Critical Vulnerability in Cyberoam Firewall, by Sophos: Patch now available

Vulnerability testing specialists report a critical vulnerability in the firewall products of Sophos, a hardware and software security company. If exploited, this flaw could give a threat actor access to a company’s internal network without having to enter any access credentials.

According to reports, all Sophos Cyberoam Firewall deployments running CyberoamOS (CROS) version 10.6.6 MR-5 and earlier are affected by the vulnerability. “According to the time and confidentiality parameters set in the community, we received the report prepared by an external security researcher,” says a statement from the company.

The company’s advisory goes on to say: “The vulnerability could be exploited by sending a malicious request to the Web Admin or SSL VPN consoles, giving an unauthenticated remote attacker the ability to execute arbitrary commands”.

In short, vulnerability testing experts describe this as a shell injection flaw that allows hackers to obtain root user permissions on a vulnerable system, and it is exploitable over the Internet. The company thanked security specialist Rob Mardisalu for submitting the vulnerability report, tracked as CVE-2019-17059. The expert also shared the report with some specialized cybersecurity platforms, such as TechCrunch.

“The vulnerability allows hackers to access a Cyberoam device without entering usernames or passwords, and also grants root access, giving the attacker full control of the device,” Mardisalu’s report says.

Cyberoam, the affected Sophos product, is a firewall solution used in large companies that provides services such as deep packet inspection across networks and applications, together with user identity features. Among the threats Cyberoam helps mitigate are denial of service (DoS) attacks and spoofing campaigns.

The vulnerability testing expert who discovered the flaw provided some details about his research, mentioning that, through the Shodan search engine, he detected more than 96,000 Internet-connected Cyberoam devices worldwide, deployed mainly at universities, banks and private companies. He also mentioned that this vulnerability is similar to other flaws recently discovered in the products of virtual private network (VPN) vendors such as Fortinet and Palo Alto Networks.

“CVE-2019-17059 is a similar vulnerability to those discovered in corporate VPN providers, as it also allows hackers to gain access to a network without using a password,” Mardisalu added. Those VPN vulnerabilities affected large companies such as Uber and Twitter, and Homeland Security issued a security alert about them.

The company has announced that the fix for this bug is included in its next operating system update. Although a patch has been released, vulnerability testing specialists from the International Institute of Cyber Security (IICS) claim that some devices remain vulnerable, mainly because their administrators have disabled automatic updates; they therefore recommend reviewing deployment settings and updating manually where necessary.
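The recommendation above amounts to checking every deployed appliance against the affected range (“10.6.6 MR-5 and earlier”) and singling out the ones that will not patch themselves. The following is an added example, not code from the article or from Sophos, of how an administrator might triage a device inventory. It assumes a version-string format of `MAJOR.MINOR.PATCH MR-N` (inferred only from the one version quoted in the article, with a missing `MR` suffix treated as `MR-0`), and the hostnames and versions in `SAMPLE_INVENTORY` are constructed for illustration. Because the article does not name the fixed release, anything above 10.6.6 MR-5 is reported as outside the documented range rather than as patched.

```python
import re

# Highest CyberoamOS (CROS) release the article reports as affected by
# CVE-2019-17059 ("10.6.6 MR-5 and earlier").
LAST_AFFECTED_VERSION = "10.6.6 MR-5"

# Assumed format "MAJOR.MINOR.PATCH MR-N" (maintenance-release suffix optional);
# this regex is based only on the version string quoted in the article.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*MR-?(\d+))?\s*$", re.IGNORECASE)


def parse_cros_version(text):
    """Turn a CROS version string into a comparable tuple (major, minor, patch, mr).

    A missing maintenance-release suffix is treated as MR 0 (assumption).
    Raises ValueError for strings that do not match the assumed format, so an
    unparseable inventory entry is surfaced rather than silently skipped.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised CROS version string: {text!r}")
    major, minor, patch, mr = match.groups()
    return (int(major), int(minor), int(patch), int(mr) if mr is not None else 0)


def is_in_affected_range(version):
    """True if the version is at or below the last release reported as affected."""
    return parse_cros_version(version) <= parse_cros_version(LAST_AFFECTED_VERSION)


def triage_inventory(inventory):
    """Classify each (hostname, version, auto_update_enabled) record.

    Returns a list of dicts with the hostname, its status and the recommended
    action. Entries whose version cannot be parsed get status 'unknown' so
    they are checked by hand instead of being assumed safe.
    """
    findings = []
    for hostname, version, auto_update in inventory:
        try:
            affected = is_in_affected_range(version)
        except ValueError:
            findings.append({"host": hostname, "status": "unknown",
                             "action": "verify version string by hand"})
            continue
        if not affected:
            status, action = "outside reported range", "confirm patch level against vendor advisory"
        elif auto_update:
            status, action = "affected", "confirm the update was actually applied"
        else:
            status, action = "affected", "auto-update disabled: update manually"
        findings.append({"host": hostname, "status": status, "action": action})
    return findings


# Constructed sample inventory: hostnames, versions and flags are made up.
SAMPLE_INVENTORY = [
    ("fw-hq-01", "10.6.6 MR-5", False),   # last affected release, no auto-update
    ("fw-branch-02", "10.6.5 MR-2", True),  # older release, auto-update on
    ("fw-lab-03", "10.6.6 MR-6", False),   # above the reported range
    ("fw-old-04", "10.6.6", False),        # no MR suffix, treated as MR-0
    ("fw-odd-05", "v10", False),           # malformed entry, flagged unknown
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE_INVENTORY):
        print(f"{finding['host']:<14} {finding['status']:<24} {finding['action']}")
```

The point of the `unknown` status is that an inventory with a typo in one version field should never quietly drop that appliance from the list of devices to check; the same applies to devices with automatic updates enabled, which are still listed so that the update can be confirmed rather than assumed.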