Pierluigi Paganini October 11, 2019

A vulnerability in Sophos Cyberoam firewalls could be exploited by an attacker to gain access to a target’s internal network without authentication.

Sophos addressed a vulnerability in its Cyberoam firewalls that could be exploited by an attacker to gain access to a company’s internal network without providing a password.

“A critical shell injection vulnerability in Sophos Cyberoam Firewall appliances running CyberoamOS (CROS) version 10.6.6 MR-5 and earlier was recently discovered and responsibly disclosed to Sophos by an external security researcher.” reads the advisory published by Sophos.

“The vulnerability can be potentially exploited by sending a malicious request to either the Web Admin or SSL VPN consoles, which would enable an unauthenticated remote attacker to execute arbitrary commands.”

The vulnerability is a critical shell injection vulnerability that could allow a remote attacker to gain “root” permissions on vulnerable equipment, it could be exploited by sending malicious commands across the internet.

The vulnerability, tracked as CVE-2019-17059, was discovered by the security expert Rob Mardisalu that reported it to Sophos. The expert also reported the issue to Techcrunch that first reported the news.

“We’ve been working hard with internal and external security researchers to uncover serious remotely exploitable loopholes in SSL VPNs and Firewalls like Cyberoam, Fortigate and Cisco VPNs.” reads the security advisory published by the expert. “This Cyberoam exploit, dubbed CVE-2019-17059 is a critical vulnerability that lets attackers access your Cyberoam device without providing any username or password. On top of that, the access granted is the highest level (root), which essentially gives an attacker unlimited rights on your Cyberoam device.”

Cyberoam firewalls are used in large enterprises, they offer stateful and deep packet inspection for network, application and user identity-based security. Cyberoam Firewall protects organizations from DoS, DDoS and IP Spoofing attacks.

Mardisalu revealed that according to Shodan there are more than 96,000 internet-facing Cyberoam devices worldwide, most of them in enterprises, universities and banks.

The flaw is similar to the recently disclosed vulnerabilities in Palo Alto Networks, Pulse Secure and Fortinet VPN solutions.

“It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password.” reported TechCrunch “Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.”

The flaw affects Cyberoam Firewalls running CROS 10.6.6 MR-5 and earlier, Sophos plans to include a fix in the next update of its CyberoamOS operating system.

“There are a small amount of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.” said the spokesperson.

The researcher will release the proof-of-concept code in the coming months.

Pierluigi Paganini

(SecurityAffairs – Cyberoam firewalls, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]