Virtual private network

Backdoors Found in Barracuda Networks Gear

February 9th, 2013

A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. basedBarracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners.

Barracuda’s hardware devices are broadly deployed in corporate environments, including the Barracuda Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN. Stefan Viehböck, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab.,discovered in November 2012 that these devices all included undocumented operating system accounts that could be used to access the appliances remotely over the Internet via secure shell (SSH).

Viehböck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.

Viehböck said he soon found that these devices all were configured out-of-the-box to listen for incoming SSH connections on those undocumented accounts, but that the devices were set to accept connection attempts only from Internet address ranges occupied by Barracuda Networks. Unfortunately, Barracuda is not the only occupant of these ranges. Indeed, acursory lookup of the address ranges at network mapping site Robtex.com shows there are potentially hundreds of other companies running Web sites and other online operations in the same space.

Barracuda Networks has not yet responded to requests for comment. However, this morning the company released a series of advisories acknowledging these and other vulnerabilities, flagging the backdoor flaws as “medium” threats. The company’s fix includes restricting remote SSH configuration to two accounts — and requiring those accounts to use a public/private encryption key pair. But according to SEC Consult, Barracuda’s fix still allows remote SSH logins via the “root” account without requiring an encryption key exchange, and the fix does nothing to further restrict the range of Internet addresses that can be used to access the backdoor accounts. SEC Consult said Barracuda replied that the remaining accounts were vital for customer support.

“In secure environments it is highly undesirable to use appliances with backdoors built into them,” Viehböck wrote in SEC Consult’s advisory. ”Even if only the manufacturer can access them.”

Barracuda also released updates to fix a serious vulnerability in the company’s SSL VPN product that SEC Consult found could let an unauthenticated attacker to download configuration files and database dumps, and allow the system to be shutdown and new administrative passwords set without prior authentication.

It’s not clear for how long the backdoor accounts have existed in Barracuda’s products, but the researchers found evidence that they have been in place since at least 2003. Also, this threadon the security mailing list Full Disclosure  includes some interesting discussion about how these backdoor accounts may have been used.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta