TOR finds intercept flaw in deep packet inspection devices

Not another DigiNotar or Comodo SSL trust incident, nor Trustwave's, but a flaw nonetheless.

A certificate handling flaw in Cyberoam’s deep packet inspection (DPI) devices allows traffic from a single ‘victim’ to be intercepted by any DPI device from the vendor, according to the Tor Project.

The vulnerability stems from Cyberoam DPI devices sharing the same Certificate Authority (CA) certificate and therefore the same private key used to decrypt Secure Sockets Layer (SSL) encrypted traffic.

In a security advisory explaining the flaw, Tor Project developer Runa Sandvik and Google researcher Ben Laurie divide ‘victim’ scenarios into the “willing”—where a corporate environment deliberately installs a certificate that browsers do not trust on its devices in order to monitor traffic—and those where a CA, such as Cyberoam, could potentially be tricked into issuing a fraudulent certificate.

Cyberoam has not been tricked into issuing a fraudulent certificate and is using the untrusted certificate legitimately in the “willing” victim scenario. However, Sandvik and Laurie said it was “surprising” that all Cyberoam DPI devices use the same certificate.

“Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key,” the pair wrote.

“It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device—or to extract the key from the device and import it into other DPI devices, and use those for interception. Perhaps ones from more competent vendors.”

The pair discovered the flaw after a user in Jordan reported seeing a fake certificate issued by Cyberoam for the and initially thought Cyberoam had, like Comodo and DigiNotar, been tricked into issuing a fake certificate for

They also ruled out Cyberoam relying on an intermediate CA to generate new certificates “on the fly”, similar to the scheme Trustwave had proposed and later abandoned after the Mozilla community considered removing trust in its root CA certificate.

The user had seen a fake certificate, according to Sandvik and Laurie, and his connection was also being intercepted by one of Cyberoam’s DPI devices, meaning that in theory his traffic could have been intercepted by any Cyberoam device.

The pair advised Cyberoam of the flaw on June 30 and informed the company at the time that they would publish details of the flaw on July 3.

They note that Cyberoam’s CA certificate is not trusted by browsers, which should mean that an alert will appear unless the certificate has been installed.
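The following Go program is an added illustration, not code from the advisory or from Cyberoam, of the condition the advisory describes: two DPI boxes provisioned from one CA key, and a third with its own. SharesIssuerKey is the comparison Sandvik and Laurie made across certificate chains, and AcceptedBy shows the browser-side outcome described above: a leaf minted by a different box with the shared key is accepted by a client that installed the CA, and rejected by a client that did not. The CA name, host and keys are all constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewKey returns a fresh signing key (constructed for the model; not any vendor's key).
func NewKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }

// sign issues tmpl under parent (self-signed when parent == tmpl), valid from an hour ago for a day.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// DeviceCA is the self-signed CA a DPI box presents; giving every box the same name and key models the vendor-wide certificate.
func DeviceCA(name string, key ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, key.Public().(ed25519.PublicKey), key)
}

// Intercept mints the on-the-fly leaf a box holding (ca, key) presents to a client connecting to host.
func Intercept(ca *x509.Certificate, key ed25519.PrivateKey, host string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return sign(tmpl, ca, NewKey().Public().(ed25519.PublicKey), key)
}

// SharesIssuerKey is the advisory's check: do the CA certificates seen behind two boxes carry one public key?
func SharesIssuerKey(a, b *x509.Certificate) bool {
	return bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo)
}

// AcceptedBy reports whether a client trusting exactly roots accepts leaf for host without a warning.
func AcceptedBy(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

The same comparison can be run on real chains by parsing the CA certificate captured behind each box with x509.ParseCertificate and passing the results to SharesIssuerKey.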


Stories by Liam Tung
