Several networking appliances from Barracuda Networks have backdoor accounts that could be accessed remotely by attackers, according to an Austrian security firm.
The SSH backdoor is hardcoded into the operating system of the following Barracuda appliances, including the flagship Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN, SEC Consult Vulnerability Lab wrote in its Jan. 24 advisory. The previously undocumented accounts are accessible remotely via SSH or on the local terminal, and if exploited, can be used to gain shell access, SEC Consult warned.
The backdoor accounts were associated with the appliance's "backend support mechanisms," but the company was "not aware of any actual examples of our customer support tools being used for malicious purposes," Barracuda Networks told SecurityWeek in a statement.
Barracuda's network firewalls—Barracuda NG Firewall and Barracuda Firewall—and Barracuda Backup were not affected, Barracuda Networks said in its own technical advisory issued Jan. 23.
"Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses," Barracuda said in the advisory.
The appliances listen for SSH connections to the backdoor accounts and will accept connections from a whitelist of specific IP address ranges. The connecting machine must have an address drawn from two large public IP address ranges (220.127.116.11/24 and 18.104.22.168/24 ranges)or from two private IP Address ranges (192.168.10.0/24 and 192.168.200/0/24 ranges), according to SEC Consult's advisory.
"The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities—all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet," SEC Consult said.
The researchers identified eight different backdoor accounts, and cracked passwords in a short period of time for five of them with a small wordlist. The username "product" doesn't even require a password, and gives the user access to the MySQL database on the appliance, SEC Consult said. On the database, the user would be able to create new users with administrative privileges to access the appliance's configuration settings.
While SEC Consult noted a "hidden" dialog to disable the accounts, Barracuda said customers who want to fully disable the accounts can contact the support department.
Customers who had followed best practices and deployed the affected appliances behind a network firewall—Barracuda firewall or some other vendor— would not be impacted by this issue, Barracuda said in its statement.
"All Barracuda Networks appliances with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are potentially affected. Customers are advised to update their Security Definitions to v2.0.5 immediately," Barracuda said in its tech alert.
SEC Consult released a second advisory for a flaw in Barracuda SSL VPN where an unauthenticated user could download configuration files and database dumps from the appliance. The issue can be "used to bypass access restrictions in order to get access to the 'API' functionality. This enables an unauthenticated attacker to download configuration files and database dumps. Furthermore the system can be shutdown and new admin passwords can be set using this functionality without prior authentication!" SEC Consult's Stefan Viehböck wrote in the advisory.
The same security update "Security Definition 2.0.5" fixing the other backdoor accounts issue addresses this flaw as well.
"For maximum protection, Barracuda Networks recommends that all customers ensure that their security definitions are set to On and to upgrade to the latest generally available release of the firmware and security definitions," Barracuda said in its own second advisory