Cyberoam Packet Inspection Devices Open Traffic To Third Parties
Posted by Anonymous on Thu 5th Jul 2012 06:48
"New submitter jetcityorange tipped us to a nasty security flaw in Cyberoam packet inspection devices. The devices are used by employers and despotic governments alike to intercept communications; in the case of employers probably for relatively mundane purposes (no torrenting at work). However, the CA key used to issue fake certificates so that the device can intercept SSL traffic is the same on every device, allowing every Cyberoam device to intercept traffic that passed through any other one. But that's not all: "It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI devices, and use those for interception. Perhaps ones from more competent vendors.""

- http://tech.slashdot.org/story/12/07/04/1640202/cyberoam-packet-inspection-devices-open-traffic-to-third-parties

  o_
 /|
 / \

"Security vulnerability found in Cyberoam DPI devices (CVE-2012-3372)
Posted July 3rd, 2012 by Runa"

- https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372

 _o_
  |
 / \

"Vulnerability in Cyberoam DPI devices [30 Jun 2012] (CVE-2012-3372)"

- https://media.torproject.org/misc/2012-07-03-cyberoam-CVE-2012-3372.txt

 /o_
  |
 / \

"TOR project uncovers flaw in mass-surveillance appliance"

"The TOR team have discovered a fake certificate in the wild. The certificate, issued by a US company called Cyberoam, was used in an attempt to trick a user in Jordan into believing that her/his connection to the TOR website was private and secure, though in fact it was being spied upon by a Cyberoam device. Cyberoam makes "deep packet inspection" software, used in mass surveillance of Internet traffic, and as TOR's Runa Sandvik and OpenSSL's Ben Laurie investigated the matter, they discovered that all Cyberoam devices share a common vulnerability related to their handling of certificates. The company was notified of this on June 30, and told that the vulnerability would be made public today.

    Last week, a user in Jordan reported seeing a fake certificate for torproject.org. The user did not report any errors when browsing to sites such as Gmail, Facebook, and Twitter, which suggests that this was a targeted attack. The certificate was issued by a US company called Cyberoam. We first believed that this incident was similar to that of Comodo and DigiNotar, and that Cyberoam had been tricked to issue a fake certificate for our website.

    After a bit of research, we learned that Cyberoam make a range of devices used for Deep Packet Inspection (DPI). The user was not just seeing a fake certificate for torproject.org, his connection was actually being intercepted by one of their devices. While investigating this further, Ben Laurie and I found a security vulnerability affecting all Cyberoam DPI devices.

    Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key. It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices, and use those for interception."

- http://boingboing.net/2012/07/03/tor-project-uncovers-flaw-in-m.html

 /o\
  |
 / \

"Cyberoam DPI devices vulnerable to traffic interception"

"The Tor researchers recommend that users who are concerned by this issue should check their browsers and see whether any certificates from Cyberoam have been installed."

- http://www.h-online.com/security/news/item/Cyberoam-DPI-devices-vulnerable-to-traffic-interception-1632004.html
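
The check recommended in the last excerpt, as an added example that is not part of the original paste or of the Tor advisory: it walks the DER of each certificate in a PEM bundle and reports those whose subject or issuer names contain "Cyberoam". The name substring and the unsigned skeleton certificates in `SAMPLE` are assumptions constructed for the demo; the page gives neither the CA's exact name nor its fingerprint.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):  # decode one DER element -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):  # all DER elements directly inside a constructed value
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def name_values(name):  # Name = SEQUENCE of SET of SEQUENCE {OID, value}
    atvs = [children(atv)[1] for _, rdn in children(name) for _, atv in children(rdn)]
    return [raw.decode("utf-16-be" if tag == 0x1E else "utf-8", "replace") for tag, raw in atvs]

def issuer_and_subject(der):
    tbs = children(children(read_tlv(der, 0)[1])[0][1])  # Certificate -> tbsCertificate
    if tbs[0][0] == 0xA0:  # optional [0] version field, absent in v1 certificates
        tbs = tbs[1:]
    return name_values(tbs[2][1]), name_values(tbs[4][1])  # serial, alg, issuer, validity, subject

def find_named_certs(pem_bundle, needle="cyberoam"):
    hits = []  # (subject, issuer) of every certificate naming `needle`
    for m in PEM_RE.finditer(pem_bundle):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        if any(needle.lower() in v.lower() for v in issuer + subject):
            hits.append((subject, issuer))
    return hits

def enc(tag, *parts):  # DER encoder for the constructed sample only (lengths < 128)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def skeleton_cert(cn):  # constructed, unsigned, self-issued skeleton; not a real certificate
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03"), enc(0x0C, cn.encode()))))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), enc(0x30), name, enc(0x30), name)
    der = enc(0x30, tbs, enc(0x30), enc(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

SAMPLE = skeleton_cert("Cyberoam demo CA") + skeleton_cert("Example Root CA")
```

Run `find_named_certs()` over a PEM export of the browser or OS trust store. A name match is a heuristic only: a hit means a CA carrying that name is trusted on the machine, and an empty result does not rule out an interception CA under another name.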