
Backdoor Accounts on Barracuda Networks Appliances Vulnerable to Attack

Several networking appliances from Barracuda Networks have backdoor accounts that could be accessed remotely by attackers, according to an Austrian security firm.


The SSH backdoor is hardcoded into the operating system of several Barracuda appliances, including the flagship Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN, SEC Consult Vulnerability Lab wrote in its Jan. 24 advisory. The previously undocumented accounts are accessible remotely via SSH or on the local terminal and, if exploited, can be used to gain shell access, SEC Consult warned.

The backdoor accounts were associated with the appliance’s “backend support mechanisms,” but the company was “not aware of any actual examples of our customer support tools being used for malicious purposes,” Barracuda Networks told SecurityWeek in a statement.

Barracuda’s network firewalls—Barracuda NG Firewall and Barracuda Firewall—and Barracuda Backup were not affected, Barracuda Networks said in its own technical advisory issued Jan. 23.

“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses,” Barracuda said in the advisory.

The appliances listen for SSH connections to the backdoor accounts and accept them only from a whitelist of specific IP address ranges. The connecting machine must have an address drawn from two large public IP address ranges (205.158.110.0/24 and 216.129.105.0/24) or from two private IP address ranges (192.168.10.0/24 and 192.168.200.0/24), according to SEC Consult’s advisory.

“The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities—all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet,” SEC Consult said.

The researchers identified eight different backdoor accounts, and cracked passwords in a short period of time for five of them with a small wordlist. The username “product” doesn’t even require a password, and gives the user access to the MySQL database on the appliance, SEC Consult said. On the database, the user would be able to create new users with administrative privileges to access the appliance’s configuration settings.
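The two details above, the source-address whitelist and the passwordless “product” account, are what a defender would want to look for in SSH authentication logs forwarded from an affected appliance. The following is an added detection example, not code from the advisory or from either vendor; it assumes OpenSSH-style “Accepted … for … from …” syslog lines, and the sample lines are constructed here.

```python
import ipaddress
import re

# Source ranges from which the appliances accept SSH logins to the backdoor
# accounts, as listed in the SEC Consult advisory quoted in the article.
ALLOWLISTED_RANGES = [
    ipaddress.ip_network(r)
    for r in ("205.158.110.0/24", "216.129.105.0/24",
              "192.168.10.0/24", "192.168.200.0/24")
]

# The one account name the advisory reports as requiring no password.
PASSWORDLESS_ACCOUNT = "product"

# Assumption: logs follow the OpenSSH syslog format for successful logins.
_ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def classify_login(line):
    """Return a reason string when an accepted login matches the advisory, else None."""
    m = _ACCEPTED.search(line)
    if not m:
        return None  # failed attempts and unrelated lines are ignored here
    user = m.group("user")
    ip = ipaddress.ip_address(m.group("ip"))
    reasons = []
    if user == PASSWORDLESS_ACCOUNT:
        reasons.append("passwordless backdoor account")
    if any(ip in net for net in ALLOWLISTED_RANGES):
        reasons.append("source in advisory allowlist")
    return "; ".join(reasons) or None


def scan(lines):
    """Return (line, reason) pairs for every login that deserves a look."""
    hits = []
    for line in lines:
        reason = classify_login(line)
        if reason:
            hits.append((line, reason))
    return hits


# Constructed sample log lines (hostnames, PIDs and ports are made up).
SAMPLE_LOG = [
    "Jan 24 10:01:02 bwf sshd[4101]: Accepted password for admin from 10.0.0.5 port 51000 ssh2",
    "Jan 24 10:02:17 bwf sshd[4110]: Accepted none for product from 205.158.110.77 port 51001 ssh2",
    "Jan 24 10:03:44 bwf sshd[4115]: Accepted password for ops from 216.129.105.9 port 51002 ssh2",
    "Jan 24 10:04:05 bwf sshd[4120]: Failed password for product from 205.158.110.77 port 51003 ssh2",
]
```

Because the public ranges are whole /24 blocks, any host inside them matches, which is exactly why a hit on the allowlist alone is worth reviewing even when the user name looks ordinary.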


While SEC Consult noted a “hidden” dialog to disable the accounts, Barracuda said customers who want to fully disable the accounts can contact the support department.

Customers who had followed best practices and deployed the affected appliances behind a network firewall—a Barracuda firewall or one from another vendor—would not be impacted by this issue, Barracuda said in its statement.

“All Barracuda Networks appliances with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are potentially affected. Customers are advised to update their Security Definitions to v2.0.5 immediately,” Barracuda said in its tech alert.

SEC Consult released a second advisory for a flaw in Barracuda SSL VPN where an unauthenticated user could download configuration files and database dumps from the appliance. The issue can be “used to bypass access restrictions in order to get access to the ‘API’ functionality. This enables an unauthenticated attacker to download configuration files and database dumps. Furthermore the system can be shutdown and new admin passwords can be set using this functionality without prior authentication!” SEC Consult’s Stefan Viehböck wrote in the advisory.

The same security update “Security Definition 2.0.5” fixing the other backdoor accounts issue addresses this flaw as well.

“For maximum protection, Barracuda Networks recommends that all customers ensure that their security definitions are set to On and to upgrade to the latest generally available release of the firmware and security definitions,” Barracuda said in its own second advisory.
