My next class:
Network Monitoring and Threat Detection In-Depth, Singapore, Nov 18th - Nov 23rd 2024

Barracuda "Back Door"

Published: 2013-01-24. Last Updated: 2013-01-25 14:07:59 UTC
by Johannes Ullrich (Version: 1)

According to Austrian security company SEC Consult [1], several Barracuda products include an undocumented backdoor. The affected accounts are installed by default and cannot be disabled. An attacker could use either SSH or local console access to log in using these accounts.

SEC Consult was able to crack some of the passwords for these accounts using the shadow file. The accounts also have authorized SSH keys defined, but of course it would be pretty hard to find the associated private key.
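A defender-side check for the condition described above, as an added example that is not part of the original diary or of SEC Consult's advisory: it lists accounts that can log in by password or SSH key but are not on an administrator's documented allowlist. The account names, placeholder hashes, key counts and the `audit` function are all constructed for illustration; run it against copies of the real `passwd` and `shadow` files.

```python
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample data; account names and hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
vendorsupport:x:1001:1001::/home/vendorsupport:/bin/bash
keyonly:x:1002:1002::/home/keyonly:/bin/sh
"""
SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
admin:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15000:0:99999:7:::
vendorsupport:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:15000:0:99999:7:::
keyonly:!:15000:0:99999:7:::
"""
# Constructed: number of entries in each user's ~/.ssh/authorized_keys.
AUTHORIZED_KEYS = {"keyonly": 1, "vendorsupport": 2}


def audit(passwd_text, shadow_text, authorized_keys, documented):
    """Return [(account, [login methods])] for undocumented, login-capable accounts."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or parts[6] in NOLOGIN_SHELLS or parts[0] in documented:
            continue  # malformed line, no login shell, or an expected account
        name = parts[0]
        methods = []
        # '*' or a leading '!' locks the password; an empty field means no password at all.
        if not shadow.get(name, "*").startswith(("!", "*")):
            methods.append("password")
        if authorized_keys.get(name, 0) > 0:
            methods.append("ssh-key")  # key login may work even with a locked password
        if methods:
            findings.append((name, methods))
    return findings


if __name__ == "__main__":
    for account, methods in audit(PASSWD, SHADOW, AUTHORIZED_KEYS, {"root", "admin"}):
        print(f"undocumented login-capable account: {account} via {', '.join(methods)}")
```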

This issue affects various Barracuda products.

Default iptables firewall rules block access to port 22 from public IP addresses. But it appears that certain local networks are free to connect to port 22.

Barracuda published an alert rating this problem as "medium" [2].

[1] https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130124-0_Barracuda_Appliances_Backdoor_wo_poc_v10.txt
[2] https://www.barracudanetworks.com/support/techalerts

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Comments

From link 2 above it *appears* that updating the security definitions on the Barracuda devices will fix this:
All Barracuda Networks appliances with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are potentially affected. Customers are advised to update their Security Definitions to v2.0.5 immediately.
From the release notes for the security definitions:
Issue 2.0.5: Resolved issue discovered by Stefan Viehboeck, SEC Consulting (sec-consulting.com) that could result in unauthorized access to Barracuda appliances from the default, limited set of ip addresses shipped with the Barracuda appliances for support purposes. While this update drastically minimizes any potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired.
This was actually reported a long time ago. There are public blogs detailing how to boot to single user mode to remove Barracuda's root hash, that were posted back in 2009 (they include the hash, which is why I am not linking them here).
