Cyberoam intercept flaw puts enterprises at risk

Powered by SC Magazine
 

Deep packet inspection boxes spy on staff.

Enterprises using Cyberoam deep packet inspection devices could have traffic intercepted by anyone using its shared certificate.

Tor Project security researcher Runa Sandvik and OpenSSL's Ben Laurie discovered the devices used the same Certificate Authority certificate and private key.

That gaffe made it possible for any DPI box to grab traffic from employees monitored by Cyberoam devices. 

The fake certificate, credit: Tor Project

“It is therefore possible to intercept traffic from any victim (employee) of a Cyberoam device with any other Cyberoam device — or, indeed, to extract the key from the device and import it into other DPI devices, and use those for interception,” Sandvik said in an advisory.

“Victims should uninstall the Cyberoam CA certificate from their browsers and decline to complete any connection which gives a certificate warning.”

Sandvik and Laurie began researching the hole after a Tor user in Jordan reported seeing a fake Cyberoam certificate for the TorProject.org. They discovered the user’s traffic was intercepted by a Cyberoam device.

Trusted certificates had to be installed on employee machines, referred to as victims, in order for DPI to work. But that Cyberoam victims all installed the same trusted CA which would issue fake certificates was “a little surprising” Sandvik said.

The Tor boffin alerted Indian-based Cyberoam about the flaw (CVE-2012-3372) on June 30 and her intention to publish an advisory on July 3.

The company acknowledged the vulnerability and said it would investigate. The company has been contacted by SC for comment.

Users can delete the root CA by following these instructions.

Copyright © SC Magazine, Australia


Cyberoam intercept flaw puts enterprises at risk
Tags
 
 
 
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1071

Vote