December 21, 2014

SSH backdoor found in Barracuda Networks products

(LiveHacking.Com) – Several products from Barracuda Networks, including its Spam and Virus Firewall, have secret backdoors which, under the right circumstances, can give hackers administrative access to the devices.

The revelation comes from Austrian security company SEC Consult Vulnerability Lab, which reports that the undocumented accounts cannot be disabled and can be used to gain remote access to the appliance via SSH.

The following products are affected: Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer, Barracuda SSL VPN, CudaTel. The Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are not affected.

In an attempt to limit access to the backdoor, Barracuda added network rules which only allow access to SSH from certain IP addresses. Internal connections from 192.168.200.0/24 and 192.168.10.0/24 are allowed, while public access is granted from public IP addresses in the 205.158.110.0/24 and 216.129.105.0/24 ranges. The problem is that only some of those addresses are owned and controlled by Barracuda; the others are not.
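A detection sketch for the allowlist described above, added here as an example (it is not code from SEC Consult or Barracuda): it scans SSH authentication log lines for events whose source address falls in one of the four ranges named in the article. The OpenSSH-style log format, the sample lines, the user names and the severity labels are assumptions made for illustration.

```python
import ipaddress
import re

# Ranges the article says the appliance's default rules allow to reach SSH.
ALLOWED = [
    (ipaddress.ip_network("192.168.200.0/24"), "internal"),
    (ipaddress.ip_network("192.168.10.0/24"), "internal"),
    (ipaddress.ip_network("205.158.110.0/24"), "public"),
    (ipaddress.ip_network("216.129.105.0/24"), "public"),
]

# OpenSSH-style auth line (assumed log format, e.g. from a syslog collector).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def classify(ip_text):
    """Return (range, kind) for the allowlisted range holding ip_text, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, kind in ALLOWED:
        if ip in net:
            return str(net), kind
    return None

def review_queue(lines):
    """Return SSH auth events sourced from any allowlisted range."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        hit = classify(m["ip"]) if m else None
        if hit is None:
            continue
        # Successful login from a public range ranks highest: the article
        # notes that not all of those addresses are controlled by Barracuda.
        high = hit[1] == "public" and m["result"] == "Accepted"
        findings.append({"user": m["user"], "ip": m["ip"], "range": hit[0],
                         "kind": hit[1], "result": m["result"],
                         "severity": "high" if high else "review"})
    return findings

# Constructed sample log lines; user names are placeholders, not real accounts.
SAMPLE = [
    "Jan  1 10:01:02 appliance sshd[411]: Accepted password for exampleuser from 205.158.110.77 port 51234 ssh2",
    "Jan  1 10:02:10 appliance sshd[412]: Failed password for invalid user test from 216.129.105.9 port 40000 ssh2",
    "Jan  1 10:03:00 appliance sshd[413]: Accepted publickey for admin from 192.168.200.15 port 50022 ssh2",
    "Jan  1 10:04:00 appliance sshd[414]: Failed password for root from 203.0.113.5 port 40100 ssh2",
]
```

Calling `review_queue(SAMPLE)` returns three findings; the event from 203.0.113.5 is ignored because that address is outside every range the default rules admit.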

Barracuda were informed of the vulnerabilities at the end of November. Stefan Viehböck of SEC Consult Vulnerability Lab reported two issues affecting Barracuda devices that “an attacker could use to gain unauthorized access to the appliance.”

“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit,” said Barracuda in an advisory.

Barracuda vice president for product management Steve Pao spoke to The Register and said that the accounts are used for support purposes but admitted that the setup is flawed. Barracuda will also pay an “unspecified bounty” for finding the flaw.

Barracuda recommends that its customers update the Security Definitions on their devices to v2.0.5 immediately. It added that “while this update drastically minimizes potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired.”

The Fedora Project Asks Users to Change Their Passwords to Preempt Hacking Attempts

(LiveHacking.Com) – A large number of high-profile open source sites have suffered security breaches in recent months (including The Linux Foundation and kernel.org). The latest of these happened just a few days ago, when hackers used phpMyAdmin to access the WineHQ project’s database and steal users’ appdb and bugzilla access credentials.

In a preemptive move, the Fedora Project is asking all existing users of the Fedora Account System (FAS) to change their password and upload a NEW ssh public key before 2011-11-30.

The project is also using the opportunity to enforce some new rules that make passwords harder to guess:

  • Nine or more characters with lower and upper case letters, digits and punctuation marks.
  • Ten or more characters with lower and upper case letters and digits.
  • Twelve or more characters with lower case letters and digits.
  • Twenty or more characters with all lower case letters.

Finally the project administrators are warning that any user who fails to update their password may have their account marked as inactive.