Sophos Cyberoam NG Series Multiple Cross-Site Scripting Vulnerabilities

Title: Sophos Cyberoam NG Series Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2016-5313
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 04.04.2016
Summary
Cyberoam NG series of Unified Threat Management appliances are the Next-Generation network security appliances that include UTM security features along with performance required for future networks. The NG series for SMEs are the 'fastest UTMs' made for this segment. The best-in-class hardware along with software to match, enables the NG series to offer unmatched throughput speeds, compared to any other UTM appliance in this market segment. This assures support for future IT trends in organizations like high-speed Internet and rising number of devices in organizations – offering future-ready security to SMEs.
Description
Multiple reflected XSS issues were discovered in Cyberoam NG appliances. Input passed via the 'ipFamily', 'applicationname' and 'username' GET parameters to LiveConnections.jsp and LiveConnectionDetail.jsp is not properly sanitised before being returned to the user. Adding an arbitrary 'X-Forwarded-For' HTTP header to a request also makes the appliance prone to an XSS issue. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
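As an added, defender-side example that is not part of the advisory: the code below validates an X-Forwarded-For value as a bare list of IP addresses, HTML-encodes the three reflected parameters before they are rendered, and flags requests in constructed log lines that carry HTML metacharacters into those parameters or the header. The log line format, the URL paths and the function names are assumptions, not the appliance's own.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Parameters and pages the advisory names as reflecting input unsanitised.
REFLECTED_PARAMS = ("ipFamily", "applicationname", "username")
AFFECTED_PAGES = ("LiveConnections.jsp", "LiveConnectionDetail.jsp")
HTML_META = re.compile(r'[<>"\']')


def parse_xff(value):
    """Return the hop list of an X-Forwarded-For header, or None if any hop is
    not a bare IP address. The header is client-controlled and must be treated
    as untrusted input, not as a value safe to echo into a page."""
    hops = []
    for hop in value.split(","):
        try:
            hops.append(str(ipaddress.ip_address(hop.strip())))
        except ValueError:
            return None
    return hops


def render_row(params, xff):
    """Hardened rendering of one connection row: every reflected parameter is
    HTML-encoded and the X-Forwarded-For chain is shown only if it validates."""
    cells = [html.escape(params.get(p, ""), quote=True) for p in REFLECTED_PARAMS]
    hops = parse_xff(xff)
    cells.append(", ".join(hops) if hops else "invalid")
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def flag_requests(log_lines):
    """Detection over assumed log lines 'METHOD /path?query "xff"': report the
    affected pages whose reflected parameters contain HTML metacharacters or
    whose X-Forwarded-For value is not a plain IP list."""
    findings = []
    for line in log_lines:
        _method, target, xff = line.split(" ", 2)
        parts = urlsplit(target)
        if parts.path.rsplit("/", 1)[-1] not in AFFECTED_PAGES:
            continue
        query = parse_qs(parts.query)
        for name in REFLECTED_PARAMS:
            findings += [(name, v) for v in query.get(name, []) if HTML_META.search(v)]
        if parse_xff(xff.strip('"')) is None:
            findings.append(("X-Forwarded-For", xff.strip('"')))
    return findings


# Constructed sample traffic; paths and addresses are placeholders.
SAMPLE_LOG = [
    'GET /example/LiveConnections.jsp?ipFamily=4&username=alice "10.0.0.5"',
    'GET /example/LiveConnectionDetail.jsp?applicationname=%3Cscript%3Ex "10.0.0.5"',
    'GET /example/LiveConnections.jsp?ipFamily=4 "10.0.0.5, <b>hi</b>"',
    'GET /example/index.jsp?username=%3Cb%3E "10.0.0.5"',
]
```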
Vendor
Sophos Technologies Pvt. Ltd. - http://www.cyberoam.com
Affected Version
Model: CR100iNG, FW: 10.6.3 MR-1 (Build 503)
Model: CR35iNG, FW: 10.6.2 MR-1 (Build 383)
Model: CR35iNG, FW: 10.6.2 (Build 378)
Tested On
Linux
Vendor Status
[29.01.2016] Vulnerability discovered.
[02.02.2016] Vendor contacted.
[02.02.2016] Vendor responds asking more details.
[02.02.2016] Sent details to the vendor.
[03.02.2016] Vendor asks if the issue is resolved.
[05.02.2016] Asked vendor for status update.
[05.02.2016] Vendor assigns case number 5708861.
[12.02.2016] Asked vendor for status update.
[15.02.2016] Vendor verifies the vulnerability, assigning defect ID 19644.
[15.02.2016] Vendor will resolve the issue in an upcoming release.
[28.02.2016] Asked vendor to provide more concrete information.
[29.02.2016] Vendor replies.
[14.03.2016] Asked vendor for scheduled patch release date.
[03.04.2016] No response from the vendor.
[04.04.2016] Public security advisory released.
PoC
cyberoam_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://docs.cyberoam.com/default.asp?id=447&Lang=1&SID=
[2] https://cxsecurity.com/issue/WLB-2016040025
[3] https://packetstormsecurity.com/files/136561
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/111980
[5] http://vuldb.com/?id.81644
[6] http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-001941.html
[7] http://tech.cert-hungary.hu/vulnerabilities/CH-13158
[8] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3968
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3968
Changelog
[04.04.2016] - Initial release
[05.04.2016] - Added reference [2] and [3]
[06.04.2016] - Added reference [4]
[11.04.2016] - Added reference [5], [6], [7], [8] and [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk