Cyberoam SSL VPN Client - Plain-text Storage of Username and Password May 26 2010 10:42AM
Wasim Halani (wasim halani niiconsulting com)
Cyberoam SSL VPN Client - Plain-text Storage of Username and Password

Vulnerability Summary:
Product: Cyberoam SSL VPN Client v1.0
Vendor: eLiteCore
Website: http://www.cyberoam.com/
Platform: Windows
Vulnerability Classification: Insecure Storage of User Credentials
Issue Fixed in Version: Cyberoam SSL VPN
Issue Discovered By: Wasim Halani (washal)
Organization: Network Intelligence India Pvt. Ltd.
Advisory Link: http://niiconsulting.com/vul/CyberoamSSLVPNClient.html
Date of Advisory: 26th May, 2010

Product Info:
"SSL VPN client is used for establishing remote connections in full access
mode. A remote user having an internet connection can download and install
SSL VPN Client. Once the client is installed, an encrypted tunnel is
established for secure access to the corporate network after providing user

Vulnerability Description:
The Cyberoam SSL VPN client (CrSSL.exe) provides the user with an option to
save their credentials on the system for later use.

[IMG: http://niiconsulting.com/images/crssl-client-save-credentials.jpg ]

These details (username and password) are stored in the Windows registry
under the HKEY_CURRENT_USER hive.
The credentials are stored in plain-text in respective keys at the below
My Computer\HKEY_CURRENT_USER\Software\SslElite\CrSSL-Client

[IMG: http://niiconsulting.com/images/plain-text-username-password.jpg ]

Vendor Communication:
27th October, 2009 - Vendor informed about vulnerability
28th October, 2009 - Confirmation of receipt of email
6th November, 2009 - Vendor confirms issue. To be considered a 'feature
3rd March, 2010 - Vendor informs us that the next firmware release will
fix the issue.
5th May, 2010 - Vendor confirms that the version of the
Cyberoam SSL VPN and its corresponding SSL VPN client do not have the

[IMG: http://niiconsulting.com/images/ssl-registry-fix.JPG ]

Upgrade to the latest Cyberoam SSL VPN version of the, available on the
vendor website

We would like to thank Mr. Rakesh Patel of eLitCore for the cooperation he
has shown in fixing the vulnerability.

Wasim Halani
Security Analyst
Network Intelligence India Pvt. Ltd.
Blog: http://www.niiconsulting.com/checkmate/

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus