Cyberoam fixes SSL snooping hole in network security appliances

Cyberoam issues a hotfix for UTM appliances after the default private key used for SSL traffic inspection gets leaked online

Network security hardware manufacturer Cyberoam issued an over-the-air (OTA) update for its unified threat management (UTM) appliances in order to force the devices to use unique certificate authority (CA) SSL certificates when intercepting SSL traffic on corporate networks.

The company was forced to issue the update after an anonymous user published on the Internet the SSL private key that all Cyberoam appliances use by default.

"As the private key has been leaked there are possibilities that it can be misused and hence we have taken an immediate action to release an OTA hotfix that changes the default CA and protects the customers," Abhilash Sonwane, senior vice president of product management at Cyberoam, said Monday via email.

After the hotfix is applied, each individual appliance will have its unique CA certificate. Customers should see a notification about the CA certificate being changed on the administration dashboard of their devices, Sonwane said.

If for some reason the update failed and the alert is missing from the dashboard, customers can generate their own unique CA certificates using the command line interface, an option that has always been available to them.

Tor Project researcher Runa A. Sandvik and Google software security engineer Ben Laurie revealed on July 3 that all Cyberoam appliances with SSL traffic inspection capabilities had been using the same self-generated CA certificate by default. This made it possible "to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI [deep packet inspection] devices, and use those for interception," the researchers wrote in a security advisory.

Cyberoam admitted in a customer support article published on Thursday that all of its appliances used the same default CA certificate. However, the company denied at the time that the private key corresponding to this certificate can be exported from the devices.

Businesses are interested in inspecting the SSL traffic on their networks for a variety of reasons, including the detection of potential data leaks and malware activity.

Network security appliances like those produced by Cyberoam achieve this by launching man-in-the-middle attacks every time network computers send requests to SSL-enabled domain names.

They intercept the requests and establish encrypted channels with the destination servers. They then generate rogue SSL certificates for the remote domains, sign them with their own self-generated CA certificates, and serve those back to the network computers.

This establishes SSL bridges that allow them to inspect what should otherwise be private communications between network endpoints and remote servers. In order to avoid any certificate errors being displayed on the endpoint computers, network administrators have to first install the self-generated CA certificates in their trusted certificate stores.

Sonwane feels that Cyberoam has been singled out in this case. The whole industry uses the same methodology of shipping a default CA certificate with appliances that are capable of performing SSL traffic inspection, he said.

"As a company, we are taking this on a positive note, as these immediate changes (of forcefully generating a unique CA) are putting our appliances at a greater security level than the rest of the industry that does HTTPS deep scan," he said.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?