Cyberoam SSL VPN Client – Plain-text Storage of Username and Password

Security Advisories | Password Disclosure | Cyberoam SSL VPN Client – Plain-text Storage of Username and Password

Product: Cyberoam SSL VPN Client v1.0
Vendor: eLiteCore
Website: www.cyberoam.com
Platform: Windows
Vulnerability Classification: Insecure Storage of User Credentials
Issue Fixed in Version: Cyberoam SSL VPN 9.6.0.78
Issue Discovered By: Wasim Halani (washal)
Organization: Network Intelligence India Pvt. Ltd.
Date released: 26th May, 2010

Product Info

"SSL VPN client is used for establishing remote connections in full access mode. A remote user having an internet connection can download and install SSL VPN Client. Once the client is installed, an encrypted tunnel is established for secure access to the corporate network after providing user credentials."

I. Description

The Cyberoam SSL VPN client (CrSSL.exe) provides the user with an option to save their credentials on the system for later use.



These details (username and password) are stored in the Windows registry under the HKEY_CURRENT_USER hive.
The credentials are stored in plain-text in respective keys at the below location
My Computer\HKEY_CURRENT_USER\Software\SslElite\CrSSL-Client
jalpassword=
jalusername=

II. Vendor Response

27th October, 2009 – Vendor informed about vulnerability
28th October, 2009 – Confirmation of receipt of email
6th November, 2009 – Vendor confirms issue. To be considered a 'feature request'.
3rd March, 2010 – Vendor informs us that the next firmware release will fix the issue.
5th May, 2010 – Vendor confirms that the version 9.6.0.78 of the Cyberoam and its corresponding SSL VPN client do not have the vulnerability.

Solution

Upgrade to the latest Cyberoam SSL VPN Client Server package available on vendor website.

Acknowledgements

We would like to thank Mr. Rakesh Patel of eLitCore for the cooperation he has shown in fixing the vulnerability.