
SANS ISC: Barracuda "Back Door" - Internet Security | DShield SANS ISC InfoSec Forums


Barracuda "Back Door"

According to the Austrian security company SEC Consult, several Barracuda products include an undocumented backdoor [1]. The affected accounts are installed by default and cannot be disabled. An attacker could use either SSH or local console access to log in using these accounts.

SEC Consult was able to crack some of the passwords for these accounts using the shadow file. The accounts also have authorized SSH keys defined, but of course it would be pretty hard to find the associated private key.

This issue affects various Barracuda products.

Default iptables firewall rules block access to port 22 from public IP addresses, but it appears that certain local networks are free to connect to port 22.

Barracuda published an alert rating this problem as "medium" [2].
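The two things worth checking on any appliance after a report like this are the ones the diary describes: which accounts can actually log in (a non-locked password hash or an authorized SSH key), and which source networks the iptables rules let through to port 22. The following audit script is an added example, not code from SEC Consult, Barracuda or the ISC; the shadow file, key counts and iptables-save dump are constructed sample data, and the "expected" sets are the operator's own inventory.

```python
import re

# Constructed sample data: a shadow file, the number of authorized_keys
# entries per account, and an iptables-save dump (none of it from a real device).
SHADOW = """\
root:$6$abc$SAMPLEHASH1:15000:0:99999:7:::
admin:$6$def$SAMPLEHASH2:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
support:$1$xyz$SAMPLEMD5HASH:15000:0:99999:7:::
"""
KEYS = {"root": 0, "admin": 0, "daemon": 0, "support": 1}
IPTABLES = """\
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""
EXPECTED_ACCOUNTS = {"root", "admin"}   # accounts the operator documented
EXPECTED_SOURCES = {"10.0.0.0/8"}       # networks that should reach SSH

def login_capable(shadow, keys):
    """Accounts that can log in: usable password hash or at least one SSH key."""
    result = {}
    for line in shadow.splitlines():
        user, hash_ = line.split(":")[:2]
        has_pw = hash_ not in ("", "*", "!!") and not hash_.startswith("!")
        md5crypt = hash_.startswith("$1$")   # $1$ = MD5-crypt, cheap to crack
        if has_pw or keys.get(user, 0):
            result[user] = {"password": has_pw, "md5crypt": md5crypt,
                            "keys": keys.get(user, 0)}
    return result

def ssh_sources(rules):
    """Source ranges ACCEPTed on tcp/22 in an iptables-save dump ('any' if none)."""
    sources = set()
    for line in rules.splitlines():
        if "--dport 22 " in line and line.rstrip().endswith("-j ACCEPT"):
            m = re.search(r"-s (\S+)", line)
            sources.add(m.group(1) if m else "any")
    return sources

def audit(shadow, keys, rules, expected_accounts, expected_sources):
    """Return (undocumented login-capable accounts, unexpected SSH source ranges)."""
    accounts = login_capable(shadow, keys)
    unexpected = {u: v for u, v in accounts.items() if u not in expected_accounts}
    return unexpected, ssh_sources(rules) - expected_sources

if __name__ == "__main__":
    acc, src = audit(SHADOW, KEYS, IPTABLES, EXPECTED_ACCOUNTS, EXPECTED_SOURCES)
    for user, info in acc.items():
        print(f"undocumented login-capable account: {user} {info}")
    for s in sorted(src):
        print(f"tcp/22 accepted from unexpected source: {s}")
```

On a real system the inputs would be read from /etc/shadow, each user's authorized_keys and the output of iptables-save; the undocumented account here is flagged both for its MD5-crypt hash and for its SSH key.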

[1] https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130124-0_Barracuda_Appliances_Backdoor_wo_poc_v10.txt
[2] https://www.barracudanetworks.com/support/techalerts


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3603 Posts
ISC Handler
From link 2 above it *appears* that updating the security definitions on the Barracuda devices will fix this:
All Barracuda Networks appliances with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are potentially affected. Customers are advised to update their Security Definitions to v2.0.5 immediately.
John

88 Posts
From the release notes for the security definitions:
Issue 2.0.5: Resolved issue discovered by Stefan Viehboeck, SEC Consulting (sec-consulting.com) that could result in unauthorized access to Barracuda appliances from the default, limited set of ip addresses shipped with the Barracuda appliances for support purposes. While this update drastically minimizes any potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired.
John

88 Posts
This was actually reported a long time ago. There are public blogs detailing how to boot to single user mode to remove Barracuda's root hash, that were posted back in 2009 (they include the hash, which is why I am not linking them here).
John
2 Posts
