Backdoors in many Barracuda appliances
Almost all appliances from Barracuda Networks were delivered with a fixed, preset user account through which, using SSH, you can remotely access the device. The hole is being warned of in an advisory from Austria's CERT.
Security researcher S. Viehboeck from SEC Consult Vulnerability Lab discovered that the /etc/shadow and /etc/password files on the appliances had user accounts with names such as product, support and websupport. These accounts were protected with weak passwords and the researcher says he produced a usable list of passwords in a short time. It is not possible to delete these accounts easily as they appear to be used for remote maintenance.
Viehboeck also found that the network filtering iptables configured on the appliance are overly lax. Normally all requests from outside would be blocked. But it appears that there is one exception: requests from 184.108.40.206/24 and 220.127.116.11/24 are allowed through to give the manufacturer access to the device if necessary.
The problem is though, that Barracuda is not the exclusive owner of these ranges and they also contain numerous other systems belonging to unrelated companies. Therefore an attacker who can manage to compromise a system using an address in the ranges could then use that system to get access, via SSH, to any Barracuda device.
According to Viehboeck, the following appliances are affected:
- Barracuda Spam and Virus Firewall
- Barracuda Web Filter
- Barracuda Message Archiver
- Barracuda Web Application Firewall
- Barracuda Link Balancer
- Barracuda Load Balancer
- Barracuda SSL VPN
Also affected are the virtual Vx versions of the listed appliances.
Barracuda has released a security update as "Security Definitions 2.0.5". The update changes the sshd configuration to only allow cluster, remote and root to log into the system, with the first two accounts using public/private keys and the latter using a password. Barracuda says that the accounts are "essential for customer support" and will not be removed. The filters on the devices are not being changed in the update and Viehboeck believes the root user might still be crackable. He suggests either placing the appliances behind a firewall that blocks incoming connections to port 22 or contacting Barracuda to get expert assistance in disabling the SSH daemon.
He also found more gaps in the Barracuda SSL VPN appliance which allowed unauthenticated access to set Java system properties and other API functions such as setting the super user password. The solution to this, too, is updating to "Security Definition 2.0.5".