Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates

Orome1 writes "Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admins passwords, or even shut down the device. The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances." Here's Barracuda's tech note about the exploitable holes.

How about a note apologizing and closing shop

[Marrow]

SSH backdoors into security appliances? Really?

Re:How about a note apologizing and closing shop

[mvdwege]

This is Barracuda, who were still doing accept-then-bounce when even Microsoft had changed that to no longer being the default in Exchange.

Security apliances growing obsolete

Security appliances are a joke. Overpriced slabs sold by slimy salesmen to clueless PHBs to offer "security" in a box.
Security doesn't come in a box. It comes with process, documentation, and vigilance. Things alien to incompetent management.
It's no surprise that these digital snake oil machines are riddled with security holes themselves.

Anyway, these things are mostly obsolete. Why spend a fortune when your infrastructure is all VMs hosted across multiple data centers in many distinct geographic locations.

You still host your own servers? Why?

Re:Security apliances growing obsolete

Yeah, putting all of your servers in the "cloud" is the best strategy for security. Definitely.