Cyberoam updates UTM certs to avoid traffic snooping

Share this article:

Security vendor Cyberoam has issued a hotfix for an interception vulnerability it downplayed this week. 

The update this week replaces generic certificates in Cyberoam Unified Threat Management (UTM) devices with unique ones.This squashes the possibility that the deep packet inspection (DPI) modules could intercept traffic from users assigned to different Cyberoam UTM boxes.

The update comes after a commenter to a blog post over the weekend published the default private key that was being used across Cyberoam's UTM devices.

Last month, Tor Project security researcher Runa Sandvik and OpenSSL's Ben Laurie discovered that the units relied on shared certificates that users must accept to have their encrypted traffic scanned, ostensibly for security threats.

Users accepting the certificates could be scanned by any Cyberoam DPI unit, the researchers found.

Cyberoam had refuted the allegations, along with suggestions by the researchers that private keys could be extracted from the devices.

"Cyberoam UTM either accepts or rejects, but does not store HTTPS Deep Scan Inspection data, as processing is done in real-time," the company said on its blog. "The possibility of data interception between any two Cyberoam appliances is hence nullified."

The fix generates a positive alert when it has been successfully applied.

This article originally appeared at SCMagazine.com.au

Share this article:

Sign up to our newsletters

More in News

Five schools earn NSA's excellence in cyber ops distinction

The schools earned NSA's Centers for Academic Excellence designation for their cyber offerings.

With RATs at their disposal, 419 scammers target businesses

With RATs at their disposal, 419 scammers target ...

A new report reveals how Nigeria's 419 scammers are spreading malware to pocket business funds.

InfoSec pros worried BYOD ushers in security exploits, survey says

InfoSec pros worried BYOD ushers in security exploits, ...

A study by the Information Security Community on LinkedIn found most organizations don't have proper polices and support for BYOD.