Advisory: Resolved: Cyberoam SQL injection vulnerability
What happened?
A pre-authentication SQL injection vulnerability was recently discovered and fixed on Cyberoam operating system (CROS) devices. This type of vulnerability could allow SQL statements to be executed remotely, but only if the administration interface (HTTPS admin service) was exposed on the WAN zone. No other Sophos products were affected.
How did Sophos respond?
Sophos patched the vulnerability by deploying a hotfix to all supported CROS versions beginning on December 4, 2020.
Hotfix Information
| CROS Version | Hotfix Issued |
| Version 10.6.4 and above | December 4, 2020 |
| Version 10.6.3 MR4 & MR5, 10.6.2 MR1 | December 5, 2020 Note: Unsupported version – Please upgrade to the latest CROS version or to our next-gen XG Firewall for advanced security, performance, and protection |
| All versions prior to and including 10.6.1 | N/A Note: Unsupported version – Please upgrade to the latest CROS version or to our next-gen XG Firewall for advanced security, performance, and protection |
How can I ensure that I receive the hotfix?
For all CROS devices that are using the default setting of “Allow Over-the-air Hotfix” automatic updates, the hotfix was automatically installed and there is no action required.
Customers who have changed this default setting need to re-enable this option to receive the hotfix: (System -> Maintenance -> Updates-> “Allow Over-the-air hotfix”)
How can I check the hotfix version on my device?
From the Cyberoam Console, execute the following command to show all version information:
- Console> cyberoam diagnostics show version-info
Referencing the following table, verify that your Hot Fix version number is the same or greater than the listed number below.
| CROS Version | Hardware Model | Hotfix Version |
| 10.6.6 MR6 | All | 3 |
| 10.6.6 MR5 | All | 12 |
| 10.6.6 MR4 | All | 13 |
| 10.6.6 MR3 | All | 16 |
| 10.6.6 MR2 | All | 16 |
| 10.6.6 MR1 | All | 16 |
| 10.6.6 GA | CR10/15 All other | 19 20 |
| 10.6.5 MR1 | CR10/15 All other | 17 18 |
| 10.6.5 GA | All | 18 |
| 10.6.4 MR1 | CR10/15 All other | 20 21 |
| 10.6.4 GA | CR10/15 All other | 19 20 |
Is there any additional action that customers should take?
We strongly recommend the following network security best practices:
- Customers should always ensure they are running supported hardware and software versions.
- Ensure the web admin (HTTP/HTTPS) and SSH are not exposed to the WAN zone (System > Administration > Appliance Access). Use VPN instead for added security when managing Cyberoam devices remotely.
- Conduct regular firewall security audits to reduce risk: review all firewall rules, NAT port-forwarding, and access control lists (ACLs).
- Audit user accounts, remove unnecessary accounts, change admin passwords regularly, and use strong passwords managed via a password manager to reduce the risk of unauthorized access.
As a reminder, the Cyberoam platform is nearing End of Life (EOL). Upgrading to XG Firewall offers advanced security, performance, protection, and features. XG Firewall v17.5 is fully compatible with Cyberoam devices and this 10-step migration guide provides an easy process for moving your Cyberoam configuration to XG Firewall firmware.
