Secret backdoors found in firewall, VPN gear from Barracuda Networks
A variety of firewall, spam-filtering, and VPN hardware products sold by Barracuda Networks were reported this week to carry a security flaw that allows user accounts on the devices to be compromised.
Those products contain undocumented backdoor accounts that allow easy remote access to "multiple Barracuda Networks products".
The SSH backdoor is hardcoded into the affected products, and the discovered flaw can be used to gain shell access to vulnerable Barracuda equipment, according to an advisory published Thursday by SEC Consult Vulnerability Lab.
The advisory states that "this functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog." The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username "product" with a "very weak" password to log in and gain access to the device's MySQL database. While the backdoors can be reached from only a small range of IP addresses, many of those addresses belong to entities other than Barracuda.
"The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities - all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet," the advisory explained.
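As an added illustration (not code from the advisory or from Barracuda), the following defensive check scans SSH authentication log lines for the pattern described above: logins to the undocumented "product" account, or to any account not on an administrator allowlist, and logins arriving from outside an assumed management network. The log lines, the allowlist and the 10.0.5.0/24 range are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sshd-style log lines; not taken from any real appliance.
SAMPLE_LOG = """\
Jan 24 03:12:01 bnapp sshd[4411]: Accepted password for admin from 10.0.5.7 port 51022 ssh2
Jan 24 03:15:44 bnapp sshd[4420]: Accepted password for product from 203.0.113.45 port 40110 ssh2
Jan 24 03:16:02 bnapp sshd[4425]: Failed password for product from 198.51.100.9 port 40222 ssh2
Jan 24 03:20:19 bnapp sshd[4430]: Accepted publickey for admin from 10.0.5.8 port 51040 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for <user> from <ip>" line.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port"
)

# Accounts your administrators actually use (assumed); anything else is suspect,
# including the undocumented "product" account named in the advisory.
EXPECTED_USERS = {"admin"}
# Management network from which SSH logins are expected (assumed value).
MGMT_NET = ipaddress.ip_network("10.0.5.0/24")


def find_suspicious_logins(log_text: str) -> List[Dict[str, str]]:
    """Return SSH login attempts (successful or failed) that use an account
    outside EXPECTED_USERS or originate outside MGMT_NET."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        reasons = []
        if user not in EXPECTED_USERS:
            reasons.append(f"unexpected account '{user}'")
        if ipaddress.ip_address(ip) not in MGMT_NET:
            reasons.append(f"source {ip} outside {MGMT_NET}")
        if reasons:
            findings.append({"user": user, "ip": ip, "result": m["result"],
                             "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"{f['result']:8} {f['user']:8} {f['ip']:16} {f['reason']}")
```

Failed attempts are reported as well as successful ones, since repeated failures against the backdoor account are themselves worth an alert.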
Barracuda also released its own medium-level security advisory on Wednesday. The company said that research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log in to a non-privileged account on the appliance from a small set of IP addresses.
The company says the issue can be resolved by moving away from the "default firewall configuration and default user accounts on the unit."
A timestamp and version string in the code that enables the backdoor bear a date from 2003, suggesting it may have existed in Barracuda appliances for a decade. Advisories from SEC Consult and Barracuda also reference a serious authentication bypass bug. In an age of sophisticated advanced persistent threats, administrators who oversee any of this gear should update as soon as possible.