Backdoors Mitigated in a Number of Barracuda Networks Products

Several undocumented remote administration backdoors were discovered in a number of Barracuda Networks products that could provide not only the company with access to the affected appliances, but also provide that access to a number of other outside entities.

Barracuda said in a statement it pushed a new set of security definitions to all of its appliances and recommends customers update their definitions to v2.0.5 immediately.

The backdoors were discovered by an Austrian security company, SEC Consult Vulnerability Lab, in November; details were not disclosed until yesterday when Barracuda responded with its mitigations.

Stefan Viehböck said the backdoor accounts enabled remote access to Internet-facing Barracuda appliances via SSH. Only IP addresses within a whitelisted public and private range, which includes servers hosted by Barracuda and a number of others outside the company, were able to access the appliances. Outsiders, in some instances, could also set their local IP address on a local network to one within the private range and be able to access SSH.

“A breach of any server in the whitelisted ranges enables an attack against all affected Barracuda Networks appliances on the web,” Viehböck said in his company’s advisory. “This functionality is entirely undocumented and can only be disabled via a hidden ‘expert options’ dialog.”
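The access model described above, SSH reachable only from an allowlist that mixes vendor-controlled public ranges with a private range any LAN host could assume, is something an appliance owner can audit from the host firewall rules. The following is an added example, not code from Barracuda or SEC Consult; the iptables-save excerpt and the approved support range are constructed for illustration.

```python
import ipaddress
import re

# Constructed `iptables-save` excerpt, NOT a real Barracuda rule set: SSH (tcp/22)
# is accepted from a public support range, an RFC 1918 range, and one open rule.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Source ranges the operator knowingly approved for remote support (assumed).
APPROVED = [ipaddress.ip_network("198.51.100.0/24")]

# RFC 1918 space: any host on the appliance's LAN can pick an address here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RULE_RE = re.compile(r"^-A INPUT(?: -s (?P<src>\S+))?.*--dport (?P<port>\d+).*-j ACCEPT$")


def audit_ssh_allowlist(rules_text, approved=APPROVED, port=22):
    """Return (source, reason) for every INPUT ACCEPT rule exposing `port`.
    'any'     - no source restriction, or an explicit 0.0.0.0/0
    'private' - source overlaps RFC 1918, so a LAN host could assume it
    'unknown' - public source that is not inside an approved range
    """
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or int(m.group("port")) != port:
            continue
        src = m.group("src")
        net = ipaddress.ip_network(src or "0.0.0.0/0", strict=False)
        if net.prefixlen == 0:
            findings.append(("0.0.0.0/0", "any"))
        elif any(net.overlaps(r) for r in RFC1918):
            findings.append((src, "private"))
        elif not any(net.subnet_of(a) for a in approved):
            findings.append((src, "unknown"))
    return findings


if __name__ == "__main__":
    for src, reason in audit_ssh_allowlist(SAMPLE_RULES):
        print(f"tcp/22 accepted from {src}: {reason}")
```

Run against the real output of `iptables-save` on an appliance you administer; a rule whose source sits inside an approved range produces no finding, so the list that remains is exactly the set of SSH entry points nobody signed off on.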

Barracuda said its Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Web Application Firewall, Barracuda Message Archiver, Barracuda Link Balancer, Barracuda Load Balancer and Barracuda SSL VPN are affected. The company noted that its Barracuda NG Firewall, Barracuda Firewall and Barracuda Backup were not affected, and neither were any of the aforementioned appliances if they were running behind a firewall.

Viehböck said he was able to crack the password hashes on a number of backdoor accounts and in one case was able to get in with “product” as a user name and no password.

“It was confirmed that this user can access the MySQL database (root@localhost with no password) to add new users with administrative privileges to the appliance configuration,” he wrote. “Furthermore, it was possible to enable diagnostic/debugging functionality which could be used to gain root access on the system.”

He was able to confirm this on the Barracuda SSL VPN; Barracuda confirmed the vulnerabilities on the other products noted earlier.

Viehböck also noted that timestamps on the iptables suggest the backdoors have likely been in place since 2003. Barracuda said it was not aware of any intrusions using its support tools for malicious purposes.

Barracuda also addressed another vulnerability discovered by Viehböck in the Barracuda SSL VPN appliance where an attacker could gain unauthenticated access to configuration files and get database dumps from version 2.2.2.203 of the appliance.