Products from Barracuda Networks contain backdoor and authentication flaws

News by Dan Raywood

Some products in the Barracuda Networks portfolio contain a backdoor that could enable outsiders to remotely access accounts and steal information.

'Undocumented operating system user accounts', or backdoors, can be accessed via Secure Shell (SSH), a protocol that permits encrypted remote login and communication. The IP addresses that can access these appliances are meant to be limited to Barracuda Networks, but that's not the case, according to researchers.

Austrian researchers SEC Consult said in an advisory that several undocumented operating system user accounts exist on the appliance and that these can be used to gain terminal access to the appliance via SSH.

It said: “The backdoor accounts can be used to gain shell access. This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog.”

Barracuda Networks confirmed that all versions of all of its appliances (with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall) were affected by this vulnerability.

Acknowledging the flaw, Barracuda Networks said that its research has confirmed that an attacker with specific internal knowledge of its appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses.

“The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit. While this update drastically minimises potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired,” it said.

SEC Consult also warned of an authentication bypass flaw in the Barracuda SSL VPN that would allow unauthenticated setting of Java system properties. It said that unauthenticated users can set an arbitrary Java system property to an arbitrary value. “Among other attacks (for example denial-of-service), this allows an attacker to break the application's security mechanisms,” it said.

It also said that this vulnerability can be used to bypass access restrictions in order to get access to the API functionality. Barracuda Networks acknowledged this flaw and issued a software patch for affected firmware versions and below to prevent access to any potentially insecure files.
