(LiveHacking.Com) – Several different products from Barracuda Networks, including its Spam and Virus Firewall, all have secret backdoors which under the right circumstances can give hackers administrative access to the devices.
The revelations comes from Austrian security company SEC Consult Vulnerability Lab, which reports that the undocumented accounts can not be disabled and can be used to gain remote access to the appliance via SSH.
The following products are affected: Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer, Barracuda SSL VPN, CudaTel. The Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are not affected.
In an attempt to limit access to the backdoor, Barracude added network rules which only allow access to SSH from certain IP addresses. Internal connections from 192.168.200.0/24 and 192.168.10.0/24 are allowed while public access is granted from public IP addresses in the 220.127.116.11/24 and 18.104.22.168/24 ranges. The problem is that only some of those addresses are owned and controlled by Barracuda, the others are not.
Barracuda were informed of the vulnerabilities at the end of November. Stefan Viehböck of SEC Consult Vulnerability Lab reported two issues affecting Barracuda devices where “an attacker could use to gain unauthorized access to the appliance.”
“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-priveleged account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit,” said Barracuda in an advisory.
Barracuda vice president for product management Steve Pao spoke to The Register and said that the accounts are used for support purposes but admitted that the setup is flawed. Barracuda will also pay an “unspecified bounty” for finding the flaw.
Barracuda recommends that its customers update the Security Definitions on their devices to v2.0.5 immediately. It added that “while this update drastically minimizes potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired.”