a “critical shell injection vulnerability” which could be “exploited by sending a malicious request to either the Web Admin or SSL VPN consoles, which would enable an unauthenticated remote attacker to execute arbitrary commands.”
The vulnerability, which targeted weak configuration of an email quarantine release system, was fixed by Cyberoam owner Sophos in late September 2019.
Yet that Sophos patch in turn was easy to bypass: “The disguised RCEs could be entered into a blank POST parameter input on the login interface and sent directly to the servers from there. Once you gain a shell, the attacker can send unauthenticated root RCE commands across an entire network”.
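The bypass described above hinges on a general weakness of regex blocklist hotfixes: a filter that looks for known-bad substrings or shell metacharacters never sees those characters once the payload is encoded, because the encoded form is built from a different alphabet. The following Python is an added illustration written for this article, not Sophos's hotfix or any Cyberoam code; the blocklist pattern, the allowlist shape of a "release id" and the command path are all assumptions chosen for the example. It contrasts a blocklist filter with the two controls that actually close the hole: validating the input against a strict allowlist of what it is supposed to look like, and never handing it to a shell at all.

```python
import base64
import re

# Toy blocklist in the spirit of a regex hotfix: reject inputs containing shell
# metacharacters or a couple of known-bad substrings. Constructed for this
# example; it is NOT the pattern Sophos shipped.
BLOCKLIST = re.compile(r"[;|&`$<>]|/bin/sh|/bin/bash")

# Allowlist: we assume a quarantine release id is an opaque token of letters,
# digits, '-' and '_', 1-64 characters long. Anything else is simply rejected.
ALLOWLIST = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def blocklist_allows(value: str) -> bool:
    """True when the blocklist filter would let the value through."""
    return BLOCKLIST.search(value) is None


def allowlist_allows(value: str) -> bool:
    """True only when the value has exactly the expected shape."""
    return ALLOWLIST.fullmatch(value) is not None


def encoded_form_evades_blocklist(value: str) -> bool:
    """Show why substring/metacharacter blocklists fail against encoding:
    returns True when the blocklist rejects `value` but accepts its Base64
    encoding, i.e. the filter never sees the characters it is looking for."""
    encoded = base64.b64encode(value.encode()).decode()
    return (not blocklist_allows(value)) and blocklist_allows(encoded)


def build_release_argv(release_id: str) -> list[str]:
    """Hardened handling: validate against the allowlist, then build an argv
    list to be executed with subprocess.run(argv, shell=False). With no shell
    involved there is nothing for encoded or quoted payloads to be interpreted
    by. The command path is a hypothetical placeholder, not a real binary."""
    if not allowlist_allows(release_id):
        raise ValueError("release id rejected by allowlist: %r" % release_id)
    return ["/usr/local/bin/release-quarantined-mail", "--id", release_id]


if __name__ == "__main__":
    for sample in ("msg-42", "a;id", "L2Jpbi9zaA=="):  # last one is base64("/bin/sh")
        print("%-14s blocklist=%-5s allowlist=%s" % (
            sample, blocklist_allows(sample), allowlist_allows(sample)))
    print("encoding evades blocklist:", encoded_form_evades_blocklist("/bin/sh"))
```

The key observation is that `encoded_form_evades_blocklist("/bin/sh")` is true: the blocklist rejects the raw string but waves through `L2Jpbi9zaA==`, whereas the allowlist rejects it simply because `=` is not part of a valid id. Validating the shape of the expected value and executing without `shell=True` removes the whole class of encoding tricks rather than chasing them one regex at a time.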
As VPNmentor, which was tipped off to the bug by an anonymous white hat, notes: “Once hackers gain remote access to the CyberoamOS shell, they could indirectly access any server file and monitor the entire network.
“This is also a privileged position to pivot into other devices connected to the same network (often an entire organization).
“The security issues created by the vulnerabilities were easily ‘wormable’ to spread across networks. If someone wanted to, they could have easily automated taking over all Cyberoam servers in a matter of minutes,” VPNmentor researchers say, adding that they identified 170,000 exposed servers. (Sophos says a maximum of 70,000 were potentially affected).
The patch, in turn, has now been patched by Sophos – which pushed out a fresh fix on February 24-26 and today downplayed the vulnerability, saying it “quickly and automatically” fixed the flaws, adding in a statement emailed to Computer Business Review that “no systems were reported impacted”.
Yet security researchers this week warned that with vulnerabilities in VPNs closely watched by advanced adversaries, bad actors are highly likely to have also reverse engineered the initial patch and identified the bug — although Sophos says it has seen no proof of exploit in the wild.
Ophir Harpaz, a security researcher at Guardicore Labs, said: “VPN vulnerabilities allow remote access to internal networks and the critical assets within them. For this reason, these types of vulnerabilities are extensively used by attackers who seek to get a foot in the door. VPN is one of the first services to surface in the initial reconnaissance phase – and thus VPN products attract hackers and security researchers alike to spot exploitable bugs.
She added: “Sophos’s original patch for the pre-auth RCE vulnerability is a piece of code that was probably looked at by many eyeballs… If you run the security of an organization that is in the crosshairs of top-notch cybercriminals or nation-states, you should be worried. High chances your predators found the base64 bypass before the hotfix was published.”
Hyderabad-based Cyberoam was bought by Sophos in early 2014. It provides a range of security products and claims customers across 125 countries, including “global corporations in the manufacturing, healthcare, finance, retail, IT sectors… and large government organizations”. (As VPNmentor notes, “many banks… were using Cyberoam products as a gateway to their network from the outside, so this opened direct access to their intranet.”)
Sophos said: “We are extremely quick to work with and respond to researchers, and encourage responsible disclosure with the community and through our bug bounty program. On Oct. 10, 2019, we quickly resolved CVE-2019-17059, and on March 10, 2020, we quickly and automatically resolved a pre-auth RCE vulnerability in the same feature affected by CVE-2019-17059, as well as the default passwords in CROS. In both cases, all customers were promptly notified, and no systems were reported impacted. Customer security is our top priority and these issues were quickly resolved.”
The products affected by these vulnerabilities are no longer available for purchase and reach end-of-life by Q1 2022.
As Guardicore’s Harpaz notes, however, “companies big and small continue to run end-of-life systems for legacy and stability reasons”.
With a report this week by the FBI emphasising that “malicious cyber actors are increasingly targeting unpatched Virtual Private Network vulnerabilities” and plenty of companies running their own (often inconsistent) patching regimes, users should be checking that the hotfixes have been applied.