
Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates

Posted by timothy
from the unless-you-like-them-that-way dept.
Orome1 writes "Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admin passwords, or even shut down the device. The backdoor accounts are present in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances." Here's Barracuda's tech note about the exploitable holes.

  • by Marrow (195242) on Thursday January 24, 2013 @01:58PM (#42681669)

    SSH backdoors into security appliances? Really?

  • by Anonymous Coward

    Barracuda says they need the accounts. They will remain after the update.

  • by Anonymous Coward on Thursday January 24, 2013 @02:02PM (#42681717)

    SEC Consult Vulnerability Lab Security Advisory - 20130124-0 [sec-consult.com]

    title: Critical SSH Backdoor in multiple Barracuda Networks Products

    vulnerable products: Barracuda Spam and Virus Firewall
                         Barracuda Web Filter
                         Barracuda Message Archiver
                         Barracuda Web Application Firewall
                         Barracuda Link Balancer
                         Barracuda Load Balancer
                         Barracuda SSL VPN
                         (all including their respective virtual "Vx" versions)

    vulnerable version: all versions < Security Definition 2.0.5
    fixed version: Security Definition 2.0.5
    impact: Critical
    homepage: https://www.barracudanetworks.com/
    found: 2012-11-20
    by: S. Viehböck
        SEC Consult Vulnerability Lab
        https://www.sec-consult.com

  • So the tech note mentions that this is only accessible from a small subset of ips...WHAT IPS!!!!!!

    At least it doesn't sound like a zero day so we have time to get it patched. Since we block the management ips from our firewall it sounds like this would only affect attacks from within your network.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      The blocks are:
      205.158.110.0/24
      216.129.105.0/24

      http://cnet.robtex.com/205.158.110.html
      http://cnet.robtex.com/216.129.105.html

      • Re:small set of ips (Score:5, Informative)

        by cluedweasel (832743) on Thursday January 24, 2013 @02:21PM (#42681975) Homepage
        According to the article, these non-Barracuda domains fall within those blocks. mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ... frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc. utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc. everest.address.com (216.129.105.202) - Domain registered by: WhitePages, Inc. mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.
        • by X0563511 (793323)

          Line breaks, do you have them?

          • by Skapare (16644)

            You can always add your own. I did. And no, I am not sharing my line breaks today.

          • by 54mc (897170)

            Line breaks, do you have them?

            Fixed for you

            According to the article, these non-Barracuda domains fall within those blocks.

            mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
            frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
            static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc.
            utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
            everest.address.com (216.129.105.202) - Domain registered by: WhitePages, Inc.
            mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
            outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting

            Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.

    • Re:small set of ips (Score:4, Informative)

      by msauve (701917) on Thursday January 24, 2013 @02:12PM (#42681857)
      If you click through to the SEC report:

      -A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
      -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
      -A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
      -A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

  • by Anonymous Coward on Thursday January 24, 2013 @02:04PM (#42681739)

    Security appliances are a joke. Overpriced slabs sold by slimy salesmen to clueless PHBs to offer "security" in a box.
    Security doesn't come in a box. It comes with process, documentation, and vigilance. Things alien to incompetent management.
    It's no surprise that these digital snake oil machines are riddled with security holes themselves.

    Anyway, these things are mostly obsolete. Why spend a fortune when your infrastructure is all VMs hosted across multiple data centers in many distinct geographic locations.

    You still host your own servers? Why?

    • You still host your own servers? Why?

      Because our local Internet provider is an unreliable, capped mess with no real competition in the business market? Regulation also plays a part. Our industry is heavily regulated. Hosting our infrastructure is possible, but expensive. Senior management also have unrealistic uptime expectations. All in all, at this time it's more economical to keep our IT infrastructure in house.

      • And in my case, we ARE the ISP... so who are we supposed to host with exactly? lol

        • by Obfuscant (592200)

          And in my case, we ARE the ISP... so who are we supposed to host with exactly? lol

          Google. That's what my local ISP just did -- handed Google all the account data and stored email and let them do all the email processing.

          It was a wonderful experience. I found email on Google Mail that had been deleted from my ISP for almost two years. Since anything older than 6 months is now considered abandoned and available to the government upon request, they basically gave Google 18 months of free data to hand over to the feds. And two years of data for Google to helpfully index for me (and whateve

      • One of our clients found this out the hard way. They switched to a cloud based app, and even with a fiber connection they still have a lot of slowness and downtime. Why? Because the cloud provider was too damn greedy and signed too many clients up at once, and they just don't have the infrastructure on THEIR end to handle it. We're in negotiations to try to get a locally hosted version of the app, if it is at all possible, so we don't get unhappy emails every five minutes that the cloud app is being "slow."
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Yeah, putting all of your servers in the "cloud" is the best strategy for security. Definitely.

      • by Obfuscant (592200)

        Yeah, putting all of your servers in the "cloud" is the best strategy for security. Definitely.

        ISPs don't care about security as long as it isn't their systems. They care about getting phone calls for support when their data center goes offline due to a power failure or other event.

        Someone having access to your email costs them nothing. Paying people to answer the phones costs them a lot. So they do like my ISP did and hand the job over to Google. They gave the "failed data center" excuse. Security obviously wasn't on their mind, since they handed all the archived email from their users, and all th

    • by tom229 (1640685)
      It wouldn't be a normal day of browsing slashdot without seeing the ubiquitous "cloud is the answer to everything" post.

      Hosting services, software, and whole environments elsewhere is not a new solution, it just has a new name probably coined by a room full of technical illiterates looking at a visio network diagram.

      'The cloud' has pros and cons like it always has, and always will. The primary downfall is of course a loss of control and accountability for your own systems. If you determine the benefit
  • OPENVPN (Score:4, Informative)

    by CajunArson (465943) on Thursday January 24, 2013 @02:05PM (#42681757) Journal

    Live it, love it, use it (oh and it has commercial support too so it's not just a toy). http://openvpn.net/ [openvpn.net]

    • by Anonymous Coward

      SSLVPN != Browser Based SSL VPN... There's no open source Browser based SSL VPN (anymore, Barracuda's SSLVPN was originally SSLExplorer...)

    • by shaiay (21101)
      Does openvpn support certificate/public key based authentication?
      • You could say that. In fact, it requires certificates & PKI to work. You can be a self-signing CA if you want, so there's no need to deal with Verisign/etc. if you don't want to. OpenVPN links to utilities that make it manageable to set up the CA and generate certificates for end users.

        • You could say that. In fact, it requires certificates & PKI to work.

          You can still use shared keys if you want to avoid the CA, but you lose some features when you do that (like push options).

          And, yeah, it's supported public key exchange for, what, 8 years?

          • Interesting, I didn't even know it had shared-key support. I think they prefer a PKI setup and I didn't delve into all of the options in that much detail. Good call.

  • "The backdoor accounts are present in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances."

    That cannot have happened by accident. Barracuda Networks should be charged with material support of terrorism for this.

    • by Anonymous Coward

      They can't be charged by the US government it is the US government that asked them to put those backdoors in there! (I'm dead serious BTW).

    • by Skiron (735617)
      If you buy any of their products, you agree to the T&C et al. Doesn't matter if they do not say what they don't say (you get the drift) if their products have back doors - that is your fault. It is interesting in the security report that they state the back door accounts that are 'hard set' will NOT be removed.
  • Firmware updates = downtime. Required downtime rather than optional... not good.
    • Re:A major flaw (Score:4, Interesting)

      by characterZer0 (138196) on Thursday January 24, 2013 @02:20PM (#42681963)

      Firmware updates = downtime

      Only if you do not have redundant systems. Not good.

      • by Synerg1y (2169962)
        How many people do you know that have "redundant" firewalls?

        That's like saying install 2 switches for every 1 and run twice the cabling and install twice the NIC cards. Not good.

        It's a definition update though, so no downtime required.
        • I have run dual Cisco PIXes, one as a hot standby. Can't the Barracudas do the same thing?

        • by LurkerXXX (667952)

          Everyone I know who runs CARP [openbsd.org]. Redundancy is good if you care about reliability/availability.

        • by jregel (39009)

          Um, the network I manage has dual Cisco ASA firewalls in an active/standby configuration.

          And we install 2 switches for every 1.

          If you're running business critical servers without that redundancy, you're exposing yourself to a single point of failure.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      What they call a "firmware update" is incorrect, from what I can tell this just patches the file that contains the allowed SSH ips and nothing more. I have one of the affected devices which does NOT have SSH enabled from outside and it downloaded and installed the "security update" on its own during its usual hourly update cycle.

      • by hesiod (111176)

        Correct: we have one of these, so I immediately went to perform the update just to find it was already done.

    • by Scutter (18425)

      Actually, according to the tech note, it's a definition update, not a firmware update. Most Barracuda devices install definition updates automatically and with zero downtime.

    • Firmware updates = downtime. Required downtime rather than optional... not good.

      On the up-side, you can definitely do this remotely! :D

  • by Anonymous Coward

    They also seem to have a security hole that keeps suggesting that I like Barracuda Networks on Facebook.

  • Well known & popular product ships with security issues- company fixes said issues. Srsly... /.????
    • The point is that a well known security product by a security vendor has a problem like this. This is not the kind of thing you buy off eBay from some shady guy in Ukraine or something. Barracuda sells products that will set you back thousands of bucks a year. You simply don't expect cheap tricks such as these for that kind of money. Hence newsworthy, IMHO.

      Also, if you read the report, or the tech note even, it hints that the underlying issue (backdoor accounts) won't actually be fixed: "According to Barrac

  • AAaaaaaaaaaaaaaaaahhhhh.....BARRACUDA!!!! :oP
  • They jump out & bite you!

  • This company tried to charge my friend's employer for over a year of time during which the product wasn't being used when they tried to reactivate it after it had been in a storage closet for that time.

    They wouldn't budge, either, and my friend's company had to find an alternate solution.

    So yeah, not doing business with them anytime soon.
