Backdoor accounts found in networking and security appliances from Barracuda Networks

Attackers can use the accounts to gain root access on the devices from certain IP address ranges, researchers say

A variety of networking and security appliances from Barracuda Networks contain backdoor accounts that could allow attackers to log in remotely over SSH (Secure Shell) and gain administrative, or root, access on the devices.

The backdoor accounts were discovered by security researchers from Austria-based security firm SEC Consult. These accounts are not documented, they cannot be removed and can be accessed over SSH, they said in a security advisory published Thursday.

Furthermore, the appliances are configured by default to accept SSH connections from certain ranges of public IP addresses. Some servers located in those IP ranges are owned by Barracuda Networks, but others are owned by third-party organizations and individuals.

An attacker who compromises any server from the whitelisted IP ranges can gain administrative rights on Barracuda Networks appliances connected to the Internet by using the backdoor accounts, the SEC Consult researchers warned.

For example, one particular backdoor account called "product" can be used to log into a Barracuda appliance, access its MySQL database without a password and add new administrative users to the device's configuration, the researchers said. On the Barracuda SSL VPN appliance it was also possible to enable diagnostic or debugging functionality which could be used to gain root access, they said.

Barracuda Networks acknowledged the problem on Wednesday and advised customers to update the Security Definitions on their devices to version 2.0.5 immediately.

"Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses," the company said in an advisory on its website.

According to the company, all appliances with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall are potentially affected. This includes: Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer, Barracuda SSL VPN.

The company noted that the security definitions update "drastically minimizes potential attack vectors," but advised customers who want to disable the remote support access functionality completely to contact its technical support department.

Tags: firewalls, patches, intrusion, security, Networking, Barracuda Networks, Exploits / vulnerabilities

Coding error protects some Android apps from Heartbleed

READ THIS ARTICLE
MORE IN Government
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Get Powerful Protection for All of Your Mobile Devices

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.