Secret backdoors found in security appliances from Barracuda Networks
A variety of security appliances sold by Barracuda Networks were found to contain secret backdoors that allow outsiders with the right knowledge to gain remote access. This shocking revelation was revealed in an advisory published by the SEC Consult Vulnerability Lab earlier this week.
The devices are apparently configured to listen to a specific list of IP ranges, and in at least one instance, will accept a username of "product" and a weak password from a remote user to gain shell access. Some of these IP addresses belong to Barracuda, though many of them belong to unaffiliated entities.
What is concerning is not only that these accounts are entirely undocumented, but that they can only be disabled via a hidden "expert options" dialog, according to the advisory. Moreover, the timestamp of a file enabling this functionality was dated 2003, suggesting that the backdoor may have been in place for a decade.
Barracuda Networks has since confirmed that the problem exists, and advised customers to immediately update the security definitions on their devices to version 2.0.5. According to the two security advisories posted on Wednesday, all appliances with the exception of the Barracuda Backup Server, Barracuda Firewall and Barracuda NG Firewall "are potentially affected."
"Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses," noted the company in one of the related security advisories.