A diverse range of equipment from security device manufacturer Barracuda Networks, including firewall, spam filter, load balancer and VPN appliances, contains two vulnerabilities that could allow a remote attacker to gain access through undocumented backdoor accounts. The vulnerabilities were discovered by Stefan Viehböck, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab, in November. Barracuda recently confirmed the vulnerabilities and announced that it had resolved the issues.
The vulnerabilities stem from default firewall configurations and default user accounts on the units that would allow an attacker with in-depth knowledge of the products to remotely log in to a non-privileged account. Krebs on Security explained that a default, undocumented account with no password could be used to access the device’s MySQL database.
According to SEC Consult, this access could enable an attacker to break the appliances’ security mechanisms or tap into the API functionality, depending on the attack vector. The latter allows an attacker to download configuration files and database dumps, as well as set new admin passwords or shut down the system entirely.
According to Krebs on Security, Viehböck discovered that the affected devices were configured on installation to accept SSH connections for the undocumented accounts, but only from Internet address ranges occupied by Barracuda Networks. However, there are potentially hundreds of other companies occupying these same ranges, meaning that the address-range restriction offers less protection than Barracuda may have realized.
“In secure environments it is highly undesirable to use appliances with backdoors built into them,” Viehböck wrote, according to Krebs on Security. “Even if only the manufacturer can access them.”
To avoid leaving such vulnerabilities in devices’ code, manufacturers can institute more secure coding practices. By using tools such as source code analysis, vendors can strengthen their devices by catching security flaws before they reach the market.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.