04:34 PM

Bugs Found In Baked-In Barracuda Backdoors

Barracuda releases update, special support 'tunnels' for customers contained flaws that could open the door to attackers

An Austrian researcher discovered flaws in deliberate backdoors built into Barracuda Networks' Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN products. The security vendor patched the bugs today but left it to customers to decide whether to disable the support conduit into their devices.

Steve Powell, vice president of product management at Barracuda, says the special "tunnel" option in the products is for back-end support with the vendor.

"When customers request access to the system, they use the Remote Support Tunnel capability. They call us up, and we can bring up their screens ... with them," Powell says. "They open a remote support capability to do that."

But Sec Consult found the backdoor accounts, vulnerabilities in how they are implemented, and authentication bypass flaws in Barracuda's products.

Johannes Greil, a security consultant with Sec Consult, says his firm previously found a similar backdoor in Symantec's Mail Gateway, so this isn't the first time a security vendor has baked in such a feature for support purposes.

Barracuda's security update fixes the authentication bypass bug in its SSL VPN, but does not fix the "allowed IP address" range that can use the backdoor feature. "The vulnerability regarding the allowed IP address network ranges is not handled by this patch. This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks," Sec Consult's Greil says.

The update does fix the flaws in the backdoors. It also limits logins to three specific accounts: cluster (login with public/private key), remote (login with public/private key), and root (login with password), he says, noting that the root password hash could be crackable depending on how strong the password is.

But Barracuda's Powell says the potential risk is relatively narrow. Users running their products behind network firewalls would not be affected, he says, and customers who had disabled remote support were immune. The risk of attack exploiting the vulnerabilities was "pretty limited" for those reasons, he says.

An attacker could abuse this "nondocumented backdoor" via SSH or local console access to log into the devices, notes Johannes Ullrich of SANS Internet Storm Center.

"Sec Consult was able to crack some of the passwords for these accounts using the shadow file. The accounts do also have authorized ssh keys defined, but of course, it would be pretty hard to find the associated private key," he wrote today. "Default iptables firewall rules block access to port 22 from public IP addresses. But it appears that certain local networks are free to connect to port 22."
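The combination Ullrich describes is straightforward to check for on an appliance image: accounts with an interactive shell that have either a usable password hash in the shadow file or an authorized_keys file, together with iptables rules that accept tcp/22 from anything other than the loopback interface. The audit script below is an added example, not code from Barracuda, Sec Consult or SANS. Its passwd, shadow, authorized_keys and iptables-save contents are constructed samples; the account names mirror the ones named in the article, and the 192.0.2.0/24 and 198.51.100.0/24 source ranges are placeholders, not the ranges actually permitted on the appliances.

```python
"""Audit a Linux appliance for SSH-reachable support accounts.

Checks two things: (1) which accounts can actually log in over SSH, by
password hash or by authorized key, and (2) which source networks the
iptables INPUT chain accepts to tcp/22. All sample data is constructed.
"""
import ipaddress

# Constructed sample files (not from any real appliance).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
remote:x:1001:1001:remote support:/home/remote:/bin/bash
cluster:x:1002:1002:cluster:/home/cluster:/bin/bash
www:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$PlaceholderHashNotARealCryptValue:15700:0:99999:7:::
daemon:*:15700:0:99999:7:::
remote:!!:15700:0:99999:7:::
cluster:!!:15700:0:99999:7:::
www:*:15700:0:99999:7:::
"""
# user -> contents of ~user/.ssh/authorized_keys (constructed, truncated keys)
AUTHORIZED_KEYS = {
    "remote": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... support@vendor\n",
    "cluster": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... cluster@vendor\n",
}
# Weak ruleset: tcp/22 dropped from the Internet but open to two ranges
# (placeholder networks, assumed for the example).
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
"""
# Corrected ruleset: no remote source may reach tcp/22 at all.
HARDENED_IPTABLES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
COMMIT
"""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/ksh"}


def parse_colon_file(text, value_index):
    """Return {name: field[value_index]} for a passwd/shadow style file."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            out[fields[0]] = fields[value_index]
    return out


def password_state(hash_field):
    """Classify a shadow hash field: 'locked', 'empty' (no password) or 'hash'."""
    if hash_field == "":
        return "empty"
    if hash_field[0] in "!*":
        return "locked"
    return "hash"


def ssh_login_accounts(passwd_text, shadow_text, authorized_keys):
    """Accounts with an interactive shell that can authenticate over SSH."""
    shells = parse_colon_file(passwd_text, 6)
    hashes = parse_colon_file(shadow_text, 1)
    found = []
    for user, shell in shells.items():
        if shell not in INTERACTIVE_SHELLS:
            continue
        state = password_state(hashes.get(user, "!"))
        keys = [k for k in authorized_keys.get(user, "").splitlines()
                if k.strip() and not k.startswith("#")]
        if state == "locked" and not keys:
            continue  # neither a usable password nor a key: not reachable
        found.append({"user": user, "password": state, "keys": len(keys)})
    return found


def _arg(tok, flag):
    """Value following an iptables flag in a tokenised rule, or None."""
    if flag in tok and tok.index(flag) + 1 < len(tok):
        return tok[tok.index(flag) + 1]
    return None


def ssh_allowed_sources(iptables_save_text, port=22):
    """Source networks the INPUT chain ACCEPTs to tcp/<port>, excluding
    loopback-bound rules. A rule without -s matches everything (0.0.0.0/0)."""
    allowed = []
    for line in iptables_save_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "INPUT"] or _arg(tok, "-j") != "ACCEPT":
            continue
        if _arg(tok, "--dport") != str(port) or _arg(tok, "-i") == "lo":
            continue
        src = _arg(tok, "-s") or "0.0.0.0/0"
        allowed.append(str(ipaddress.ip_network(src, strict=False)))
    return allowed


def audit(passwd_text, shadow_text, authorized_keys, iptables_save_text):
    """Human-readable findings combining both checks."""
    findings = []
    for acct in ssh_login_accounts(passwd_text, shadow_text, authorized_keys):
        how = []
        if acct["password"] != "locked":
            how.append("password" if acct["password"] == "hash" else "empty password")
        if acct["keys"]:
            how.append(f"{acct['keys']} authorized key(s)")
        findings.append(f"{acct['user']}: SSH login via {', '.join(how)}")
    sources = ssh_allowed_sources(iptables_save_text)
    if sources:
        findings.append("tcp/22 accepted from: " + ", ".join(sources))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", IPTABLES_SAVE), ("hardened", HARDENED_IPTABLES)):
        print(f"== {label} ruleset ==")
        for f in audit(PASSWD, SHADOW, AUTHORIZED_KEYS, rules):
            print(" -", f)
```

On a real box the inputs come from /etc/passwd, /etc/shadow, each account's ~/.ssh/authorized_keys and the output of iptables-save; the hardened ruleset shows the account findings remain even when port 22 is closed, which is the point Greil makes about the patch: restricting the source ranges reduces exposure, but the accounts and their credentials are still there.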


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

2/4/2013 | 3:56:16 AM
re: Bugs Found In Baked-In Barracuda Backdoors
"Steve Powell, vice president of product management at Barracuda, says the special "tunnel" option in the products is for back-end support with the vendor."

Nice... Ran into this problem with Barracuda for one of my clients. Their "back-end support" was being outsourced outside the country. Not sure about everyone else, but opening the door for back-end support should not be cost-efficient for Barracuda at the customer's expense. When I questioned corporate, I got the run-around for 3 weeks, then my client was promised in-house training, which they never received. Barracuda... selling fallacy.