Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admins passwords, or even shut down the device.
The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances.
“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-priveleged account on the appliance from a small set of IP addresses. The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit,” Barracuda explained via a tech alert published on Wednesday.
They advise customers using any of the aforementioned devices to update their security definitions to v2.0.5 immediately.
Still, according to Stefan Viehbock, the SEC Consult Vulnerability Lab researcher that discovered the vulnerabilities back in December 2012, the patch hasn’t handled the one that allows both servers run by Barracuda Networks and those from other, unaffiliated entities to access SSH on all affected Barracuda Networks appliances exposed to the Internet.
If any of these servers get compromised, an attack against all affected Barracuda Networks appliances on the web is possible, so he offered a workaround for the problem in the security advisory he released about this issue.
Updating security definitions to v2.0.5 resolves also the authentication bypass vulnerability that affects the most recent version of Barracuda SSL VPN (v220.127.116.11), and which can be misused to gain unauthenticated access to the device and disable access restrictions for the “API” functionality, consequently allowing the attacker to do serious damage by downloading databases, configuration files, changing admin passwords and more.