Critical Vulnerability in Cyberoam Firewall, by Sophos: Patch now available

Vulnerability testing specialists report a critical vulnerability in the firewall products of Sophos, a hardware and software security company. If exploited, the flaw could give a threat actor access to a company’s internal network without entering any access credentials.

According to reports, all Sophos Cyberoam Firewall deployments running CyberoamOS (CROS) version 10.6.6 MR-5 and earlier are affected by the vulnerability. “According to the time and confidentiality parameters set in the community, we received the report prepared by an external security researcher,” says a statement from the company.

The company’s report goes on to state: “The vulnerability could be exploited by sending a malicious request to the Web Admin or SSL VPN consoles, giving an unauthenticated remote attacker the ability to execute arbitrary commands”.

In short, vulnerability testing experts describe this as a shell injection flaw that lets attackers obtain root user permissions on a vulnerable system, and it is exploitable over the Internet. The company thanked security specialist Rob Mardisalu for submitting the vulnerability report, tracked as CVE-2019-17059. The expert also shared the report with specialized cybersecurity platforms such as TechCrunch.

“The vulnerability allows hackers to access a Cyberoam device without entering usernames or passwords, and also grants root access, giving the attacker full control of the device,” Mardisalu’s report says.

Cyberoam, the affected Sophos product, is a firewall solution used in large companies that provides services such as deep packet inspection along with network, application and user-identity features. Among the threats Cyberoam helps mitigate are denial of service (DoS) attacks and spoofing campaigns.

The vulnerability testing expert who discovered the flaw provided some details about his research, mentioning that, through the Shodan search engine, he detected more than 96k Internet-connected Cyberoam devices worldwide, running mainly in universities, banks and private companies. He also noted that this vulnerability is similar to other flaws recently discovered in the virtual private network (VPN) products of companies such as Fortinet and Palo Alto Networks.

“CVE-2019-17059 is a similar vulnerability to those discovered in corporate VPN providers, as it also allows hackers to gain access to a network without using a password,” Mardisalu added. Those vulnerabilities affected large companies such as Uber and Twitter, and Homeland Security even issued a security alert about them.

The company has announced the fix for this bug in its next operating system update. Although a patch has been released, vulnerability testing specialists from the International Institute of Cyber Security (IICS) claim that some devices remain vulnerable, mainly because their administrators have disabled automatic updates; they therefore recommend reviewing your deployment settings and updating manually if necessary.
