Slashdot Mirror


Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates

Orome1 writes "Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admin passwords, or even shut down the device. The backdoor accounts are present in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances." Here's Barracuda's tech note about the exploitable holes.

17 of 88 comments

  1. How about a note apologizing and closing shop by Marrow · · Score: 3, Insightful

    SSH backdoors into security appliances? Really?

    1. Re:How about a note apologizing and closing shop by mvdwege · · Score: 4, Insightful

      This is Barracuda, who were still doing accept-then-bounce when even Microsoft had changed that to no longer being the default in Exchange.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    2. Re:How about a note apologizing and closing shop by gandhi_2 · · Score: 5, Funny

      Shoot. It would be nice if Windows had an SSH front door.

  2. Original source for Advisory by Anonymous Coward · · Score: 5, Informative

    SEC Consult Vulnerability Lab Security Advisory - 20130124-0

    title: Critical SSH Backdoor in multiple Barracuda Networks Products

    vulnerable products: Barracuda Spam and Virus Firewall
                         Barracuda Web Filter
                         Barracuda Message Archiver
                         Barracuda Web Application Firewall
                         Barracuda Link Balancer
                         Barracuda Load Balancer
                         Barracuda SSL VPN
                         (all including their respective virtual "Vx" versions)

    vulnerable version: all versions < Security Definition 2.0.5
    fixed version: Security Definition 2.0.5
    impact: Critical
    homepage: https://www.barracudanetworks.com/
    found: 2012-11-20
    by: S. Viehböck
        SEC Consult Vulnerability Lab
        https://www.sec-consult.com

  3. Security appliances growing obsolete by Anonymous Coward · · Score: 5, Insightful

    Security appliances are a joke. Overpriced slabs sold by slimy salesmen to clueless PHBs to offer "security" in a box.
    Security doesn't come in a box. It comes with process, documentation, and vigilance. Things alien to incompetent management.
    It's no surprise that these digital snake oil machines are riddled with security holes themselves.

    Anyway, these things are mostly obsolete. Why spend a fortune when your infrastructure is all VMs hosted across multiple data centers in many distinct geographic locations.

    You still host your own servers? Why?

    1. Re:Security appliances growing obsolete by Anonymous Coward · · Score: 3, Insightful

      Yeah, putting all of your servers in the "cloud" is the best strategy for security. Definitely.

    2. Re:Security apliances growing obsolete by Obfuscant · · Score: 2

      And in my case, we ARE the ISP... so who are we supposed to host with exactly? lol

      Google. That's what my local ISP just did -- handed Google all the account data and stored email and let them do all the email processing.

      It was a wonderful experience. I found email on Google Mail that had been deleted from my ISP for almost two years. Since anything older than 6 months is now considered abandoned and available to the government upon request, they basically gave Google 18 months of free data to hand over to the feds. And two years of data for Google to helpfully index for me (and whatever other use they want to make of it).

      And I just got my latest ISP bill. Anyone want to guess if the charges went down, now that they aren't doing anything more than shilling for Google services?

    3. Re:Security appliances growing obsolete by tibit · · Score: 2

      If you need to triple your capacity in a week, there's probably a whole bunch of people who didn't do their jobs properly :)

      --
      A successful API design takes a mixture of software design and pedagogy.
  4. Re:small set of ips by Anonymous Coward · · Score: 3, Informative

    The blocks are:
    205.158.110.0/24
    216.129.105.0/24

    http://cnet.robtex.com/205.158.110.html
    http://cnet.robtex.com/216.129.105.html

  5. OPENVPN by CajunArson · · Score: 3, Informative

    Live it, love it, use it (oh and it has commercial support too so it's not just a toy). http://openvpn.net/

    --
    AntiFA: An abbreviation for Anti First Amendment.
  6. Re:small set of ips by msauve · · Score: 3, Informative

    If you click through to the SEC report:

    -A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
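Pulling the two "small set of ips" comments together (the two address blocks listed above and the SSH ACCEPT rules quoted from the SEC Consult report), here is an added Python example of the audit a defender would run on such an appliance. It is not code from the advisory, the commenters or Barracuda, and the iptables rule text and sshd log lines in it are constructed samples modelled on the comment, not real captures. It parses iptables-save style ACCEPT rules for port 22, separates the allowed source networks that are not private address space (the ones reachable from the Internet), and then scans a log excerpt for accepted SSH logins that came from those networks.

```python
import ipaddress
import re

# Constructed sample (hypothetical): ACCEPT rules in iptables-save form, modelled on
# the rules quoted in the comment above. The duplicate 205.158.110.0 entry with
# --tcp-flags mirrors the paired rules in the original and is deduplicated below.
SAMPLE_RULES = """\
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Constructed sample (hypothetical) sshd log lines in syslog format.
SAMPLE_SSHD_LOG = """\
Jan 24 10:01:02 appliance sshd[1234]: Accepted password for admin from 192.168.10.5 port 51002 ssh2
Jan 24 10:05:17 appliance sshd[1301]: Accepted publickey for admin from 205.158.110.42 port 40211 ssh2
Jan 24 10:07:44 appliance sshd[1350]: Failed password for root from 203.0.113.9 port 33012 ssh2
Jan 24 10:09:30 appliance sshd[1402]: Accepted password for root from 198.51.100.7 port 41000 ssh2
"""

RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s.*?-s\s+(?P<src>\S+).*?--dport\s+(?P<port>\d+).*?-j\s+(?P<target>\S+)"
)
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[0-9.]+) port")


def accept_sources(rules_text, port=22, chain="INPUT"):
    """Source networks that ACCEPT rules in `chain` allow to reach `port`.

    iptables prints masks in dotted form (a.b.c.d/255.255.255.0); ipaddress
    parses that directly. A set dedupes the plain and --tcp-flags variants.
    """
    nets = set()
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if not m or m.group("chain") != chain:
            continue
        if m.group("target") != "ACCEPT" or int(m.group("port")) != port:
            continue
        nets.add(ipaddress.ip_network(m.group("src"), strict=False))
    return nets


def external_sources(nets):
    """Networks that are not private (RFC 1918), loopback or link-local:
    sources outside the operator's own address space."""
    return {n for n in nets if not n.is_private}


def logins_matching(log_text, nets):
    """Accepted SSH logins whose source address falls inside one of `nets`.
    Returns (user, ip, matched_network) tuples in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        for net in nets:
            if ip in net:
                hits.append((m.group("user"), str(ip), str(net)))
                break
    return hits


def audit(rules_text, log_text, port=22):
    """Combine both checks into one report for a rule set and a log excerpt."""
    allowed = accept_sources(rules_text, port=port)
    external = external_sources(allowed)
    return {
        "allowed": sorted(str(n) for n in allowed),
        "external": sorted(str(n) for n in external),
        "logins_from_external": logins_matching(log_text, external),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RULES, SAMPLE_SSHD_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real box the inputs would be the output of `iptables-save` and the sshd entries from the system log; the two private 192.168.x networks drop out of the "external" list, the two blocks named in the comments stay in it, and the only flagged login is the one from 205.158.110.42. Matching logins against the allowed external networks rather than against all non-private addresses is deliberate: it shows access that the firewall policy itself permitted, which is the question the comments raise.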
  7. Re:A major flaw by characterZer0 · · Score: 3, Interesting

    Firmware updates = downtime

    Only if you do not have redundant systems. Not good.

    --
    Go green: turn off your refrigerator.
  8. Re:small set of ips by cluedweasel · · Score: 4, Informative

    According to the article, these non-Barracuda domains fall within those blocks.

    mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
    frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
    static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc.
    utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
    everest.address.com (216.129.105.202) - Domain registered by: WhitePages, Inc.
    mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
    outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting

    Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.

  9. Re:A major flaw by Anonymous Coward · · Score: 2, Informative

    What they call a "firmware update" is incorrect; from what I can tell this just patches the file that contains the allowed SSH IPs and nothing more. I have one of the affected devices which does NOT have SSH enabled from outside, and it downloaded and installed the "security update" on its own during its usual hourly update cycle.

  10. Re:Cannot be by accident by Skiron · · Score: 2

    If you buy any of their products, you agree to the T&C et al. Doesn't matter if they do not say what they don't say (you get the drift) if their products have back doors - that is your fault. It is interesting in the security report that they state the back door accounts that are 'hard set' will NOT be removed.

  11. Re:A major flaw by characterZer0 · · Score: 2

    I have run dual Cisco PIXes, one as a hot standby. Can't the Barracudas do the same thing?

    --
    Go green: turn off your refrigerator.
  12. Apologies to Heart... by MarkGriz · · Score: 2

    You lying so low in the weeds
    I bet you gonna ambush me
    You'd have me down on my knees
    Now wouldn't you, Barracuda?

    --
    Beauty is in the eye of the beerholder.