Slashdot Mirror
Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates
Orome1 writes "Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admins passwords, or even shut down the device. The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances." Here's Barracuda's tech note about the exploitable holes.
SEC Consult Vulnerability Lab Security Advisory - 20130124-0
title: Critical SSH Backdoor in multiple Barracuda Networks Products
vulnerable products: Barracuda Spam and Virus Firewall
Barracuda Web Filter
Barracuda Message Archiver
Barracuda Web Application Firewall
Barracuda Link Balancer
Barracuda Load Balancer
Barracuda SSL VPN
(all including their respective virtual "Vx" versions)
vulnerable version: all versions Security Definition 2.0.5
fixed version: Security Definition 2.0.5
impact: Critical
homepage: https://www.barracudanetworks.com/
found: 2012-11-20
by: S. Viehbck
SEC Consult Vulnerability Lab
https://www.sec-consult.com