Barracuda Networks has released a firmware update for its Barracuda Web Filter solution to address a couple of SSL inspection flaws reported by Will Dormann, vulnerability analyst at the Carnegie Mellon University CERT Coordination Center.
In a blog post published in mid-March, Dormann revealed several common mistakes made by the developers of software that performs SSL inspection. One of the possibly affected products mentioned by the expert at the time was Barracuda Web Filter, a solution designed for content filtering, application blocking, and malware protection. The SSL inspection feature in this product enables administrators to decrypt and inspect traffic at the URL level in order to have granular control over the use of Web apps.
After Dormann published his blog post, Barracuda Networks got in touch with CERT/CC to determine which of the issues highlighted by the analyst affect its product.
One of the identified vulnerabilities is related to the incomplete validation of upstream certificate validity when SSL inspection is performed (CVE-2015-0961). The second security weakness is caused by the use of three default root CA certificates that are common across appliances (CVE-2015-0962).
“The impact of either CVE-2015-0961 or CVE-2015-0962 may allow an attacker to successfully achieve a man-in-the-middle (MITM) attack without the client knowing it,” CERT/CC said in an advisory.
The vulnerabilities affect Barracuda Web Filter running versions of the firmware 7.0 through 8.1.0.003. Barracuda Networks addressed the flaws with the release of version 8.1.0.005 of the firmware. The company said in a blog post that it has notified Barracuda Web Filter users regarding the existence of the vulnerabilities uncovered during the audit.
Barracuda Web Filter customers who use or have used in the past the SSL inspection feature are advised to update the firmware as soon as possible. Those using the feature might have to deploy new certificates to clients. An online tool that allows organizations to check if their web clients are impacted has been released.
SSL/TLS-related security issues have been in the spotlight recently due to incidents such as FREAK and other vulnerabilities, and the Superfish and PrivDog controversy. A researcher reported over the weekend that even some antivirus products weaken HTTPS security.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
