Critical flaws have been discovered in a cybersecurity company's next-generation firewall and VPN technology.
Researchers at vpnMentor detected two vulnerabilities in cybersecurity devices developed by Cyberoam Technologies. Founded in 1999, Ahmedabad-based company Cyberoam was bought by British security software and hardware company Sophos Group plc in 2014.
Cyberoam employs 550 people globally and serves 65,000 users in over 120 countries, offering security solutions to “global corporations in the manufacturing, healthcare, finance, retail, IT sectors, and more, in addition to educational institutions, public sector and large government organizations.”
The first vulnerability was found in the FirewallOS of Cyberoam SSL VPNs in the last quarter of 2019, while the second was shared with vpnMentor by an anonymous ethical hacker at the beginning of 2020 and verified at vpnMentor's Research Lab.
"After confirming their findings, our team discovered a third flaw, which had also gone unnoticed," wrote researchers.
"These vulnerabilities, both independently and when put together, could have been potentially exploited by sending a malicious request, which would enable an unauthenticated, remote attacker to execute arbitrary commands."
Cyberoam software works by forming a gateway that blocks unauthorized access to a network. Researchers revealed that the main flaw in Cyberoam’s security involved two separate weaknesses in how an email is "released from quarantine" on a Cyberoam device.
"Both unrelated issues could have been used to give hackers access to Cyberoam’s devices, and, as an end result, make it easier to exploit any device which their firewalls were guarding," wrote researchers.
Hotfixes have been published by Sophos to resolve the vulnerabilities, which are not the first flaws to be discovered in Cyberoam's security products.
"For many years, people have been identifying significant weaknesses in their software products and devices," wrote researchers, before citing three specific weaknesses.
The first of these dates back to July 2012, when it was revealed that Cyberoam was using the same SSL certificate across many of its devices, making it possible for hackers to access any affected device on the company's network and intercept its data traffic.
In 2018, massive portions of Cyberoam databases were discovered for sale on the dark web after being swiped by a hacker, according to Indian media reports.