Barracuda Firewall Rigged With Hard-Coded Backdoor
A number of hardware security appliances made by Barracuda Networks ship with an undocumented backdoor in their firmware, according to a report by SEC Consult Vulnerability Lab.
This backdoor allows an attacker to gain access to the appliances by simply tapping into them via SSH and logging in with a pre-defined username and password. The backdoor is built into a variety of products, such as Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN – most of which are widely deployed in business and enterprise environments.
“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses,” wrote the Barracuda tech team in an advisory posted yesterday.
According to the report, connections are only allowed from a list of trusted public IP ranges (220.127.116.11/24 and 18.104.22.168/24) which are apparently assigned to Barracuda Networks and Layer42.Net, respectively. Since remote connections were available from within the Barracuda network, it would be fair to assume this feature is actually used for support, rather than for prying into people’s businesses.
However, undocumented features are a serious business nowadays – so serious that even software vendors (with minor exceptions) have been prompted to remove “Easter eggs” from their applications. It’s easy to understand why pseudo-authorized access to critical networking gear is a disturbing perspective for any respectable system administrator.
Barracuda has issued an emergency fix, available from the vendor’s website for immediate download.