Backdoors reside in networking and security appliances from Barracuda Networks that could allow attackers to log in remotely over SSH (Secure Shell) and gain administrative, or root, access on the devices.
The backdoor accounts ended up discovered by security researchers from Austria-based security firm SEC Consult. These accounts are not documented, they cannot be removed and can be accessed over SSH, researchers said in a security advisory.
Furthermore, the default configurations in the appliances accept SSH connections from certain ranges of public IP addresses. Some servers located in those IP ranges are Barracuda Networks’, but third-party organizations and individuals own the others.
An attacker who compromises any server from the whitelisted IP ranges can gain administrative rights on Barracuda Networks appliances connected to the Internet by using the backdoor accounts, the SEC Consult researchers warned.
In one case, a backdoor account called “product” can log into a Barracuda appliance, access its MySQL database without a password and add new administrative users to the device’s configuration, the researchers said. On the Barracuda SSL VPN appliance it was also possible to enable diagnostic or debugging functionality which could gain root access, they said.
Barracuda Networks acknowledged the problem last week and advised customers to update the Security Definitions on their devices to version 2.0.5 immediately.
“Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses,” the company said.
All appliances with the exception of the Barracuda Backup Server, Barracuda Firewall, and Barracuda NG Firewall potentially suffer from the issue, company officials said.
This includes: Barracuda Spam and Virus Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Web Application Firewall, Barracuda Link Balancer, Barracuda Load Balancer, Barracuda SSL VPN.
The company noted the security definitions update “drastically minimizes potential attack vectors,” but advised customers who want to disable the remote support access functionality completely to contact its technical support department.