A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners.
Barracuda’s hardware devices are broadly deployed in corporate environments, including the Barracuda Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN. Stefan Viehböck, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab., discovered in November 2012 that these devices all included undocumented operating system accounts that could be used to access the appliances remotely over the Internet via secure shell (SSH).
Viehböck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.
Viehböck said he soon found that these devices all were configured out-of-the-box to listen for incoming SSH connections on those undocumented accounts, but that the devices were set to accept connection attempts only from Internet address ranges occupied by Barracuda Networks. Unfortunately, Barracuda is not the only occupant of these ranges. Indeed, a cursory lookup of the address ranges at network mapping site Robtex.com shows there are potentially hundreds of other companies running Web sites and other online operations in the same space.
Barracuda Networks has not yet responded to requests for comment. However, this morning the company released a series of advisories acknowledging these and other vulnerabilities, flagging the backdoor flaws as “medium” threats. The company’s fix includes restricting remote SSH configuration to two accounts — and requiring those accounts to use a public/private encryption key pair. But according to SEC Consult, Barracuda’s fix still allows remote SSH logins via the “root” account without requiring an encryption key exchange, and the fix does nothing to further restrict the range of Internet addresses that can be used to access the backdoor accounts. SEC Consult said Barracuda replied that the remaining accounts were vital for customer support.
“In secure environments it is highly undesirable to use appliances with backdoors built into them,” Viehböck wrote in SEC Consult’s advisory. “Even if only the manufacturer can access them.”
Barracuda also released updates to fix a serious vulnerability in the company’s SSL VPN product that SEC Consult found could let an unauthenticated attacker to download configuration files and database dumps, and allow the system to be shutdown and new administrative passwords set without prior authentication.
It’s not clear for how long the backdoor accounts have existed in Barracuda’s products, but the researchers found evidence that they have been in place since at least 2003. Also, this thread on the security mailing list Full Disclosure includes some interesting discussion about how these backdoor accounts may have been used.