An Austrian security firm has warned of undocumented "backdoor" root log-ins to a number of Barracuda Networks' products, which could leave networks and data centers vulnerable to unauthorized access, data theft, or network hijacking.
The original warning came from Austrian firm SEC Consult Vulnerability Lab, where the security firm warned that the "undocumented" accounts exist on a number of Barracuda products and can "not be disabled."
To make matters worse, while the backdoor log-in accounts are set up so that they are only accessible from Barracuda's internal networks, they are actually accessible to dozens if not hundreds of other companies or network owners, warned security expert and blogger Brian Krebs.
Each Barracuda device uses a firewall to block access to the SSH server, and therefore to the "undocumented" root log-in accounts, except from connections that come from an IP address belonging to Barracuda's internal network. The problem is, the company doesn't own all of the addresses in that IP range. Though the risk of an attack coming from one of the non-Barracuda-controlled addresses is limited, it's a vulnerability nonetheless.
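The weakness described above is an allowlist that exempts a whole IP range from the SSH block while only part of that range is actually owned by the vendor. The following is an added audit example (not code from the article, Barracuda, or SEC Consult) that takes a firewall's exempted ranges and the blocks an organization can prove it owns, and reports every exempted address that a third party could hold; the ranges are constructed TEST-NET documentation addresses, not real Barracuda ranges.

```python
"""Audit a source-address allowlist against the address blocks actually owned.

Added example, not from the original article. Inputs are IPv4 CIDRs; the
sample values below are constructed documentation ranges (RFC 5737)."""
import ipaddress

# Constructed sample: the range the firewall exempts from the port-22 block.
ALLOWLIST = ["192.0.2.0/24"]
# Constructed sample: the blocks the organization can document as its own.
OWNED = ["192.0.2.0/26", "192.0.2.128/26"]


def untrusted_exemptions(allowlist, owned) -> list:
    """Return the parts of `allowlist` not covered by any block in `owned`.

    Every network returned is a range that passes the firewall's
    source-address check even though someone else may control it."""
    owned_nets = [ipaddress.ip_network(o, strict=True) for o in owned]
    remaining = [ipaddress.ip_network(a, strict=True) for a in allowlist]
    for own in owned_nets:
        next_round = []
        for net in remaining:
            if own.subnet_of(net):
                # Carve the owned block out of the exempted range; keep leftovers.
                next_round.extend(net.address_exclude(own))
            elif net.subnet_of(own):
                # Exempted range is entirely owned: nothing to report.
                continue
            else:
                # Disjoint: the exempted range stays unverified.
                next_round.append(net)
        remaining = next_round
    # Merge adjacent leftovers so the report lists the minimal set of ranges.
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    gaps = untrusted_exemptions(ALLOWLIST, OWNED)
    if gaps:
        print("Exempted but not owned:")
        for net in gaps:
            print(f"  {net} ({net.num_addresses} addresses)")
    else:
        print("Every exempted address is owned.")
```

An empty result is the condition to aim for: any range listed is a firewall exception that relies on addresses outside your control.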
"The backdoor accounts...can be used to gain shell access," the firm warned in a note. "This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog."
SEC Consult warned that the affected products include Barracuda's flagship Web Filter, Message Archiver, Link Balancer, Load Balancer, Web Application Firewall, and SSL VPN. A Barracuda spokesperson noted that the Barracuda Firewall, NG Firewall, and Barracuda Backup products are not impacted by this flaw.
According to The Register, Barracuda vice president for product management Steve Pao said that the accounts are used for support purposes but admitted that the setup is flawed. Barracuda will also pay an "unspecified bounty" for finding the flaw.
A Barracuda spokesperson told ZDNet that the company is "not aware of any actual examples of our customer support tools being used for malicious purposes." They added:
In collaboration with them, we took a number of measures to mitigate those vulnerabilities for our existing customers. We pushed a security definition to all running boxes in the field and published a Tech Alert yesterday in response that mitigated the major attack vectors if someone had specific knowledge of our systems and could access specific IP ranges.
SEC Consult removed the exploit code and passwords used in the advisory, but said that the firm will issue a detailed advisory "within a month including the omitted information," giving Barracuda enough time to fix the vulnerabilities.
Barracuda confirmed the flaw in a note on its Web site today. Customers are advised to "update their Security Definitions to v2.0.5 immediately." Meanwhile, SEC Consult advised companies using Barracuda technology to place the appliances behind a firewall and block any incoming traffic--from local networks and the Internet--on port 22.
Updated at 2:30 p.m. ET: Added comment from Barracuda spokesperson.