Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates

Orome1 writes "Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admins passwords, or even shut down the device. The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances." Here's Barracuda's tech note about the exploitable holes.

Original source for Advisory

SEC Consult Vulnerability Lab Security Advisory - 20130124-0

title: Critical SSH Backdoor in multiple Barracuda Networks Products

vulnerable products: Barracuda Spam and Virus Firewall
                                          Barracuda Web Filter
                                          Barracuda Message Archiver
                                          Barracuda Web Application Firewall
                                          Barracuda Link Balancer
                                          Barracuda Load Balancer
                                          Barracuda SSL VPN
                                          (all including their respective virtual "Vx" versions)

  vulnerable version: all versions Security Definition 2.0.5
            fixed version: Security Definition 2.0.5
            impact: Critical
            homepage: https://www.barracudanetworks.com/
            found: 2012-11-20
            by: S. Viehbck
            SEC Consult Vulnerability Lab
            https://www.sec-consult.com

Re:small set of ips

The blocks are:
205.158.110.0/24
216.129.105.0/24

http://cnet.robtex.com/205.158.110.html
http://cnet.robtex.com/216.129.105.html

OPENVPN

[CajunArson]

Live it, love it, use it (oh and it has commercial support too so it's not just a toy). http://openvpn.net/

Re:small set of ips

[msauve]

If you click through to the SEC report:

-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

Re:small set of ips

[cluedweasel]

According to the article, these non-Barracuda domains fall within those blocks. mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ... frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad static.medallia.com (205.158.110.229) - Domain registed by: Medallia Inc. utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc. everest.address.com (216.129.105.202) - Domain registed by: WhitePages, Inc. mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.

Re:A major flaw

What they call a "firmware update" is incorrect, from what I can tell this just patches the file that contains the allowed SSH ips and nothing more. I have one of the effected devices which does NOT have SSH enabled from outside and it downloaded and installed the "security update" on its own during its usual hourly update cycle.