Researcher says backdoors are open in many Barracuda boxes. “For support tunnels” says Barracuda
Given the hysteria in the US over unproven backdoors in gear from Chinese vendors like Huawei, it may come as a shock that one of its own vendors purposefully places them in network security boxes.
Stefan Viehböck of SEC Consult Vulnerability Lab found backdoors in almost all Barracuda appliances, reporting them to the vendor back in November. Boxes were preconfigured to accept secure shell (SSH) connections from a set of pre-defined user accounts from a list of IP ranges, according to Viehböck.
There were two security problems with this. First, the passwords needed to access those user accounts were not difficult to find or crack, Viehböck said. He claimed to have cracked a number of passwords relating to backdoor accounts called “product”, “support”, “ca” and “websupport”. For the “product” account, he was able to get a shell to run on the appliance and could access the MySQL database to add new users with administrative privileges to the appliance configuration.
Barracuda had created those accounts to update products or provide support. But the researcher found a further problem. He noted that the appliance network filtering on Barracuda kit was allowing access via SSH from those user accounts only if they came from whitelisted IP ranges, both public and private.
That would be acceptable if only Barracuda occupied the whitelisted public IP ranges. But here’s where things get sticky: “Public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities – all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet.” That means anyone with a host in those public ranges could have been spying on users of Barracuda gear, which include major corporations and government entities.
Affected products include Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer and Barracuda SSL VPN.
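For operators of such appliances, the practical question is whether the vendor-preconfigured accounts have been used, and from where. The following is an added example written for this article, not code from SEC Consult or Barracuda: it classifies OpenSSH authentication lines for the account names the researcher cited, distinguishing logins from an operator-approved support source, from internal hosts, and from unlisted external addresses. The approved range, the internal networks and the sample log lines are constructed placeholders; the article does not give Barracuda’s real IP ranges.

```python
import ipaddress
import re

# Account names the SEC Consult research cited as preconfigured on the appliances.
VENDOR_ACCOUNTS = {"product", "support", "ca", "websupport"}

# Source addresses the operator has agreed may open vendor support tunnels.
# Constructed placeholder (RFC 5737 test net); the article lists no real ranges.
APPROVED_SUPPORT_SOURCES = [ipaddress.ip_network("192.0.2.0/24")]

# The operator's own internal address space (RFC 1918, assumed for the example).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches OpenSSH authentication results, e.g.
# "Accepted password for product from 198.51.100.23 port 51622 ssh2"
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def classify(line):
    """Return a finding for one sshd log line, or None if it needs no attention."""
    m = AUTH_RE.search(line)
    if not m or m.group("user") not in VENDOR_ACCOUNTS:
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    if m.group("result") == "Failed":
        verdict = "guessing-vendor-account"            # someone probing a known account name
    elif any(ip in net for net in APPROVED_SUPPORT_SOURCES):
        verdict = "vendor-login-from-approved-source"  # expected, but keep an audit trail
    elif any(ip in net for net in INTERNAL_NETWORKS):
        verdict = "vendor-login-from-internal-host"    # account used from inside the estate
    else:
        verdict = "vendor-login-from-unlisted-external-source"
    return {"user": m.group("user"), "source": str(ip), "verdict": verdict}


def audit(lines):
    """Run classify over a log and return the findings in order."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log; not captured from a real appliance.
SAMPLE_LOG = [
    "Jan 12 03:14:07 appliance sshd[2112]: Accepted password for product from 198.51.100.23 port 51622 ssh2",
    "Jan 12 03:15:40 appliance sshd[2120]: Accepted password for support from 192.0.2.17 port 40001 ssh2",
    "Jan 12 03:16:02 appliance sshd[2131]: Accepted publickey for admin from 10.0.0.5 port 40210 ssh2",
    "Jan 12 03:17:55 appliance sshd[2140]: Accepted password for websupport from 10.1.2.3 port 50011 ssh2",
    "Jan 12 03:18:09 appliance sshd[2142]: Failed password for ca from 203.0.113.9 port 33001 ssh2",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the admin login is ignored and the four vendor-account events are each given a verdict; in practice the approved list would hold whatever addresses the vendor has documented for its support tunnels.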
“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses,” Barracuda noted in its advisory, saying the threat was only of “medium” severity.
“The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit.”
Barracuda Networks’ vice president for product management Steve Pao sent across the following statement:
“The specific discovery was related to access from the default limited set of IP addresses used by the system to initiate remote support tunnels to Barracuda Technical Support. We have released a security definition to existing Barracuda Networks appliances that minimises potential attack vectors. Individual customers should contact Barracuda Networks Technical Support if they need more information. As we do with all issues reported through our “Bug Bounty” programme, we have acknowledged the SEC Consulting’s reporting of the issues in both the release notes with our security definition and on the Tech Alerts section of our website.”
This article appeared on TechWeekEurope.