July 09, 2012, 2:20 PM — Network security hardware manufacturer Cyberoam issued an over-the-air (OTA) update for its unified threat
management (UTM) appliances in order to force the devices to use unique certificate authority (CA) SSL certificates
when intercepting SSL traffic on corporate networks.
The company was forced to issue the update after an anonymous user published
on the Internet the SSL private key that all Cyberoam appliances use by default.
"As the private key has been leaked there are possibilities that it can be misused and hence we have taken an
immediate action to release an OTA hotfix that changes the default CA and protects the customers," Abhilash
Sonwane, senior vice president of product management at Cyberoam, said Monday via email.
After the hotfix is applied, each individual appliance will have its unique CA certificate. Customers should see
a notification about the CA certificate being changed on the administration dashboard of their devices, Sonwane
said.
If for some reason the update failed and the alert is missing from the dashboard, customers can generate their
own unique CA certificates using the command line interface, an option that has always been available to them.
Tor Project researcher Runa A. Sandvik and Google software security engineer Ben Laurie revealed on July
3 that all Cyberoam appliances with SSL traffic inspection capabilities had been using the same self-generated
CA certificate by default. This made it possible "to intercept traffic from any victim of a Cyberoam device with
any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI [deep
packet inspection] devices, and use those for interception," the researchers wrote in a security advisory.
Cyberoam admitted in a customer
support article published on Thursday that all of its appliances used the same default CA certificate. However,
the company denied at the time that the private key corresponding to this certificate can be exported from the
devices.
Businesses are interested in inspecting the SSL traffic on their networks for a variety of reasons, including
the detection of potential data leaks and malware activity.
Network security appliances like those produced by Cyberoam achieve this by launching man-in-the-middle attacks
every time network computers send requests to SSL-enabled domain names.
