Researcher says backdoors remain open in many Barracuda boxes
Given the hysteria in the US over unproven backdoors in gear from Chinese vendors like Huawei, it may come as a shock that one of its own purposefully places them in network security boxes.
Stefan Viehböck of SEC Consult Vulnerability Lab found backdoors in almost all Barracuda appliances, reporting them to the vendor back in November. According to Viehböck, the boxes were preconfigured to accept secure shell (SSH) connections to a set of pre-defined user accounts, provided the connections originated from a list of IP ranges.
There were two security problems with this. First, the passwords needed to access those user accounts were not difficult to find or crack, Viehböck said. He claimed to have cracked a number of passwords relating to backdoor accounts called “product”, “support”, “ca” and “websupport”. For the “product” account, he was able to get a shell to run on the appliance and could access the MySQL database to add new users with administrative privileges to the appliance configuration.
Barracuda had created those accounts to update products or provide support. But the researcher found a further problem. The appliance's network filtering permitted SSH access to those accounts only from whitelisted IP ranges, both public and private, and the whitelist was the only thing standing between the accounts and the outside world.
That would be acceptable if only Barracuda occupied the public ranges. But here’s where things get sticky: “Public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities – all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet.” That means anyone in those public IP ranges could have been spying on users of Barracuda gear, which include major corporations and government entities.
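The two weaknesses described above (password-authenticated support accounts, and an SSH allowlist that includes address blocks the vendor does not own outright) are exactly what an appliance owner would want to audit. The following script is an added example for this article, not code from the article, from SEC Consult or from Barracuda; the rule and account tables are constructed placeholders, and the "vendor-owned" block is an assumption (a real audit would substitute the vendor's published ranges and the appliance's actual firewall rules and account list).

```python
import ipaddress

# Constructed sample data: none of these addresses or rules come from the article.
# Assumed vendor-owned block (TEST-NET-3 documentation range used as a placeholder).
VENDOR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private space, used to flag accounts reachable from the local network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall rules as (source CIDR, destination port, action).
SAMPLE_RULES = [
    ("203.0.113.0/24", 22, "ACCEPT"),   # wholly inside the vendor block: acceptable
    ("198.51.100.0/22", 22, "ACCEPT"),  # wider than anything the vendor owns: shared with strangers
    ("10.0.0.0/8", 22, "ACCEPT"),       # private range: every LAN host can reach the support accounts
    ("0.0.0.0/0", 443, "ACCEPT"),       # not SSH, ignored by the audit
]

# Constructed account list as (username, set of permitted authentication methods).
SAMPLE_ACCOUNTS = [
    ("product", {"password"}),
    ("support", {"password", "publickey"}),
    ("remote", {"publickey"}),
    ("root", {"password"}),
]


def exposed_ssh_sources(rules, vendor_ranges, ssh_port=22):
    """Return source networks allowed to reach SSH that are not wholly vendor-owned.

    A range is considered safe only if it is a subnet of one vendor-owned block;
    a range that merely overlaps the vendor's space still admits third parties.
    """
    exposed = []
    for src, port, action in rules:
        if port != ssh_port or action != "ACCEPT":
            continue
        net = ipaddress.ip_network(src)
        if not any(net.subnet_of(v) for v in vendor_ranges):
            exposed.append(net)
    return exposed


def password_accounts(accounts):
    """Return usernames that still accept password authentication over SSH."""
    return [name for name, methods in accounts if "password" in methods]


def audit(rules, accounts, vendor_ranges):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for net in exposed_ssh_sources(rules, vendor_ranges):
        scope = "local network" if any(net.subnet_of(p) for p in RFC1918) else "third parties"
        findings.append(f"SSH reachable from {net}: not vendor-owned, open to {scope}")
    for name in password_accounts(accounts):
        findings.append(f"account '{name}' accepts password login: crackable if the password is weak")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RULES, SAMPLE_ACCOUNTS, VENDOR_RANGES):
        print(line)
```

The point of the containment test is that allowlisting an address block only helps when the whole block belongs to the party you intend to admit; a wider block, or any private range, reopens the accounts to everyone sharing it, which is the situation the researcher describes. Moving an account to public-key authentication removes it from the second list but does nothing about the first.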
Affected products include Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer and Barracuda SSL VPN.
“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses,” Barracuda noted in its advisory, rating the threat as only “medium” severity.
“The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit.”
Although Barracuda issued a patch that moved the backdoor accounts to logins protected with public key infrastructure, Viehböck claimed the “root” account could still have its password cracked, as it had not been given the additional protection.
“This still leaves considerable risks to appliances as the password for the ‘root’ user might be crackable and the relevant private keys for the ‘remote’ user might be stolen from Barracuda Networks,” Viehböck added.
“In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them.”
Viehböck found another flaw, which he said could allow an attacker to disable security on Barracuda’s SSL VPN product. “By setting of Java System Properties an unauthenticated attacker can disable various security mechanisms and thus gain access to an internal API. Among other functions, an attacker can set passwords for admin accounts,” he wrote.
Barracuda, which recently saw its founder and CEO Dean Drako depart, has issued a fix for that problem too.
UPDATE: Barracuda Networks’ vice president for product management Steve Pao sent across the following statement: “The specific discovery was related to access from the default, limited set of IP addresses used by the system to initiate remote support tunnels to Barracuda Technical Support. We have released a security definition to existing Barracuda Networks appliances that minimizes potential attack vectors. Individual customers should contact Barracuda Networks Technical Support if they need more information. As we do with all issues reported through our ‘Bug Bounty’ program, we have acknowledged the SEC Consulting’s reporting of the issues in both the release notes with our security definition and on the Tech Alerts section of our website.”