Barracuda Networks users advised to update to version 2.0.5 after backdoor disclosure

Stefan Viehböck, a security researcher at SEC Consult Vulnerability Lab, discovered the vulnerabilities on November 20, 2012. A timeline in the SEC Consult advisory shows that SEC Consult worked with Barracuda, first notifying the company of the vulnerabilities on November 29, 2012, and then following a co-ordinated disclosure this week: Barracuda released its alert and Security Definitions update 2.0.5 on Wednesday, while SEC Consult published its advisory on Thursday.

The problem is the existence of several undocumented admin accounts on the affected appliances. These can be accessed both from the device console and also externally via SSH. SSH access is limited to a whitelist of IP addresses, both public and private. “The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities - all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet,” warns SEC Consult. “A breach of any server in the whitelisted ranges enables an attack against all affected Barracuda Networks appliances on the web.”

Barracuda’s solution is to change the sshd configuration so that two of the accounts can be accessed only with a public/private key pair, while the third keeps a password-protected login. SEC Consult notes that remote access via SSH remains, and argues that this is not an overly impressive solution. “This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks.”

Viehböck continues, “In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them.”

SEC Consult’s recommendation is to place the appliances behind a firewall and block all incoming traffic to TCP port 22; but it also notes, “Barracuda Networks offers an expert option that disables the SSH daemon. For assistance contact the Barracuda Networks Support.”
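The sshd configuration change described above, and SEC Consult's point that a password-protected root login is the residual weak link, can be checked mechanically. The following is an added example written for this article; it is not Barracuda's configuration or SEC Consult's tooling. It is a small Python auditor that parses an sshd_config, applies sshd's Match-block precedence rules, and lists which whitelisted accounts can still authenticate by password from ranges that are not RFC 1918 private space. The account names 'root' and 'remote' come from the advisory text quoted above; the 'support' account, the AllowUsers layout and all CIDR ranges (192.0.2.0/24, an RFC 5737 documentation range, standing in for a public whitelist range) are constructed assumptions.

```python
"""Audit an OpenSSH sshd_config for support accounts that stay reachable by
password from an IP whitelist. Added illustrative example, not Barracuda's
real configuration: the 'support' account, the AllowUsers layout and every
CIDR range below are constructed (192.0.2.0/24 stands in for a public range)."""
import ipaddress
import re

# sshd_config(5) defaults for the keywords this auditor tracks.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host):
    """True only for an IPv4 network provably inside RFC 1918 space."""
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return False  # hostname or wildcard: cannot prove it is private
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def parse_sshd_config(text):
    """Return (global_opts, match_blocks), match_blocks being (users, opts)
    pairs in file order. Only 'Match User' criteria are modelled. Keywords
    are lower-cased and the first value wins within a section, as in sshd."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            users = set()
            for crit, arg in zip(tokens[::2], tokens[1::2]):
                if crit.lower() == "user":
                    users.update(arg.split(","))
            current = (users, {})
            blocks.append(current)
            continue
        target = global_opts if current is None else current[1]
        target.setdefault(key, value)
    return global_opts, blocks


def effective(key, user, global_opts, blocks):
    """First satisfied Match block that sets the keyword overrides the global
    section; otherwise the global value, then sshd's compiled-in default."""
    for users, opts in blocks:
        if user in users and key in opts:
            return opts[key]
    return global_opts.get(key, DEFAULTS.get(key, ""))


def audit(text):
    """One finding per AllowUsers entry: who may log in, from where, and
    which authentication methods sshd will offer that account."""
    global_opts, blocks = parse_sshd_config(text)
    findings = []
    for pattern in global_opts.get("allowusers", "").split():
        user, _, host = pattern.partition("@")
        findings.append({
            "user": user,
            "from": host or "anywhere",
            "password": effective("passwordauthentication", user, global_opts, blocks).lower() == "yes",
            "pubkey": effective("pubkeyauthentication", user, global_opts, blocks).lower() == "yes",
            "public_source": not is_rfc1918(host) if host else True,
        })
    return findings


def risky(findings):
    """Accounts a third party inside a public whitelist range could brute-force:
    password login enabled and source range not provably private."""
    return sorted({f["user"] for f in findings if f["password"] and f["public_source"]})


WEAK_CONFIG = """
# Constructed 'before' state: every support account accepts a password.
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers root@10.20.0.0/16 root@192.0.2.0/24 remote@192.0.2.0/24 support@192.0.2.0/24
"""

HARDENED_CONFIG = """
# Constructed 'after' state modelled on the described fix: key-only for
# 'remote' and 'support', password login still permitted for 'root'.
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers root@10.20.0.0/16 root@192.0.2.0/24 remote@192.0.2.0/24 support@192.0.2.0/24
Match User root
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for finding in audit(cfg):
            print(name, finding)
        print(name, "password-reachable from public ranges:", risky(audit(cfg)))
```

Run stand-alone, it prints the findings for both constructed configurations; the hardened one still reports root, which is precisely the residual risk SEC Consult describes. The auditor reasons only about sshd's own policy and says nothing about network reachability, so a firewall rule dropping inbound TCP port 22, or disabling the daemon outright, remains a separate control.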

Viehböck separately discovered vulnerabilities in the Barracuda SSL VPN that allowed unauthenticated access to the Java system properties and other critical API functions. This has been fixed in the latest Security Definitions 2.0.5.

Steve Pao, VP Product Management at Barracuda Networks, responded to our request for comment:

"The specific discovery was related to access from the default limited set of IP addresses used by the system to initiate remote support tunnels to Barracuda Technical Support. We have released a security definition to existing Barracuda Networks appliances that minimises potential attack vectors. Individual customers should contact Barracuda Networks Technical Support if they need more information. As we do with all issues reported through our "Bug Bounty" programme, we have acknowledged the SEC Consulting's reporting of the issues in both the release notes with our security definition and on the Tech Alerts section of our website."
