angussf
Premium Member
join:2002-01-11
Tucson, AZ

angussf

Premium Member

Barracuda Networks back door found

Seen at Krebs on Security
------- Forwarded message follows -------
To: dev-null@krebsonsecurity.com
Subject: [Krebs on Security] Once Hourly Digest Email
Date: Thu, 24 Jan 2013 15:08:43 +0000

Krebs on Security has posted a new item.

Backdoors Found in Barracuda Networks Gear (Author: BrianKrebs)
»krebsonsecurity.com/2013 ··· ks-gear/

A broad variety of the latest firewall, spam filter and VPN appliances sold by
Campbell, Calif. based Barracuda Networks Inc. contain undocumented backdoor
accounts, the company disclosed today. Worse still, while the backdoor
accounts are apparently set up so that they would only be accessible from
Internet addresses assigned to Barracuda, they are in fact accessible to
potentially hundreds of other companies and network owners.

Please use the link above to continue reading this posting.

------- End of forwarded message -------

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni

MVM

Introduced as far back as 2003, apparently. Not nice.

Cudni

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay to angussf

MVM

to angussf
And what a shame. Barracuda used to be such a good product, as I recall, back in the day.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav to angussf

Premium Member

to angussf
Wow. A lot of govt entities, including health care, use their products. This is what happens when doom programmers graduate to real life projects.

angussf
Premium Member
join:2002-01-11
Tucson, AZ

angussf

Premium Member

More info here. It appears you might be able to disable this access.
Secret backdoors found in firewall, VPN gear from Barracuda Networks - Spiceworks
»community.spiceworks.com ··· networks
"This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog," the advisory states. The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username "product" with no password to login and gain access to the device's MySQL database. While the backdoors can be accessed by only a small range of IP addresses, many of them belong to entities other than Barracuda.

"The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities - all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet," the advisory explained.
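
Added example, not part of the thread or of the advisory it quotes: a log audit for the condition described above, flagging successful SSH logins to the "product" account and separating vendor addresses from other addresses that the same allowlist admits. The CIDR ranges are RFC 5737 placeholders, and the OpenSSH syslog line format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions: placeholder ranges from RFC 5737 documentation space. The thread
# does not list the real allowlisted ranges, so substitute them before use.
ALLOWLISTED = [ipaddress.ip_network("192.0.2.0/24")]   # sources the appliance admits
VENDOR_OWNED = [ipaddress.ip_network("192.0.2.0/28")]  # subset the vendor operates
WATCHED_ACCOUNTS = {"product"}  # account named in the quoted advisory

# Standard OpenSSH success line: "Accepted <method> for <user> from <ip> port <n>"
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")

# Constructed sample log lines (assumed syslog format, not taken from a device).
SAMPLE_LOG = [
    "Jan 24 10:01:02 appliance sshd[411]: Accepted none for product from 192.0.2.5 port 50122 ssh2",
    "Jan 24 10:07:40 appliance sshd[419]: Accepted none for product from 192.0.2.77 port 50311 ssh2",
    "Jan 24 10:09:13 appliance sshd[423]: Failed password for product from 203.0.113.9 port 40100 ssh2",
    "Jan 24 10:12:55 appliance sshd[430]: Accepted publickey for admin from 198.51.100.4 port 41000 ssh2",
]

def classify(ip):
    """Place a source address relative to the allowlist and the vendor's own space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparsed"  # e.g. a hostname instead of an address
    if any(addr in net for net in VENDOR_OWNED):
        return "vendor"
    if any(addr in net for net in ALLOWLISTED):
        return "allowlisted-unaffiliated"
    return "outside-allowlist"

def audit(lines):
    """Return (user, ip, auth_method, origin) for each successful watched login."""
    findings = []
    for line in lines:
        match = ACCEPTED.search(line)
        if match is None:
            continue  # failed attempts and unrelated lines are skipped
        method, user, ip = match.groups()
        if user in WATCHED_ACCOUNTS:
            findings.append((user, ip, method, classify(ip)))
    return findings

if __name__ == "__main__":
    for user, ip, method, origin in audit(SAMPLE_LOG):
        print(f"{user} login from {ip} via {method}: {origin}")
```

Any "allowlisted-unaffiliated" or "outside-allowlist" result is a login the vendor's support staff cannot account for and warrants investigation.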
angussf

angussf

Premium Member

And yet more info, including a possible fix of part of the vulnerability:
Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates - Slashdot
»hardware.slashdot.org/st ··· 1618243/
"Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admin passwords, or even shut down the device. The backdoor accounts are present in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances."
More here:
»www.barracudanetworks.co ··· lerts#41

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to angussf

Premium Member

to angussf
Also cited:
»www.h-online.com/securit ··· 947.html
Products affected:


Barracuda Spam and Virus Firewall
Barracuda Web Filter
Barracuda Message Archiver
Barracuda Web Application Firewall
Barracuda Link Balancer
Barracuda Load Balancer
Barracuda SSL VPN


Barracuda has released a security update as "Security Definitions 2.0.5".

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

Juggernaut

Premium Member

How nice of them to be so forthcoming. 'Bob' has had 10 years to have a little peek at stuff.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline

Premium Member

said by Juggernaut:

How nice of them to be so forthcoming. 'Bob' has had 10 years to have a little peek at stuff.

Not following? Meaning this stuff should have been patched eons ago?

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

Juggernaut

Premium Member

It appears that this was built-in deliberately. And, from the scope of the access, one might surmise that a triple letter agency just may have a VPN into addresses assigned to Barracuda. It would be quite convenient, wouldn't it?

I don't think that is a stretch in these days and times.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline

Premium Member

While I don't use the software, if this was a weakness meant to be exploited, I would be looking at optional software rather than Barracuda.

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

Juggernaut

Premium Member

Precisely. But, there was no choice, and no disclosure on this from the company until the sec researchers discovered this recently. Now, the company issues a 'patch'.

This stinks badly. In my mind, any trust is now long gone.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to Juggernaut

Premium Member

to Juggernaut
Also from Ars: The undocumented accounts may have been around for a decade
This is going out on Twitter, now!

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

1 recommendation

Juggernaut

Premium Member

That's what I've said earlier. There was a ten year open door on this backdoor according to previous articles. Been there since 2003.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline

Premium Member

I would walk from software that had open backdoors for three weeks, never mind years. The Ars article has been on Twitter since the article was published.

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

Juggernaut

Premium Member

As would I. But, the hole was only discovered back in November, 2012 as one of the articles states.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to angussf

Premium Member

to angussf
Hmm. I know of a certain other company that could be said to have at least one "undocumented backdoor" as well.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to angussf

Premium Member

to angussf
A few more links to throw at this one & we're done.

Barracuda’s maintenance backdoors open to more than support
• »www.cso.com.au/article/4 ··· support/
Barracuda Networks users advised to update to version 2.0.5 after backdoor disclosure
• »www.infosecurity-magazin ··· closure/
Backdoor root login found in Barracuda gear - and Barracuda is OK with this
• »www.theregister.co.uk/20 ··· ackdoor/
Backdoors Mitigated in a number of Barracuda Network Products
• »threatpost.com/en_us/blo ··· s-012413
• »hardware.slashdot.org/st ··· 1618243/

EUS
Kill cancer
Premium Member
join:2002-09-10
canada

EUS to angussf

Premium Member

to angussf
I'm a little confused here, I am under the impression that in the US, most, if not all, equipment requires backdoors for various gov't agencies.
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

And where does this impression come from?