January 24, 2013

A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners.

barracudaBarracuda’s hardware devices are broadly deployed in corporate environments, including the Barracuda Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPNStefan Viehböck, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab., discovered in November 2012 that these devices all included undocumented operating system accounts that could be used to access the appliances remotely over the Internet via secure shell (SSH).

Viehböck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.

Viehböck said he soon found that these devices all were configured out-of-the-box to listen for incoming SSH connections on those undocumented accounts, but that the devices were set to accept connection attempts only from Internet address ranges occupied by Barracuda Networks. Unfortunately, Barracuda is not the only occupant of these ranges. Indeed, a cursory lookup of the address ranges at network mapping site Robtex.com shows there are potentially hundreds of other companies running Web sites and other online operations in the same space.

Barracuda Networks has not yet responded to requests for comment. However, this morning the company released a series of advisories acknowledging these and other vulnerabilities, flagging the backdoor flaws as “medium” threats. The company’s fix includes restricting remote SSH configuration to two accounts — and requiring those accounts to use a public/private encryption key pair. But according to SEC Consult, Barracuda’s fix still allows remote SSH logins via the “root” account without requiring an encryption key exchange, and the fix does nothing to further restrict the range of Internet addresses that can be used to access the backdoor accounts. SEC Consult said Barracuda replied that the remaining accounts were vital for customer support.

“In secure environments it is highly undesirable to use appliances with backdoors built into them,” Viehböck wrote in SEC Consult’s advisory. “Even if only the manufacturer can access them.”

Barracuda also released updates to fix a serious vulnerability in the company’s SSL VPN product that SEC Consult found could let an unauthenticated attacker to download configuration files and database dumps, and allow the system to be shutdown and new administrative passwords set without prior authentication.

It’s not clear for how long the backdoor accounts have existed in Barracuda’s products, but the researchers found evidence that they have been in place since at least 2003. Also, this thread on the security mailing list Full Disclosure  includes some interesting discussion about how these backdoor accounts may have been used.


32 thoughts on “Backdoors Found in Barracuda Networks Gear

  1. Sam Bowne

    Great article!

    Grammar corrections:

    2nd paragraph, last sentence, remove “an”
    3rd paragraph, last sentence, “password file” should be preceded by “a”
    2nd-to-last paragraph: “and allow the shutdown” should be “shut the system down,”

  2. wiredog

    OK. Having done tech support for people who were not highly skilled I can see the need for allowing remote admin logins on this type of equipment. Far cheaper than putting the tech on an airplane. But. It should be restricted to a particular distinctively marked port which is not connected to the outside world until the user is told to do so by the support tech. That’s how we did it, anyway, when I worked in industrial automation.

    1. Rod MacPherson

      Funny thing is when you call Barracuda for support they ask you to log into the web interface and click a button that makes an out-going SSH tunnel connection back to them. There is no need for SSH to be open as a service at all. On the Barracuda spam box I manage it is firewalled off from the internet anyway. This has not caused a problem at all.

      1. Rod MacPherson

        Reading over the details of the “fix” why is root active (you don’t have to su or sudo to it) and why oh why does it have SSH login privileges? Those are 2 fairly standard Linux defaults they’ve un-done for what reason?

      2. Leslie Jones

        Only thing is Rob, Barracuda thought about firewalls – hence redirection of port 25 to SSHD for certain IP’s. You firewalled off port 25? Oh hang on, you can’t do that or it will stop working…….. oh dear.

        Used to be in this range: 65.184.0.0/255.248.0.0

        I think they’ve changed this – but if you ever reset the firmware back to the factory you may well get a shock as to what it will let in.

    2. William

      Wiredog! Remote troubleshooting is very valuable…compromising security is not. If the customer would like to create an account and make it available to a remote tech resource, let them do it themselves. There is no excuse for a vendor taking liberty with their customer’s infrastructure without their knowledge and consent.

      -William

      1. Narg

        William; get a life. Wiredog’s solution is NOT a security risk and he agrees that Barracuda’s attempt was poorly done. Anyone can see that.

    3. Tim

      Yes, a customer of a Barracuda appliance is a “highly unskilled” one and they are lucky Barracuda is taking care of them.

      It’s a security appliance, for pete’s sake! For corporations. With IT security staff. A backdoor in a security appliance is absolutely and unconditionally not acceptable.

  3. Paul C

    Actually, the barracuda devices (at least the anti-spam, probably the others as well) have a “open a support tunnel to support” feature that opens a reverse ssh connection to barracuda, and that’s what they tell you to use if you need advanced support. I’m not sure why they need additional ssh access on top of that. Generally, if the appliance is so hosed that you can’t do that, you’re probably going to try to revert to the factory install anyway. If that doesn’t work, you’re swapping out the appliance.

  4. Leslie Jones

    The older models used to redirect port 25 (which is always open because of the nature of the device) to SSH if the same range was used. Really nasty.

    Basic problem is B/N have no idea. They have cobbled their stuff together from knocked off open source projects held together by dodgy Perl glue scripts. Rumour has it that a number of UK organizations won’t allow them because they are considered insecure, and they were the primary reasons for a massive data breach from the NHS.

  5. JCitizen

    I’m assuming this reverse SSH lookup will prevent IP spoofing? I can see why Barracuda does this; but seriously; they need to lock this down better.

    How about just simply locking out remote administration, unless the client asks for it, and configures it from inside his LAN? At least in that scenario, I might be comfortable in leaving the rest of the firmware configuration alone.

    I really don’t trust ANYONE enough to allow 24/7 access to my gateway appliance for ANY reason!

    1. jes j

      @JCitizen, the problem is not a “reverse SSH”, it’s “out-of-the-box to listen for incoming SSH connections”.
      That’s a port which is listening (waiting for…) connections on your Barracuda.

      It should not exists.

  6. Tom

    Pleasantly surprised that my Loadbalancer had patched itself – the security definition update was updated to the relevant version mitigating this attack.

  7. Just Sayin'

    See http://www.rhyolite.com/anti-spam/objections/mperone.shtml

    Barracuda and its poorly configured amavisd-new was a major source of backscatter at some point.

    Their tech support’s inane response to the problem did not make things better.

    And as Mr Schryver points out, they are or were playing both sides of the fence.

    I wouldn’t trust Barracuda Networks with my money. I am not surprised to learn of this backdoor.

  8. EJ

    All you need to read is “username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password”.

    Let the hammer fall where it may.

    1. Narg

      I agree Micah, grammar natzi’s suck. This is an informal forum, and as long as the message gets through, then you have accomplished your goal 100%. Correct grammar is only useful in formal settings.

  9. Leslie Jones

    My bad – the actual rule(s) they used to use to divert port 25 to sshd & http were:

    -A PREROUTING -s 205.158.110.61 -p tcp -m tcp –dport 25 -j REDIRECT –to-ports 22
    -A PREROUTING -s 205.158.107.65 -p tcp -m tcp –dport 25 -j REDIRECT –to-ports 8000

    These have since been replaced with undisclosed back doors – this is not for support – it’s more related to billing and cloning.

    Seriously – if you have business sensitive email running through your network, you really *don’t* want it running through a Barracuda. There is a reason they are cheap (and nasty).

  10. Murray

    If this were a Chinese company the US government would be taking high-priority cyber-defensive action. After all, it could be used for spying!

    1. Narg

      Who said they are not doing exactly that? Just because you don’t know it’s happening doesn’t mean it’s not.

  11. Jake

    So I wonder if Congress is going to do a huge report on them?

    1. SeymourB

      I don’t see why they wouldn’t, its not like they need to practice what they preach.

      Reports for some, miniature American flags for others!

  12. Simon

    Barracuda also had some sort of blacklist protection style scam going. Really you don’t want to do business with people like that.

  13. ioo

    “variety of the latest firewall, spam filter and VPN appliances”? yeah, sure. Read original report instead of reposting wrong information. Firewalling product (NG Firewall) was actually not affected as it’s one of a few designed to be put into insecure network (unlike spam filter, which every thinking admin would put behind a firewall).
    Keep your head up or Internet will start calling you craponsecurity!

    1. Leslie Jones

      A stooge of Drako’s by any chance?

      The ‘Spam & Virus Firewall’ contains the word ‘Firewall’. It does not contain the phrase ‘Needs to be put behind a firewall’. Perhaps ‘Firewall’ means something else to Barracuda?

      These are crud products – total network bottlenecks – with some of the worst code, worst security and slowest performance I’ve ever had the misfortune to use. Seriously, steer clear of this junk – it has that ‘made in a hobbiests bedroom’ quality about it, and Micheal Perone is a former spammer.

      1. ioo

        oh c’mon. Naming it a “firewall” doesn’t make it a firewall, right? Unless you’re in marketing… but then… gosh, maybe you also think Ironport has ports made of iron? ;->

        1. Leslie Jones

          It’s ironic – that’s for sure. Much like a spammer like Mike ‘how much can I pay you to work with me on this’ Perone frontin’ up an anti-spam racket.

          Emailreg.org pay to spam service, anyone???

Comments are closed.