December 18, 2014

SSH backdoor found in Barracuda Networks products

(LiveHacking.Com) – Several different products from Barracuda Networks, including its Spam and Virus Firewall, all have secret backdoors which, under the right circumstances, can give hackers administrative access to the devices.

The revelation comes from Austrian security company SEC Consult Vulnerability Lab, which reports that the undocumented accounts cannot be disabled and can be used to gain remote access to the appliance via SSH.

The following products are affected: Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer, Barracuda SSL VPN, CudaTel. The Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are not affected.

In an attempt to limit access to the backdoor, Barracuda added network rules which only allow access to SSH from certain IP addresses. Internal connections from 192.168.200.0/24 and 192.168.10.0/24 are allowed, while public access is granted from public IP addresses in the 205.158.110.0/24 and 216.129.105.0/24 ranges. The problem is that only some of those addresses are owned and controlled by Barracuda; the others are not.
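The four ranges above are concrete enough to check logs against. As an added example (not code from SEC Consult's or Barracuda's advisories), this Python script flags SSH logins whose source falls in those ranges; it assumes OpenSSH-style syslog lines collected from the appliance or an upstream log host, and the sample log is constructed.

```python
import ipaddress
import re

# Source ranges the article says are allowed to reach SSH on affected appliances.
ARTICLE_RANGES = [ipaddress.ip_network(n) for n in (
    "192.168.200.0/24", "192.168.10.0/24",
    "205.158.110.0/24", "216.129.105.0/24")]

# OpenSSH-style auth lines (assumed log format, not taken from the article).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

# Constructed sample: hosts, users and addresses are made up for illustration.
SAMPLE_LOG = """\
Jan 24 10:01:02 gw1 sshd[811]: Accepted password for admin from 10.0.0.5 port 50122 ssh2
Jan 24 10:03:40 gw1 sshd[822]: Accepted password for svc_example from 205.158.110.77 port 41811 ssh2
Jan 24 10:04:10 gw1 sshd[830]: Failed password for invalid user test from 216.129.105.9 port 40000 ssh2
Jan 24 10:04:55 gw1 sshd[836]: Accepted publickey for ops from 192.168.10.20 port 39111 ssh2
Jan 24 10:05:00 gw1 sshd[841]: Accepted publickey for ops from 192.168.201.4 port 39000 ssh2
Jan 24 10:06:30 gw1 sshd[850]: Failed password for root from 203.0.113.9 port 52000 ssh2
"""

def classify(addr):
    """Return the article range containing addr, or None if it is outside all of them."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # hostname or malformed value in the source field
    return next((n for n in ARTICLE_RANGES if ip in n), None)

def find_hits(log_text):
    """Return (severity, outcome, user, source, range) for logins from the listed ranges."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, addr = m.groups()
        net = classify(addr)
        if net is None:
            continue
        # An accepted login from a routable range is the case to escalate first.
        severity = "high" if outcome == "Accepted" and not net.is_private else "review"
        hits.append((severity, outcome, user, addr, str(net)))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit)
```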

Barracuda were informed of the vulnerabilities at the end of November. Stefan Viehböck of SEC Consult Vulnerability Lab reported two issues affecting Barracuda devices that “an attacker could use to gain unauthorized access to the appliance.”

“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit,” said Barracuda in an advisory.

Barracuda vice president for product management Steve Pao spoke to The Register and said that the accounts are used for support purposes but admitted that the setup is flawed. Barracuda will also pay an “unspecified bounty” for finding the flaw.

Barracuda recommends that its customers update the Security Definitions on their devices to v2.0.5 immediately. It added that “while this update drastically minimizes potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired.”

Vulnerability Found in How Windows 7 Handles Malformed DHCPv6 Packets

(LiveHacking.Com) – Barracuda Labs has discovered a vulnerability in the way the DHCPv6 components of Windows handle malformed packets.

Upon the reception of a “malformed” DHCPv6 Reply packet, the RPC server reports a critical error 0xc0000374 and then becomes unresponsive. The result is that a type of denial-of-service attack could be launched, preventing other machines from connecting to the network.

To exploit this vulnerability, an attacker would need to intercept DHCPv6 traffic and send a modified reply with a malformed Domain Search List option. On reception of this malformed packet, RPC on the remote machine would fail.

According to the advisory issued by Barracuda, the vulnerability affects at least Microsoft Windows 7 Ultimate SP1 32 bit & 64 bit, and it is very likely that other versions of Windows 7 (and maybe earlier) are affected.