'Backdoor' root log-ins found in Barracuda security, networking gear

Summary: A 'super-user' root-access account has been found in a number of Barracuda security and networking products, which may allow hackers to easily access company networks, albeit if their attacks are launched from a specific set of IP addresses.

TOPICS: Security, Networking

An Austrian security firm has warned of undocumented "backdoor" root log-ins to a number of Barracuda Networks' products, which could leave networks and data centers vulnerable to unauthorized access, data theft, or network hijacking.

[Image: screenshot (Credit: Barracuda Networks)]

The original warning came from Austrian firm SEC Consult Vulnerability Lab, where the security firm warned that the "undocumented" accounts exist on a number of Barracuda products and can "not be disabled."

To make matters worse, while the backdoor log-in accounts are set up so that they are only accessible from Barracuda's internal networks, they are actually accessible to dozens if not hundreds of other companies or network owners, warned security expert and blogger Brian Krebs.

Each Barracuda device uses a firewall to block access to the SSH server, and therefore to the "undocumented" root log-in accounts, except for connections that come from an IP address belonging to Barracuda's internal network. The problem is that the company doesn't own all of the addresses in that IP range. Though the risk of an attack coming from one of the non-Barracuda-controlled addresses is limited, it's a vulnerability nonetheless.

"The backdoor accounts...can be used to gain shell access," the firm warned in a note. "This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog."

SEC Consult warned that the affected software includes Barracuda's flagship Web Filter, Message Archiver, Link Balancer, Load Balancer, Web Application Firewall, and SSL VPN. A Barracuda spokesperson noted that the Barracuda Firewall and NG Firewall products and Barracuda Backup are not impacted by this flaw.

According to The Register, Barracuda vice president for product management Steve Pao said that the accounts are used for support purposes but admitted that the setup is flawed. Barracuda will also pay an "unspecified bounty" for finding the flaw.

A Barracuda spokesperson told ZDNet that the company is "not aware of any actual examples of our customer support tools being used for malicious purposes." They added:

In collaboration with them, we took a number of measures to mitigate those vulnerabilities for our existing customers. We pushed a security definition to all running boxes in the field and published a Tech Alert yesterday in response that mitigated the major attack vectors if someone had specific knowledge of our systems and could access specific IP ranges.

SEC Consult removed the exploit code and passwords used in the advisory, but said that the firm will issue a detailed advisory "within a month including the omitted information," giving Barracuda enough time to fix the vulnerabilities.

Barracuda confirmed the flaw in a note on its Web site today. Customers are advised to "update their Security Definitions to v2.0.5 immediately." Meanwhile, SEC Consult advised companies using Barracuda technology to place the appliances behind a firewall and block any incoming traffic on port 22, whether from local networks or the Internet.
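The weakness the article describes is an SSH allow rule whose source range is wider than the set of addresses the operator actually controls. As an added example (not code from the article, SEC Consult, or Barracuda), the script below parses iptables-save output, picks out every INPUT rule that ACCEPTs tcp/22, and flags any whose source network is not fully contained in an explicit allow-list. The rule set and addresses are constructed from IETF documentation ranges, not taken from any appliance.

```python
"""Audit iptables-save output for SSH (tcp/22) ACCEPT rules whose source
range is broader than an operator-maintained allow-list."""
import ipaddress
import re

# Constructed sample in iptables-save format. 192.0.2.0/24 and
# 198.51.100.0/24 stand in for a vendor "support" range; 203.0.113.7 is
# the one management host the operator vetted. None are real addresses.
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Sources the operator controls and has approved for SSH (assumed value).
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.7/32")]


def parse_ssh_accepts(rules_text):
    """Return (source_network, rule_line) for each INPUT rule accepting tcp/22.
    A rule with no -s match accepts from anywhere, so it maps to 0.0.0.0/0."""
    found = []
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        if "--dport 22 " not in line + " " or "-j ACCEPT" not in line:
            continue
        m = re.search(r"-s (\S+)", line)
        src = ipaddress.ip_network(m.group(1), strict=False) if m \
            else ipaddress.ip_network("0.0.0.0/0")
        found.append((src, line))
    return found


def audit(rules_text, trusted):
    """Flag SSH allow rules whose source is not inside a trusted network."""
    findings = []
    for src, line in parse_ssh_accepts(rules_text):
        covered = any(src.version == t.version and src.subnet_of(t) for t in trusted)
        if not covered:
            findings.append({"source": str(src), "hosts": src.num_addresses, "rule": line})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, TRUSTED_SOURCES):
        print(f"UNTRUSTED SSH SOURCE {f['source']} ({f['hosts']} hosts): {f['rule']}")
```

On a live system the same function can be fed the output of `iptables-save` instead of the constructed sample.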

Updated at 2:30 p.m. ET: Added comment from Barracuda spokesperson.

Talkback

7 comments
  • 'Backdoor' root logins found in Barracuda security, networking gear

    What OS does it run?
    Loverock-Davidson
    • the safest os on the planet earth

      n/t
      Mr.SV
    • Does it matter?

      The vulnerability wasn't the OS.

      It was the undocumented root account.
      Letophoro
      • Yes it does matter

        If I have that OS on any of my machines I need to see if they have these root logins on them.
        Loverock-Davidson
        • How do you figure?

          Unless you own Barracuda security and/or networking gear, you do not have the account that is the attack vector.

          Or do you just assume that because one vendor has added a default account, every vendor has added the same default account? That is, if HP adds a default account to every computer, do you believe that Dell also adds the same default account?
          Letophoro
  • 'Backdoor' root logins found in Barracuda security, networking gear

    The question is, did the company knowingly include the backdoor root login for remote tech support, or at the behest of the powers that be? Or maybe the source was hacked for nefarious reasons. Being a security company, the existence of this security vulnerability is unforgivable whatever the reason is ... AT&T was found spying before for the sake of national security ...
    kc63092@...
  • Kudos to S. Viehböck

    Outdated iptables-

    Note:
    The timestamp and the version of iptables-save suggest that these rules might have been in place on Barracuda Networks appliances since 2003.

    https://www.secconsult.com/fxdata/seccons/prod/temedia/advisories_txt/20130124-0_Barracuda_Appliances_Backdoor_wo_poc_v10.txt
    Customers are advised to update their Security Definitions to v2.0.5
    https://www.barracudanetworks.com/support/techalerts
    daikon