WALK RIGHT IN, SIT ON DOWN —

Secret backdoors found in firewall, VPN gear from Barracuda Networks

The undocumented accounts may have been around for a decade.

Dan Goodin - Jan 24, 2013 4:08 pm UTC

A variety of firewall, VPN, and spam filtering gear sold by Barracuda Networks contains undocumented backdoor accounts that allow people to remotely log in and access sensitive information, researchers with an Austrian security firm have warned.

The SSH, or secure shell, backdoor is hardcoded into "multiple Barracuda Networks products" and can be used to gain shell access to vulnerable appliances, according to an advisory published Thursday by SEC Consult Vulnerability Lab.

"This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog," the advisory states. The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username "product" with no Update: a "very weak" password to log in and gain access to the device's MySQL database. While the backdoors can be accessed by only a small range of IP addresses, many of them belong to entities other than Barracuda.

"The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities—all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet," the advisory explained.

Barracuda issued several of its own security advisories on Wednesday here. "Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log in to a non-privileged account on the appliance from a small set of IP addresses," one advisory with a risk rating of "medium" stated. "The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit."

A timestamp and version relevant for the code that enables the backdoor bears a date from 2003, suggesting it may have existed in the Barracuda appliances for a decade. Advisories from SEC Consult and Barracuda also reference a serious authentication bypass bug. In an age of sophisticated advanced persistent threats, administrations who oversee any of this gear should update as soon as possible.

Story updated to correct sentence about password required to log in to the "product" account. Once logged in, no password is required to access the MySQL database. Thanks to SEC Consult's Johannes Greil for the correction.

Promoted Comments

mikemosh511Wise, Aged Ars Veteranet Subscriptor
jump to post

0xD3F3ND3R wrote:
As someone who has found numerous instances of these kinds of backdoors and just not bothered publishing them because they are obvious to anyone with basic skills and access to the device or software, I have to ask, WTF did you expect?

Does anyone seriously believe that programmers and vendors, let alone key suppliers to strategic institutions around the world, would supply software or hardware that they did not have a way to gain administrative access to for "support" purposes?

Does anyone really believe that if they outsource your development, the developers will not leave a "test harness" with a "debugging interface" in the compiled code? Really?

The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

I'm shocked, Shocked!...

The firewalls we put in come with remote admin and remote support turned off by default, and you can turn it on if you wish.

Think of it as opting-in vs opting-out. When it comes to letting anyone else into my firewall, I much prefer the opt-in method.

103 posts | registered Mar 10, 2010
alpha_dkSmack-Fu Master, in traininget Subscriptor
jump to post

markstewart wrote:
I noted they aren't identifying the block owners. I assume they are state actors and this was all very purposeful. If I had any of their gear I'd be demanding all the blocks and then null routing them (before it even hit the firewall)...

The blocks are:
205.158.110.0/24
216.129.105.0/24
(from one of the linked articles)

article wrote:
These ranges include some servers run by Barracuda Networks eg.
spam04.barracuda.com (216.129.105.22)
forum.barracudanetworks.com (216.129.105.38)
barracudacentral.org (216.129.105.40)
repsrv.barracuda.com (216.129.105.42)
mirror01.barracudacentral.com (216.129.105.94)
...

but also servers from other entities:
mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
static.medallia.com (205.158.110.229) - Domain registed by: Medallia Inc.
utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
everest.address.com (216.129.105.202) - Domain registed by: WhitePages, Inc.
mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting
...

More information about the hosts in these /24 networks can be found at:
http://cnet.robtex.com/205.158.110.html
http://cnet.robtex.com/216.129.105.html

14 posts | registered Mar 8, 2010
igor.levickiArs Praetorian
jump to post

0xD3F3ND3R wrote:
The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

You obviously have no clue about the subject.

My company is a vendor for banking institutions, and I know that some of them use Barracuda hardware for VPN access. Someone is most likely sweating and working overtime now because of this scandal.

When you purchase a security product (which is not cheap by the way), it should go without saying that full control should be in your hands, and that all inbound access and all remote admininstration features are disabled by default, not to mention how remote administration should not work at all even if enabled without a proper password being set. Hell, even $60 TP-Link home routers do not allow remote administration by default.

@Dilbert:

Not everyone can afford Cisco equipment, not to mention that it requires a lot of serious training to learn how to use it properly while in many companies IT is understaffed and sometimes done by people from other departments (such as software engineering) if there is no dedicated IT personnel. Moreover, Cisco IOS has its own bugs and vulnerabilities, and without active support subscription (which adds to your expenses) you cannot have access to firmware updates.

Finally, Cisco is usually overkill if what you need is only multiple LAN-to-LAN VPN, not to mention that their latest and fully supported hardware accelerated routers offering such features (19xx, 29xx and 39xx series) cost an arm and leg ($3500+).

Lets not forget that the choice of hardware and software is not the main issue here -- much bigger and more serious issue is how nobody using Barracuda products didn't catch that open port during security audit.
Last edited by igor.levicki on Thu Jan 24, 2013 11:52 am

521 posts | registered Jan 20, 2012

Promoted Comments

mikemosh511Wise, Aged Ars Veteranet Subscriptor
jump to post

0xD3F3ND3R wrote:
As someone who has found numerous instances of these kinds of backdoors and just not bothered publishing them because they are obvious to anyone with basic skills and access to the device or software, I have to ask, WTF did you expect?

Does anyone seriously believe that programmers and vendors, let alone key suppliers to strategic institutions around the world, would supply software or hardware that they did not have a way to gain administrative access to for "support" purposes?

Does anyone really believe that if they outsource your development, the developers will not leave a "test harness" with a "debugging interface" in the compiled code? Really?

The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

I'm shocked, Shocked!...

The firewalls we put in come with remote admin and remote support turned off by default, and you can turn it on if you wish.

Think of it as opting-in vs opting-out. When it comes to letting anyone else into my firewall, I much prefer the opt-in method.

103 posts | registered Mar 10, 2010
alpha_dkSmack-Fu Master, in traininget Subscriptor
jump to post

markstewart wrote:
I noted they aren't identifying the block owners. I assume they are state actors and this was all very purposeful. If I had any of their gear I'd be demanding all the blocks and then null routing them (before it even hit the firewall)...

The blocks are:
205.158.110.0/24
216.129.105.0/24
(from one of the linked articles)

article wrote:
These ranges include some servers run by Barracuda Networks eg.
spam04.barracuda.com (216.129.105.22)
forum.barracudanetworks.com (216.129.105.38)
barracudacentral.org (216.129.105.40)
repsrv.barracuda.com (216.129.105.42)
mirror01.barracudacentral.com (216.129.105.94)
...

but also servers from other entities:
mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
static.medallia.com (205.158.110.229) - Domain registed by: Medallia Inc.
utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
everest.address.com (216.129.105.202) - Domain registed by: WhitePages, Inc.
mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting
...

More information about the hosts in these /24 networks can be found at:
http://cnet.robtex.com/205.158.110.html
http://cnet.robtex.com/216.129.105.html

14 posts | registered Mar 8, 2010
igor.levickiArs Praetorian
jump to post

0xD3F3ND3R wrote:
The story here is not that Barracuda has a backdoor, it's that IT people are so naive that they are shocked by it. Someone will sell you hardware and software, but they will never sell you control. If you want control, that's what you pay security consultants for.

You obviously have no clue about the subject.

My company is a vendor for banking institutions, and I know that some of them use Barracuda hardware for VPN access. Someone is most likely sweating and working overtime now because of this scandal.

When you purchase a security product (which is not cheap by the way), it should go without saying that full control should be in your hands, and that all inbound access and all remote admininstration features are disabled by default, not to mention how remote administration should not work at all even if enabled without a proper password being set. Hell, even $60 TP-Link home routers do not allow remote administration by default.

@Dilbert:

Not everyone can afford Cisco equipment, not to mention that it requires a lot of serious training to learn how to use it properly while in many companies IT is understaffed and sometimes done by people from other departments (such as software engineering) if there is no dedicated IT personnel. Moreover, Cisco IOS has its own bugs and vulnerabilities, and without active support subscription (which adds to your expenses) you cannot have access to firmware updates.

Finally, Cisco is usually overkill if what you need is only multiple LAN-to-LAN VPN, not to mention that their latest and fully supported hardware accelerated routers offering such features (19xx, 29xx and 39xx series) cost an arm and leg ($3500+).

Lets not forget that the choice of hardware and software is not the main issue here -- much bigger and more serious issue is how nobody using Barracuda products didn't catch that open port during security audit.
Last edited by igor.levicki on Thu Jan 24, 2013 11:52 am

521 posts | registered Jan 20, 2012

Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.

Channel Ars Technica

← Previous story Next story →

Promoted Comments

Promoted Comments

reader comments

Channel Ars Technica