Multiple Barracuda appliances -- including its firewall, SSL VPN server, and load balancer devices – have security flaws that can be exploited by attackers to remotely access and gain shell-level access to the appliances.
In particular, SEC Consult said it had found multiple backdoor accounts -- hardcoded usernames and passwords -- built into some Barracuda products, including an account called "product," for which it had been able to crack the password and then gain full access to the system. That access allowed it to alter a MySQL database on the device "to add new users with administrative privileges to the appliance configuration," according to SEC Consult's security advisory. "Furthermore it was possible to enable diagnostic/debugging functionality which could be used to gain root access on the system (confirmed in Barracuda SSL VPN)." In other words, outsiders could remotely access and authenticate to a Barracuda SSL VPN, using SSH.
[ In other vendor security woes, Sony pays for PlayStation data breach. Read Sony Slapped With $390,000 U.K. Data Breach Fine. ]
SEC Consult coordinated the release of its vulnerability warning with Barracuda Networks, which confirmed the vulnerabilities Wednesday, just two months after first being notified of the flaws, which for a vendor is a relatively speedy turnaround. In the case of the SSL VPN vulnerability, "our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-[privileged] account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit," Barracuda Networks said in a statement.
Barracuda confirmed that the backdoor vulnerabilities are present on the following Barracuda-named products: Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN. "All Barracuda Networks appliances with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are potentially affected," said the company's security advisory.
Barracuda recommended that all customers "immediately" update their Barracuda security definitions to v2.0.5, ensure the products' security definitions are set to "on," and check that they're using the most recent firmware. All vulnerable Internet-facing products using a previous security definitions version are at risk of being exploited.
But Barracuda's security advisory suggested that the new security definitions -- used by the devices' firmware -- wouldn't fully mitigate the SSH access threat on the SSL VPN server, noting that "while this update drastically minimizes potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired." In fact, full mitigation requires disabling all SSH access, by disabling the SSH daemon built on the devices.
According to SEC Consult, however, the security definitions update still leaves three accounts on all devices -- cluster, remote, root -- which Barracuda told it are "essential for customer support and will not be removed." But SEC Consult warned that the password for the "root" account can be cracked, if it isn't sufficiently strong, and noted that although only Barracuda possesses the private key for the passwords for the "cluster" and "remote" accounts, this is a security problem. "This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks," said SEC Consult. "In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them."
According to SEC Consult, one workaround is to "place the appliances behind a firewall and block any incoming traffic (local and Internet) to port 22," to block outside attempts to exploit the hardwired accounts.
SEC Consult has so far only detailed the Barracuda device vulnerabilities and related proof-of-concept exploit code in general terms, but promised to release full details soon. "URLs and other exploit code (passwords) have been removed from this advisory," said the company's warning. "A detailed advisory will be released within a month including the omitted information."
Security isn't necessarily the first thing people think of when they consider enterprise directories. But directories can be used in a number of ways to tighten and extend your organization's security. A Guide To Security And Enterprise Directories report, we examine enterprise directories—through the lens of Microsoft Active Directory -- and their potential as a solution for a wide array of security initiatives. (Free registration required.)