Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates

Orome1 writes "Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admins passwords, or even shut down the device. The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances." Here's Barracuda's tech note about the exploitable holes.

How about a note apologizing and closing shop

[Marrow]

SSH backdoors into security appliances? Really?

Re:How about a note apologizing and closing shop

[mvdwege]

This is Barracuda, who were still doing accept-then-bounce when even Microsoft had changed that to no longer being the default in Exchange.

Re:How about a note apologizing and closing shop

[gandhi_2]

Shoot. It would be nice if Windows had an SSH front door.

Re:How about a note apologizing and closing shop

[dskoll]

accept-then-bounce when even Microsoft had changed that to no longer being the default in Exchange.

Sorry, it's still the default in Microsoft Exchange. I really hate Microsoft.

Re:How about a note apologizing and closing shop

[mvdwege]

That's 'Recipient Filtering' you link to. I understood that as of Exchange 2007 (plus some SP, possibly), if you turn on email lookups in AD, it defaults to reject if the user is not found.

I only got to work with Exchange once removed, as I had to advise our customers what to do to not backscatter, so if I am wrong, then I am wrong.

Of course in that case Barracuda is as bad as Microsoft, which is hardly an improvement.

Not fixed

Barracuda says they need the accounts. They will remain after the update.

Original source for Advisory

SEC Consult Vulnerability Lab Security Advisory - 20130124-0

title: Critical SSH Backdoor in multiple Barracuda Networks Products

vulnerable products: Barracuda Spam and Virus Firewall
                                          Barracuda Web Filter
                                          Barracuda Message Archiver
                                          Barracuda Web Application Firewall
                                          Barracuda Link Balancer
                                          Barracuda Load Balancer
                                          Barracuda SSL VPN
                                          (all including their respective virtual "Vx" versions)

  vulnerable version: all versions Security Definition 2.0.5
            fixed version: Security Definition 2.0.5
            impact: Critical
            homepage: https://www.barracudanetworks.com/
            found: 2012-11-20
            by: S. Viehbck
            SEC Consult Vulnerability Lab
            https://www.sec-consult.com

small set of ips

[Twillerror]

So the tech note mentions that this is only accessible from a small subset of ips...WHAT IPS!!!!!!

At least it doesn't sound like a zero day so we have time to get it patched. Since we block the management ips from our firewall it sounds like this would only effect attacks from within your network.

Re:small set of ips

The blocks are:
205.158.110.0/24
216.129.105.0/24

http://cnet.robtex.com/205.158.110.html
http://cnet.robtex.com/216.129.105.html

Re:small set of ips

[msauve]

If you click through to the SEC report:

-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

Re:small set of ips

[cluedweasel]

According to the article, these non-Barracuda domains fall within those blocks. mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ... frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad static.medallia.com (205.158.110.229) - Domain registed by: Medallia Inc. utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc. everest.address.com (216.129.105.202) - Domain registed by: WhitePages, Inc. mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.

Re:small set of ips

[54mc]

Line breaks, do you have them?

Fixed for you

According to the article, these non-Barracuda domains fall within those blocks.

mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
static.medallia.com (205.158.110.229) - Domain registed by: Medallia Inc.
utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
everest.address.com (216.129.105.202) - Domain registed by: WhitePages, Inc.
mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting

Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.

Security apliances growing obsolete

Security appliances are a joke. Overpriced slabs sold by slimy salesmen to clueless PHBs to offer "security" in a box.
Security doesn't come in a box. It comes with process, documentation, and vigilance. Things alien to incompetent management.
It's no surprise that these digital snake oil machines are riddled with security holes themselves.

Anyway, these things are mostly obsolete. Why spend a fortune when your infrastructure is all VMs hosted across multiple data centers in many distinct geographic locations.

You still host your own servers? Why?

Re:Security apliances growing obsolete

[cluedweasel]

You still host your own servers? Why?

Because our local Internet provider is an unreliable, capped mess with no real competition in the business market? Regulation also plays a part. Our industry is heavily regulated. Hosting our infrastructure is possible, but expensive. Senior management also have unrealistic uptime expectations. All in all, at this time it's more economical to keep our IT infrastructure in house.

Re:Security apliances growing obsolete

Yeah, putting all of your servers in the "cloud" is the best strategy for security. Definitely.

Re:Security apliances growing obsolete

[Charliemopps]

And in my case, we ARE the ISP... so who are we supposed to host with exactly? lol

Re:Security apliances growing obsolete

[Obfuscant]

And in my case, we ARE the ISP... so who are we supposed to host with exactly? lol

Google. That's what my local ISP just did -- handed Google all the account data and stored email and let them do all the email processing.

It was a wonderful experience. I found email on Google Mail that had been deleted from my ISP for almost two years. Since anything older than 6 months is now considered abandoned and available to the government upon request, they basically gave Google 18 months of free data to hand over to the feds. And two years of data for Google to helpfully index for me (and whatever other use they want to make of it).

And I just got my latest ISP bill. Anyone want to guess if the charges went down, now that they aren't doing anything more than shilling for Google services?

Re:Security apliances growing obsolete

[Obfuscant]

Yeah, putting all of your servers in the "cloud" is the best strategy for security. Definitely.

ISPs don't care about security as long as it isn't their systems. They care about getting phone calls for support when their data center goes offline due to a power failure or other event.

Someone having access to your email costs them nothing. Paying people to answer the phones costs them a lot. So they do like my ISP did and hand the job over to Google. They gave the "failed data center" excuse. Security obviously wasn't on their mind, since they handed all the archived email from their users, and all the usernames and passwords with it, over to a company that makes its money from indexing and scanning and selling data.

We're getting an "enhanced internet experience" in return. Kind of like calling prison rape an "enhanced incarceration experience". Not quite as physically demanding, but close. Trying to get Google Mail to actually delete something is a physically frustrating experience all in itself.

Re:Security apliances growing obsolete

[tibit]

If you need to triple your capacity in a week, there's probably a whole bunch of people who didn't do their jobs properly :)

Re:Security apliances growing obsolete

[sandytaru]

One of our clients found this out the hard way. They switched to a cloud based app, and even with a fiber connection they still have a lot of slowness and downtime. Why? Because the cloud provider was too damn greedy and signed too many clients up at once, and they just don't have the infrastructure on THEIR end to handle it. We're in negotiations to try to get a locally hosted version of the app, if it is at all possible, so we don't get unhappy emails every five minutes that the cloud app is being "slow."

Re:Security apliances growing obsolete

[tom229]

It wouldn't be a normal day of browsing slashdot without seeing the ubiquitous "cloud is the answer to everything" post.

Hosting services, software, and whole environments elsewhere is not a new solution, it just has a new name probably coined by a room full of technical illiterates looking at a visio network diagram.

'The cloud' has pros and cons like it always has, and always will. The primary downfall is of course a loss of control and accountability for your own systems. If you determine the benefits of hosting elsewhere outweigh this as well as the many other downfalls associated with offsite hosting, then do it. But the cloud is not, and never will be, the answer to everything.

OPENVPN

[CajunArson]

Live it, love it, use it (oh and it has commercial support too so it's not just a toy). http://openvpn.net/

Re:OPENVPN

SSLVPN =! Browser Based SSL VPN... There's no opensouorce Browser based SSL VPN (anymore, baracuda's SSLVPN was originally SSLExplorer...)

Re:OPENVPN

[shaiay]

Does openvpn support certificate/public key based authentication?

Re:OPENVPN

[CajunArson]

You could say that. In fact, it requires certificates & PKI to work. You can be a self-signing CA if you want, so there's no need to deal with Verisign/etc. if you don't want to. OpenVPN links to utilities that make it manageable to setup the CA and generate certificates for end users.

Re:OPENVPN

[bill_mcgonigle]

You could say that. In fact, it requires certificates & PKI to work.

You can still use shared keys if you want to avoid the CA, but you lose some features when you do that (like push options).

And, yeah, it's supported public key exchange for, what, 8 years?

Re:OPENVPN

[bill_mcgonigle]

There's no opensouorce Browser based SSL VPN

Does OpenVPN ALS not qualify?

Re:OPENVPN

[EmagGeek]

Considering the newest files for that project are from December 2008, I would say "probably not."

Re:OPENVPN

[CajunArson]

Interesting, I didn't even know it had shared-key support. I think they prefer a PKI setup and I didn't delve into all of the options in that much detail. Good call.

Cannot be by accident

[Animats]

"The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances."

That cannot have happened by accident. Barracuda Networks should be charged with material support of terrorism for this.

Re:Cannot be by accident

They can't be charged by the US government it is the US government that asked them to put those backdoors in there! (I'm dead serious BTW).

Re:Cannot be by accident

[Skiron]

If you buy any of their products, you agree to the T&C et al. Doesn't matter if they do not say what they don't say (you get the drift) if their products have back doors - that is your fault. It is interesting in the security report that they state the back door accounts that are 'hard set' will NOT be removed.

A major flaw

[Synerg1y]

Firmware updates = downtime. Required downtime rather than optional... not good.

Re:A major flaw

[characterZer0]

Firmware updates = downtime

Only if you do not have rudundant systems. Not good.

Re:A major flaw

What they call a "firmware update" is incorrect, from what I can tell this just patches the file that contains the allowed SSH ips and nothing more. I have one of the effected devices which does NOT have SSH enabled from outside and it downloaded and installed the "security update" on its own during its usual hourly update cycle.

Re:A major flaw

[Scutter]

Actually, according to the tech note, it's a definition update, not a firmware update. Most Barracuda devices install definition updates automatically and with zero downtime.

Re:A major flaw

[Synerg1y]

How many people do you know that have "redundant" firewalls?

That's like saying install 2 switches for every 1 and run twice the cabling and install twice the NIC cards. Not good.

It's a definition update though, so no downtime required.

Re:A major flaw

[characterZer0]

I have run dual Cisco PIXes, one as a hot standby. Can't the Barracudas do the same thing?

Re:A major flaw

[hesiod]

Correct: we have one of these, so I immediately went to perform the update just to find it was already done.

Re:A major flaw

[LurkerXXX]

Everyone I know who runs CARP. Redundancy is good if you care about reliability/availability.

Re:A major flaw

[jregel]

Um, the network I manage has dual Cisco ASA firewalls in an active/standby configuration.

And we install 2 switches for every 1.

If you're running business critical servers without that redundancy, you're exposing yourself to a single point of failure.

Re:A major flaw

[Zaiff+Urgulbunger]

Firmware updates = downtime. Required downtime rather than optional... not good.

On the up-side, you can definitely do this remotely! :D

Facebook security hole

They also seem to have a security hole that keeps suggesting that I like Barracuda Networks on Facebook.

No Barracudas in the fish tank...

[BoRegardless]

They jump out & bite you!

Disreputable

[ZorinLynx]

This company tried to charge my friend's employer for over a year of time during which the product wasn't being used when they tried to reactivate it after it had been in a storage closet for that time.

They wouldn't budge, either, and my friends company had to find an alternate solution.

So yeah, not doing business with them anytime soon.

Re:Disreputable

[ZorinLynx]

This is rather ridiculous. The company was pretty much shut down during the time the hardware was not in use. Why should you have to pay for a subscription during a period the hardware wasn't in use?

Imagine if Comcast tried to do this. "Yeah, you're coming back to us after two years but to use the hardware you bought you have to pay two years of back-subscription."

If you want to deny eligibility for a replacement, or base it on years of subscription, rather than ownership, it would make more sense than holding the customer hostage and unable to start using your product! You might as well put up a big sign that says "Please go to our competitor, we don't want your business."

Apologies to Heart...

[MarkGriz]

You lying so low in the weeds
I bet you gonna ambush me
You'd have me down on my knees
Now wouldn't you, Barracuda?

Re:News Flash

[s1lverl0rd]

The point is that a well known security product by a security vendor has a problem like this. This is not the kind of thing you buy off eBay from some shady guy in Ukraine or something. Barracuda sells products that will set you back thousands of bucks a year. You simply don't expect cheap tricks such as these for that kind of money. Hence newsworthy, IMHO.

Also, if you read the report, or the tech note even, it hints that the underlying issue (backdoor accounts) won't actually be fixed: "According to Barracuda Networks these accounts are essential for customer support and will not be removed."

Re: That's what you get

[Yert]

I hate to burst your bubble, but only one of the co-founders doesn't have a degree, according to the company management page -https://www.barracudanetworks.com/company/management