Backdoor Vulnerabilities Open Barracuda Appliances To Attack


Barracuda Networks is attempting to close a support mechanism built into the default configurations of nearly all of its products following a warning from a security firm about weaknesses that can be used by an attacker to remotely access the appliances.

The backdoors were coded into the software configuration of Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer, Barracuda SSL VPN and its CudaTel phone provisioning appliance. The company issued an alert this week warning that an attacker can gain access to the appliances and has issued Security Definition 2.0.5, which protects the backdoor administrative accounts with passwords.

[Related: 9 Unified Threat Management Security Appliances To Watch In 2013
]

"Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses," Barracuda said. "The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit."

SEC Consult Vulnerability Lab, based in Vienna, Austria, issued a critical security advisory about the backdoors. The security firm discovered several undocumented user accounts on the appliances that can be used to remotely access them and gain shell access. Once access is gained an attacker can add new users with administrative privileges, change the appliance's configuration and could essentially disable it.

"In secure environments it is highly undesirable to use appliances with backdoors built into them, even if only the manufacturer can access them," wrote Stefan Viehbock, a security researcher at SEC Consult Vulnerability Lab, in the firm's advisory.

Campbell, Calif.-based Barracuda attempted to protect the appliances by whitelisting the IP ranges to servers run by the appliance maker but, according to SEC Consult, "the public ranges include servers from other, unaffiliated entities -- all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet."

Barracuda said the backdoors are an essential support mechanism and the security update "drastically minimizes potential attack vectors." The company said the backdoors do not impact its Backup Server, Barracuda Firewall and Barracuda NG Firewall appliances.

PUBLISHED JAN. 25, 2013