Cyberoam appliances private key exposed
The private key that Cyberoam security appliances use to perform Deep Packet Inspection (DPI) of SSL traffic is in circulation on the internet. This allows anyone on the Cyberoam appliance's network to decrypt other users' encrypted data traffic. The company has responded by releasing an emergency patch that makes every device generate its own unique CA certificate and matching private key.
A week ago, the Tor Project had issued a warning, saying that all Cyberoam appliances appeared to be using the same private key in the SSL certificates that were used to allow the device to inspect SSL traffic. The company responded by posting the following on its blog: "Cyberoam's private keys cannot be extracted even upon dissecting the box or cloning its hardware and software. This annuls any possibility of tampering with the existing certificates on appliance". The company has since realised that this isn't true, and the statement has now been deleted from the blog posting. The amended version only states that the appliances don't offer a key import and export feature.
According to Cyberoam, the newly released OTA (Over The Air) update is installed automatically and makes each appliance generate its own unique private key. The company says that using a single private key on all appliances is common practice in this industry. Research by The H's associates at heise Security has found that, for example, Fortinet appliances also appear to ship with a "CA_SSLProxy" certificate that is identical on all devices.
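Both halves of the story, the per-device CA generation that the patch introduces and a fleet-wide check for the shared-key condition, as an added Go example that is not Cyberoam's or Fortinet's code; the device label and the fleet of certificates are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// GenerateDeviceCA creates a fresh key pair and self-signed CA certificate for one
// appliance; deviceID is a hypothetical label, not a field from the real product.
func GenerateDeviceCA(deviceID string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "SSL inspection CA " + deviceID},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	// The private key stays on this one appliance; only the certificate is distributed
	// to the clients that must trust the inspection CA.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SPKIFingerprint hashes the SubjectPublicKeyInfo: equal values mean the same key
// pair, whatever the subject, serial number or validity period says.
func SPKIFingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// HasSharedKey reports whether any two inspection CA certificates collected from a
// fleet of appliances are backed by the same key pair, the condition described above.
func HasSharedKey(certs []*x509.Certificate) bool {
	unique := map[string]bool{}
	for _, c := range certs {
		unique[SPKIFingerprint(c)] = true
	}
	return len(unique) < len(certs)
}
```

In practice the certificates fed to HasSharedKey would be exported from each appliance's SSL inspection settings; a match across two boxes means the same private key decrypts traffic on both.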