Cyberoam SSL VPN Client - Plain-text Storage of Username and Password
Product: Cyberoam SSL VPN Client v1.0
Vulnerability Classification: Insecure Storage of User Credentials
Issue Fixed in Version: Cyberoam SSL VPN 220.127.116.11
Issue Discovered By: Wasim Halani (washal)
Organization: Network Intelligence India Pvt. Ltd.
Advisory Link: http://niiconsulting.com/vul/CyberoamSSLVPNClient.html
Date of Advisory: 26th May, 2010
"SSL VPN client is used for establishing remote connections in full access
mode. A remote user having an internet connection can download and install
SSL VPN Client. Once the client is installed, an encrypted tunnel is
established for secure access to the corporate network after providing user
The Cyberoam SSL VPN client (CrSSL.exe) provides the user with an option to
save their credentials on the system for later use.
[IMG: http://niiconsulting.com/images/crssl-client-save-credentials.jpg ]
These details (username and password) are stored in the Windows registry
under the HKEY_CURRENT_USER hive.
The credentials are stored in plain-text in respective keys at the below
[IMG: http://niiconsulting.com/images/plain-text-username-password.jpg ]
27th October, 2009 - Vendor informed about vulnerability
28th October, 2009 - Confirmation of receipt of email
6th November, 2009 - Vendor confirms issue. To be considered a 'feature
3rd March, 2010 - Vendor informs us that the next firmware release will
fix the issue.
5th May, 2010 - Vendor confirms that the version 18.104.22.168 of the
Cyberoam SSL VPN and its corresponding SSL VPN client do not have the
[IMG: http://niiconsulting.com/images/ssl-registry-fix.JPG ]
Upgrade to the latest Cyberoam SSL VPN version of the, available on the
We would like to thank Mr. Rakesh Patel of eLitCore for the cooperation he
has shown in fixing the vulnerability.
Network Intelligence India Pvt. Ltd.