Steve Powell, vice president of product management at Barracuda, says the special "tunnel" option in the products is for back-end support with the vendor.
"When customers request access to the system, they use the Remote Support Tunnel capability. They call us up, and we can bring up their screens ... with them," Powell says. "They open a remote support capability to do that."
But Sec Consult found the backdoors and vulnerabilities in them as well as authentication bypass flaws in Barracuda's products.
Johannes Greil, a security consultant with Sec Consult, says his firm previously found a similar backdoor in Symantec's Mail Gateway, so this isn't the first time a security vendor has baked in such a feature for support purposes.
Barracuda's security update fixes the authentication bypass bug in its SSL VPN, but does not fix the "allowed IP address" range that can use the backdoor feature. "The vulnerability regarding the allowed IP address network ranges is not handled by this patch. This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks," Sec Consult's Greil says.
The update does fix the flaws in the backdoors. It also limits logins to specific users: cluster (login with public/private key); remote (login with public/private key); and root (login with password), he says, noting that the root password hash could be crackable depending on how strong the password is.
But Barracuda's Powell says the potential risk is relatively narrow. Users running their products behind network firewalls would not be affected, he says, and customers who had disabled remote support were immune. The risk of attack exploiting the vulnerabilities was "pretty limited" for those reasons, he says.
An attacker could abuse this "nondocumented backdoor" via SSH or local console access to log into the devices, notes Johannes Ullrich of SANS Internet Storm Center.
"Sec Consult was able to crack some of the passwords for these accounts using the shadow file. The accounts do also have authorized ssh keys defined, but of course, it would be pretty hard to find the associated private key," he wrote today. "Default iptables firewall rules block access to port 22 from public IP addresses. But it appears that certain local networks are free to connect to port 22."
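As an added illustration (not code from the article, Sec Consult, or Barracuda), a defender-side log check for the support accounts the article names: it parses OpenSSH-style "Accepted" lines (the appliance's real log format is an assumption) and flags logins to those accounts from outside an administrator-approved source range, or root logins by password rather than key.

```python
import ipaddress
import re
from typing import Dict, List

# Accounts the article names as the built-in support logins.
SUPPORT_ACCOUNTS = {"cluster", "remote", "root"}

# Source ranges approved for remote support. Placeholder value; substitute
# the ranges actually agreed with the vendor for your deployment.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Standard OpenSSH sshd "Accepted <method> for <user> from <ip> port <n>" line.
# The appliance's exact logging format is an assumption.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def review_ssh_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per accepted support-account login that needs review.

    'unexpected_source': login came from outside ALLOWED_SOURCES.
    'password_login': account authenticated with a password rather than a key
    (the article notes the root password hash may be crackable).
    """
    findings = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if not m or m["user"] not in SUPPORT_ACCOUNTS:
            continue  # not an accepted login, or not a support account
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if not any(src in net for net in ALLOWED_SOURCES):
            reasons.append("unexpected_source")
        if m["method"] == "password":
            reasons.append("password_login")
        if reasons:
            findings.append({"user": m["user"], "src": m["src"],
                             "method": m["method"], "reason": ",".join(reasons)})
    return findings

# Constructed sample lines for demonstration, not real appliance output.
SAMPLE_LOG = [
    "Jan 24 10:01:02 bsf sshd[2101]: Accepted publickey for remote from 10.20.0.7 port 51022 ssh2",
    "Jan 24 10:05:44 bsf sshd[2188]: Accepted publickey for cluster from 192.168.1.50 port 40211 ssh2",
    "Jan 24 10:09:13 bsf sshd[2240]: Accepted password for root from 10.20.0.9 port 38822 ssh2",
    "Jan 24 10:12:00 bsf sshd[2301]: Accepted publickey for admin from 192.168.1.60 port 47100 ssh2",
]

if __name__ == "__main__":
    for finding in review_ssh_logins(SAMPLE_LOG):
        print(finding)
```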