Many Cyberoam customers around the globe are already benefitting from the innovations that a switch to Sophos XG Firewall has brought them. With the recent release of XG version 18 you will find the same intuitive interface as well as new innovations to address some of the key issues you are likely facing today. May 18, 2020 Who is Cyberoam? Cyberoam Technologies, is a global provider of network security devices with a presence in more than 125 countries. Founded in 1999, Cyberoam ha its headquarter in Ahmedabad, India, but became part of Sophos in 2014. Cyberoam – a Sophos Company, secures organizations with its wide range of product offerings at the network gateway. Cyberoam leverages the power of multi-core processors, offering enterprise-grade performance, in its appliances.

• Cyberoam To Sophos
• Sophos Cyberoam
• Sophos Cyberoam To Xg Migration
• Sophos Cyberoam Ahmedabad
• Sophos Cyberoam Support

Today we announced that Sophos has acquired Cyberoam, a leading UTM company headquartered in Ahmedabad, India. I just wanted to share a few thoughts about the announcement, and mention some of the reasons why I think bringing Sophos and Cyberoam together is an exciting combination for our two companies, as well as for our customers, our partners, and the industry as a whole.

This transaction brings together two highly successful companies in network security, and positions us well to succeed further in this dynamic and fast-growing market. We believe Cyberoam and Sophos are a compelling combination in several key respects:

Cyberoam To Sophos

• The right market: This represents Sophos “doubling down” on our commitment to the network security market.
• The right technology: Cyberoam’s technology has a similar product architecture as our Sophos UTM, which will aid in longer-term integration. And each company has a variety of complementary technologies that offer opportunities to sell new and differentiated products.
• The right place: Cyberoam allows us to scale our engineering efforts with a strong and highly innovative product engineering center in India; expands our resources in UTM-oriented sales, marketing, customer support, and operations; and allows us to drive growth in several emerging markets, including India, the Middle East and Africa, where Cyberoam has a particularly strong presence.

Our goal in coming together is very simple: to expand and accelerate on the success that each company is already enjoying today. According to IDC, the UTM market is approximately $2.5 billion and growing at 20% per year. Both Cyberoam and Sophos are performing very well in the UTM market, and outgrowing our competitors. But our ambition is to become a much larger player in network security – not only in UTM, but in a number of exciting adjacent markets that are growing as fast or even faster, like next-generation firewall (NGFW), advanced persistent threat (APT) protection, and wireless security.

In terms of our integration plans, our approach is simple: “Business as usual – but better.” We don’t expect to make any changes to either company’s 2014 UTM product roadmaps. Over time, we will certainly look for opportunities to leverage the best of both companies to enhance our existing products and to add new products to our roadmap.

You will hear more in the days and weeks to come as to why we feel this combination is great news for our customers, our partners, and the industry as a whole. In the meantime, I encourage you to watch the short video from me and Hemal Patel, the CEO of Cyberoam, that provides a bit more background on the transaction and why we’re excited about it. If you are a Sophos customer, please check our FAQ for more background. And if you’re a partner, be sure to visit the Sophos Partner Portal or Cyberoam Partner Portal for more information.

We have an exciting road ahead of us at Sophos, and I am thrilled to have the Cyberoam team on board to help us accelerate our momentum.

Yours sincerely,

Kris Hagerman, Sophos CEO

[German]Security researchers have discovered three vulnerabilities in Cyberoam firewalls (owned by British company Sophos). The vulnerabilities leave millions of devices and, in principle, the entire network vulnerable to security attacks. The products are used in corporate networks and are accessible via the Internet (sometimes with standard credentials).

A hotfix for the firmware has been issued at end of February 2020. Here I prepare some information that I received from security researchers of vpnMentor about this issue.

Note: The article was originally published by me on February 29, 2020. I took it offline again at vpnMentor’s request – although a hotfix was already available. On May 14, 2020 vpnMentor published this blog post with more details.

In brief: Three vulnerabilities in Cyberoam appliances

Three vulnerabilities have been discovered in the firewall technology of cyber security vendor Cyberoam by various security experts and ethical hackers.

• The first vulnerability was reported in late 2019. There is a patch in place, but it reveals another vulnerability.
• The second vulnerability was reported anonymously to vpnMentor by a security expert.
• During the review of this reported vulnerability the security team of vpnMentor discovered the third vulnerability, which had also gone unnoticed until now.

These vulnerabilities potentially expose users of millions of devices to the risk of attacks from the Internet and the risk of the devices hijacking. The bugs allow any hacker to access and take over hundreds of thousands, possibly millions, of Sophos/Cyberoam devices via the internet. Potential risks are:

Sophos Cyberoam

• Theft of private data
• Network, account and device transfer
• Embedding malicious software into an entire network and individual devices

Cyberoam and Sophos’s customers base include large enterprises, multinational corporations and major international banks. Google, Microsoft and Apple are just a few of the well-known names among the 100,000 companies. There are also around 1 million individuals using security tools from this vendor.

If these vulnerabilities would have been discovered by criminal hackers, the impact on those affected could have been catastrophic. As the security researchers write in the message I received, the vulnerable Cyberoam appliances are detectable via the Internet using search engines such as Shodan.

Who is Cyberoam?

Sophos Cyberoam To Xg Migration

Cyberoam Technologies, is a global provider of network security devices with a presence in more than 125 countries. Founded in 1999, Cyberoam ha its headquarter in Ahmedabad, India, but became part of Sophos in 2014. The company has approximately 550 employees worldwide.

Cyberoam primarily manufactures technology solutions for large enterprises and international organizations, integrating them into larger networks. These include:

• Network security solutions, such as firewalls and UTM devices
• Centralized security management devices
• VPNs
• Anti-Virus-, Spyware- and Anti-Spam-Tools
• Web filtering
• BBandwidth Management

Customers for these security solutions include global companies in manufacturing, healthcare, finance, retail, IT, etc., as well as educational institutions, the public sector and large government organizations.

Cyberoam software is typically used on the network to ensure its security through firewalls etc. Essentially, it is a gateway that allows employees and other authorized parties access while blocking any unauthorized access to the network. This is designed to ensure a high level of network control over Cyberoam appliances and software. Cyberoam also sells products designed for use in homes and small offices. With Sophos as its parent company, the products are likely to be present in your country.

Cyberoam has been noticed previously

These were not the first vulnerabilities discovered in Cyberoam’s security products. Here are a few incidents:

Sophos Cyberoam Ahmedabad

• July 2012: Two security researchers discovered that Cyberoam uses the same SSL Certificate for many of its appliances. This would have allowed hackers to access and intercept traffic from any affected device on Cyberoam’s network.
• 2018: Indian media reported that a hacker stole large portions of Cyberoam’s databases and offered them for sale on the Dark Web. Anonymous ethical hackers estimated that over 1 million files related to Cyberoam’s customers, partners and internal operations were available for purchase online.
• 2019: White Hat hackers found another vulnerability and reported it in online media.

The bug discovered in 2019 and publicly disclosed is the basis for the vulnerabilities found now by vpnMentor in January 2020. The main vulnerability consisted of two separate but related vulnerabilities and affected user logins to the account on a Cyberoam appliance. Both vulnerabilities allowed hackers to access Cyberoam’s servers and consequently any device on which their firewalls and software were installed.

Discovering the vulnerability

The first bug was discovered in late 2019, publicly reported and immediately fixed by Sophos and Cyberoam (see for example this post). Shortly after the patch was released, an anonymous security researcher contacted vpnMentor and pointed out a new vulnerability that had been a consequence of the patch, and that was more serious than the patched vulnerability. While reviewing the reported vulnerability, security researcher Nadav Voloch discovered another vulnerability in the Cyberoam firewall software (standard credentials were used for all devices).

In total, these are three separate but related vulnerabilities in Cyberoam’s firewall software discovered within the last six months. Here is the timeline:

• First vulnerability identified and remediated: Late 2019.
• First anonymous report received on second vulnerability. 01/02/2020
• Cyberoam contacted: 06/02/2020, 11/02/2020
• Answer received: 12/02/20
• Working with Cyberoam to address the vulnerability

The manufacturer’s developers responded immediately after they were contacted. However, I have not found any information where Cyberoam provides firmware updates

Vulnerability Details

Sophos Cyberoam Support

In a preliminary announcement, the security researchers of vpnMentor disclosed the following details about the discovered vulnerabilities to me.

First vulnerability from 2019 (patched)

The first vulnerability identified (and patched) was an bug in the firewallOS of Cyberoam SSL VPNs. This flaw allowed access to any Cyberoam appliance through the SSL VPNs without requiring the username and password for the associated account.

It also provides full root access to the device, allowing any attacker to gain complete control over the device. This then enables access and control over the entire network in which this Cyberoam appliance has been integrated.

Cyberoam’s FirewallOS is a modified and centralized web-based version of Linux. All configurations, changes or commands required in a Cyberoam appliance are sent across the network in a Remote Command Execution (RCE).

Due to a bug in the login interface of the firewallOS, hackers can access the Cyberoam network without a username or password and send RCE’s to any server on that network. This left the network completely open to attackers, so the vulnerability is quite serious.

This vulnerability has been fixed and patched by Cyberoam and Sophos, who have installed a tool called “Regex Filter” in their code to prevent such an attack. However, the patch was not comprehensive enough to bypass the security measures. And even worse, the patch created a new vulnerability that was even more serious than the original bug.

The second vulnerability

The second vulnerability was anonymously reported to vpnMentor by an ethical hacker, and is only present after installing the patch provided by Cyberoam and Sophos. It is in the regex filter installed by the patch to ensure that unauthenticated RCEs cannot be sent to their servers via a user account login window.

The problem: The Regex filter can be bypassed with a Base64 encoding. Base64 is a binary to text encoding scheme that converts binary data (consisting of 1 and 0) into the so-called ASCII string format. It can also be used for the reverse function: converting regular command codes into binary sequences of 1 and 0.

By filtering an RCE command via Base64 and embedding it in a Linux Bash command, a hacker can bypass the restriction in Cyberoam’s Regex filter and create arbitrary exploits targeting the quarantine email functionality of devices.

Unlike the first vulnerability, they did not even need the username and password of an account, but could instead focus on the request to release the quarantine email functionality. Using cloaked RCEs, attackers were able to enter an empty username on the login interface and send it directly to the servers from there. This makes the vulnerability even more critical than the first one, which was supposed to be closed.

After a successful network intrusion, unauthenticated RCE protocols and “shell commands” can be sent across an entire network. Full root access to the affected Cyberoam appliances was also still possible. This allowed the victim’s entire network to be attacked and controlled.

Third vulnerability discovered by Nadav Voloch

The latest problem in Cyberoam’s security protocols was made possible by Cyberoam’s default passwords for new accounts. It appears that accounts in the organization’s software are assigned default user names and passwords. For example:

• cyberoam/cyber
• admin/admin
• root/admin

These must be changed by the users themselves. By combining the vulnerabilities in Cyberoam’s firewallOS with the standard credentials found, hackers can access any Cyberoam server still in Standard Configuration Mode and use them to attack the entire network.

Security software typically avoids this problem by not using standard credentials and only allowing access to an account when the user creates his own account. Stronger passwords should also be required, using numbers, symbols, and a mixture of upper and lower case letters.

Remember, if hackers use the Shodan search engine to find Cyberoam devices, they can access and take over any account that still uses the default username and password mode. And through a brute-force attack targeting all Cyberoam servers, hackers can easily access all servers still in default username/password mode. By the way, the Cyberoam/Sophos team has made it their business to offer network protection in the security arena – I don’t know what to say.

When using Sophos/Cyberoam devices, ensure that none of these instances on the network are using the default credentials provided by Cyberoam. Sophos’s latest security advisory is dated 2 January 2020 and can be found here. The information sent to me by vpnMentor does not mention any patched vulnerabilities. In a search I also did not find any Sophos security advisories (e.g. here) from February 2020. If I still receive information, I will add it.