Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cyberoam UTM Credential Disclosure

🗓️ 21 Mar 2012 00:00:00Reported by Saurabh HaritType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 37 Views

Cyberoam UTM Credential Disclosure vulnerability in Cyberoam CR50ia 10.01.0 build 678 allows access to stored domain credential

Code
`SECURITY ADVISORY: cyberoam-utm-insecure-password-handling  
  
Affected Software: Cyberoam CR50ia 10.01.0 build 678  
Vulnerability: Insecure Password Handling  
Severity: High  
Release Date: Unreleased  
  
  
I. Background  
~~~~~~~~~~~~~   
  
"Cyberoam Unified Threat Management appliances offer assured security,  
connectivity and productivity to Small Office-Home Office (SOHO) and  
Remote Office-Branch Office (ROBO) users by allowing user  
identity-based policy controls."  
  
Cyberoam UTM integrates with Active Directory. In order to query data  
from a configured AD, domain credentials are stored within the device.  
These credentials are retrievable by an authenticated user.  
  
  
II. Description  
~~~~~~~~~~~~~~~  
  
Domain credentials are stored on the device and passed to web  
clientson a diagnostic page (Identity --> Authentication -->  
Authentication Server --> /Select Configured AD/ ). Authenticated  
clients can thus easily access stored credentials.  
  
A trivial check for this follows (replace cookie value):  
  
curl -s -b "JSESSIONID=u2ur76lhy4qt" -H "Referer: blah"  
"http://<webserver>/corporate/webpages/identity/ActiveDirectoryEdit.jsp?__RequestType=ajax&&objectID=1&pageid=pagePopupForm1"|egrep  
'(adminusername|passwdvalue)'  
  
  
III. Impact  
~~~~~~~~~~~  
  
The vulnerability allows a malicious user to access potentially  
privileged domain credentials. Should default passwords not be  
changed, then this is a trivial entry point onto a Windows domain.  
  
  
IV. Remediation  
~~~~~~~~~~~~~~~  
  
Do not return stored credentials to the browser.  
  
  
V. Disclosure  
~~~~~~~~~~~~~  
  
Reported By: Saurabh Harit, Senior Security Analyst, SensePost  
  
Discovery Date: 2011-11-01  
  
  
VI. References  
~~~~~~~~~~~~~  
  
[1] http://www.cyberoamworks.com/Cyberoam-CR50ia.asp  
  
Thanks & Regards,  
-------------------------------------------------------  
Saurabh Harit  
Senior Security Analyst  
SensePost Pvt Ltd  
Phone: +27 768006821  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Mar 2012 00:00Current
7.4High risk
Vulners AI Score7.4
cyberoam utmcredential disclosurecyberoam cr50iainsecure password handlingactive directoryvulnerabilityhigh severitysensepost
37