Home page logo

dataloss logo Data Loss mailing list archives

Backdoor accounts found in networking and security appliances from Barracuda Networks
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Sun, 27 Jan 2013 17:38:36 -0500


IDG News Service - A variety of networking and security appliances
from Barracuda Networks contain backdoor accounts that could allow
attackers to log in remotely over SSH (Secure Shell) and gain
administrative, or root, access on the devices.

The backdoor accounts were discovered by security researchers from
Austria-based security firm SEC Consult. These accounts are not
documented, they cannot be removed and can be accessed over SSH, they
said in a security advisory published Thursday.

Furthermore, the appliances are configured by default to accept SSH
connections from certain ranges of public IP addresses. Some servers
located in those IP ranges are owned by Barracuda Networks, but others
are owned by third-party organizations and individuals.

An attacker who compromises any server from the whitelisted IP ranges
can gain administrative rights on Barracuda Networks appliances
connected to the Internet by using the backdoor accounts, the SEC
Consult researchers warned.

For example, one particular backdoor account called "product" can be
used to log into a Barracuda appliance, access its MySQL database
without a password and add new administrative users to the device's
configuration, the researchers said. On the Barracuda SSL VPN
appliance it was also possible to enable diagnostic or debugging
functionality which could be used to gain root access, they said.

Barracuda Networks acknowledged the problem on Wednesday and advised
customers to update the Security Definitions on their devices to
version 2.0.5 immediately.

"Our research has confirmed that an attacker with specific internal
knowledge of the Barracuda appliances may be able to remotely log into
a non-privileged account on the appliance from a small set of IP
addresses," the company said in an advisory on its website.

According to the company, all appliances with the exception of the
Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall
are potentially affected. This includes: Barracuda Spam and Virus
Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda
Web Application Firewall, Barracuda Link Balancer, Barracuda Load
Balancer, Barracuda SSL VPN.

The company noted that the security definitions update "drastically
minimizes potential attack vectors," but advised customers who want to
disable the remote support access functionality completely to contact
its technical support department.
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list


Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.

  By Date           By Thread  

Current thread:
  • Backdoor accounts found in networking and security appliances from Barracuda Networks Erica Absetz (Jan 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]