
Bugs Found In Baked-In Barracuda Backdoors

Barracuda releases update; special support 'tunnels' for customers contained flaws that could open the door to attackers

An Austrian researcher discovered flaws in deliberate backdoors built into Barracuda Networks' Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN products. The security vendor today patched the bugs, but left it up to its customers whether to disable the conduit to their devices.

Steve Powell, vice president of product management at Barracuda, says the special "tunnel" option in the products is for back-end support with the vendor.

"When customers request access to the system, they use the Remote Support Tunnel capability. They call us up, and we can bring up their screens ... with them," Powell says. "They open a remote support capability to do that."

But Sec Consult found the backdoors, vulnerabilities in them, and authentication bypass flaws in Barracuda's products.

Johannes Greil, a security consultant with Sec Consult, says his firm previously found a similar backdoor in Symantec's Mail Gateway, so this isn't the first time a security vendor has baked in such a feature for support purposes.

Barracuda's security update fixes the authentication bypass bug in its SSL VPN, but does not fix the "allowed IP address" range that can use the backdoor feature. "The vulnerability regarding the allowed IP address network ranges is not handled by this patch. This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks," Sec Consult's Greil says.

The update does fix the flaws in the backdoors. It also limits logins from specific users: cluster (login with public/private key); remote (login with public/private key); and root (login with password), he says, noting that the root password hash could be crackable depending on how strong the password is.

But Barracuda's Powell says the potential risk is relatively narrow. Users running their products behind network firewalls would not be affected, he says, and customers who had disabled remote support were immune. The risk of attack exploiting the vulnerabilities was "pretty limited" for those reasons, he says.

An attacker could abuse this "nondocumented backdoor" via SSH or local console access to log into the devices, notes Johannes Ullrich of SANS Internet Storm Center.

"Sec Consult was able to crack some of the passwords for these accounts using the shadow file. The accounts do also have authorized ssh keys defined, but of course, it would be pretty hard to find the associated private key," he wrote today. "Default iptables firewall rules block access to port 22 from public IP addresses. But it appears that certain local networks are free to connect to port 22."
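An added example (not from the article, Sec Consult, or Barracuda): a Python check that lists which source networks a rule set in `iptables -S` format lets reach TCP port 22, the exposure Ullrich describes. The sample rules and their ranges are constructed, and only plain `-s` / `--dport` rules are handled.

```python
import ipaddress
import shlex

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in `iptables -S` format. The ranges are illustrative
# (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in
# for public networks); they are not taken from any Barracuda appliance.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -s 192.168.200.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

def _opt(tok, flag, default=None):
    """Value following `flag` in a tokenised rule, or `default`."""
    return tok[tok.index(flag) + 1] if flag in tok else default

def ssh_allowed_sources(rules_text, port=22):
    """Source networks accepted on INPUT tcp/`port`, in first-match order."""
    allowed = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if (tok[:2] != ["-A", "INPUT"] or _opt(tok, "-p") != "tcp"
                or _opt(tok, "--dport") != str(port)):
            continue  # multiport and port-less rules are out of scope here
        if "!" in tok:
            raise ValueError("negated match, review by hand: " + line)
        src = ipaddress.ip_network(_opt(tok, "-s", "0.0.0.0/0"), strict=False)
        target = _opt(tok, "-j")
        if target == "ACCEPT":
            allowed.append(src)
        if src.prefixlen == 0 and target in ("ACCEPT", "DROP", "REJECT"):
            break  # catch-all rule: later rules for this port never match
    return allowed

def audit(rules_text):
    """Split the allowed sources into RFC 1918 ranges and everything else."""
    report = {"private": [], "non_private": []}
    for net in ssh_allowed_sources(rules_text):
        key = "private" if any(net.subnet_of(r) for r in RFC1918) else "non_private"
        report[key].append(str(net))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Any entry under `non_private` is a range from outside the local network that can still attempt a login to the support accounts, whatever the default block on public addresses suggests.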


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

2/4/2013 | 3:56:16 AM
re: Bugs Found In Baked-In Barracuda Backdoors
"Steve Powell, vice president of product management at Barracuda, says the special "tunnel" option in the products is for back-end support with the vendor."

Nice... Ran into this problem with Barracuda for one of my clients. Their "back-end support" was being outsourced outside the country. Not sure about everyone else, but opening the door for back-end support should not be cost efficient for Barracuda at the customer's expense. When I questioned corporate, I got the run-around for 3 weeks, then my client was promised in-house training, which they never received. Barracuda... selling fallacy.