Barracuda Networks confirms exploitable backdoors in its appliances
Posted on 24 January 2013.
Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admins passwords, or even shut down the device.


The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances.

"Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-priveleged account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit," Barracuda explained via a tech alert published on Wednesday.

They advise customers using any of the aforementioned devices to update their security definitions to v2.0.5 immediately.

Still, according to Stefan Viehbock, the SEC Consult Vulnerability Lab researcher that discovered the vulnerabilities back in December 2012, the patch hasn't handled the one that allows both servers run by Barracuda Networks and those from other, unaffiliated entities to access SSH on all affected Barracuda Networks appliances exposed to the Internet.

If any of these servers get compromised, an attack against all affected Barracuda Networks appliances on the web is possible, so he offered a workaround for the problem in the security advisory he released about this issue.

Updating security definitions to v2.0.5 resolves also the authentication bypass vulnerability that affects the most recent version of Barracuda SSL VPN (v2.2.2.203), and which can be misused to gain unauthenticated access to the device and disable access restrictions for the "API" functionality, consequently allowing the attacker to do serious damage by downloading databases, configuration files, changing admin passwords and more.






Spotlight

How to keep your contactless payments secure

Posted on 19 September 2014.  |  Fraudsters can pickpocket a victimís financial data using low-cost electronics that can fit into a rucksack. Here are the top security threats you should be aware of if youíre using a RF-based card, along with our top safety tips to keep your payments secure.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Mon, Sep 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //