
Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates

Posted by timothy
from the unless-you-like-them-that-way dept.
Orome1 writes "Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admin passwords, or even shut down the device. The backdoor accounts are present in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances." Here's Barracuda's tech note about the exploitable holes.

  • by Anonymous Coward on Thursday January 24, 2013 @01:02PM (#42681717)

    SEC Consult Vulnerability Lab Security Advisory - 20130124-0 [sec-consult.com]

    title: Critical SSH Backdoor in multiple Barracuda Networks Products

    vulnerable products: Barracuda Spam and Virus Firewall
                         Barracuda Web Filter
                         Barracuda Message Archiver
                         Barracuda Web Application Firewall
                         Barracuda Link Balancer
                         Barracuda Load Balancer
                         Barracuda SSL VPN
                         (all including their respective virtual "Vx" versions)

    vulnerable version: all versions < Security Definition 2.0.5
    fixed version: Security Definition 2.0.5
    impact: Critical
    homepage: https://www.barracudanetworks.com/
    found: 2012-11-20
    by: S. Viehböck
        SEC Consult Vulnerability Lab
        https://www.sec-consult.com

  • Re:small set of ips (Score:3, Informative)

    by Anonymous Coward on Thursday January 24, 2013 @01:04PM (#42681749)

    The blocks are:
    205.158.110.0/24
    216.129.105.0/24

    http://cnet.robtex.com/205.158.110.html
    http://cnet.robtex.com/216.129.105.html

  • OPENVPN (Score:4, Informative)

    by CajunArson (465943) on Thursday January 24, 2013 @01:05PM (#42681757) Journal

    Live it, love it, use it (oh and it has commercial support too so it's not just a toy). http://openvpn.net/ [openvpn.net]

  • Re:small set of ips (Score:4, Informative)

    by msauve (701917) on Thursday January 24, 2013 @01:12PM (#42681857)
    If you click through to the SEC report:

    -A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

  • Re:small set of ips (Score:5, Informative)

    by cluedweasel (832743) on Thursday January 24, 2013 @01:21PM (#42681975) Homepage
    According to the article, these non-Barracuda domains fall within those blocks.

    mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
    frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
    static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc.
    utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
    everest.address.com (216.129.105.202) - Domain registered by: WhitePages, Inc.
    mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
    outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting

    Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.

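
An added example, not part of any comment in this thread or of the SEC Consult report: a short Python audit that parses iptables rules like those quoted above, reports which SSH ACCEPT sources lie outside RFC 1918 space, and checks which host addresses mentioned in the thread fall inside them. The function names and the address 192.0.2.10 are constructed here; negated matches (`!`) and IPv6 sources are not handled.

```python
import ipaddress
import shlex

# Subset of the rules quoted in the thread from the SEC Consult report.
RULES = """\
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
"""
# Two addresses named in the thread, plus one constructed address (192.0.2.10).
HOSTS = ["205.158.110.135", "216.129.105.202", "192.0.2.10"]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_rule(line):
    """Return (chain, source network, dport spec, target), or None if not an -A rule."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    opts = {}
    for flag, value in zip(tok[2:], tok[3:]):
        if flag in ("-s", "--dport", "-j"):
            opts[flag] = value
    # A rule without -s matches any source; dotted-netmask notation is accepted.
    src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
    return tok[1], src, opts.get("--dport"), opts.get("-j")

def covers_port(spec, port):
    """True if an iptables --dport value (single port or lo:hi range) includes port."""
    if spec is None:
        return True  # no --dport: the rule applies to every port
    lo, sep, hi = spec.partition(":")
    return int(lo) == port if not sep else int(lo or 0) <= port <= int(hi or 65535)

def exposed_sources(rules_text, port=22):
    """Non-RFC 1918 networks that an INPUT ACCEPT rule lets reach port."""
    found = []
    for chain, src, dport, target in filter(None, map(parse_rule, rules_text.splitlines())):
        internal = any(src.subnet_of(p) for p in RFC1918)
        if (chain, target) == ("INPUT", "ACCEPT") and covers_port(dport, port) \
                and not internal and src not in found:
            found.append(src)
    return found

def match_hosts(hosts, networks):
    """Map each host address to the allowed network containing it, or None."""
    return {h: next((str(n) for n in networks if ipaddress.ip_address(h) in n), None)
            for h in hosts}
```

On a live system the input would be the output of `iptables-save` rather than the embedded sample.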
  • Re:A major flaw (Score:2, Informative)

    by Anonymous Coward on Thursday January 24, 2013 @01:33PM (#42682107)

    What they call a "firmware update" is incorrect; from what I can tell, this just patches the file that contains the allowed SSH IPs and nothing more. I have one of the affected devices, which does NOT have SSH enabled from outside, and it downloaded and installed the "security update" on its own during its usual hourly update cycle.
