Critical SSH Backdoor in multiple Barracuda Networks Products - alxndr
http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0221.html

======
rdl
Looks like it's worth avoiding Barracuda appliances even after this patch,
since they're retaining the "remote" account.

As to why they did this -- feature checklist compatibility with Huawei and ZTE
is my guess.

Remember most of these do intercept -- they have an SSL CA cert which is
trusted by all your business client devices, to do MITM. So, if you pwn the
box, you can pwn all the SSL traffic at the target company, too. It's an
excellent place to attack.

~~~
atamyrat
> Remember most of these do intercept -- they have an SSL CA cert which is
> trusted by all your business client devices, to do MITM. So, if you pwn the
> box, you can pwn all the SSL traffic at the target company, too. It's an
> excellent place to attack.

I really hope this certificate is not installed/trusted by default on major
browsers. Can somebody confirm it?

EDIT:

<https://www.barracudanetworks.com/news/press_release/33>

"Transparent deployment of this enhanced SSL Inspection feature requires
deployment of a trusted root certificate on client Web browsers."

~~~
lawnchair_larry
No, the way these work is your IT deploys the internal CA cert as trusted on
all systems in the enterprise.

------
jtchang
If you are going to put backdoors (I can't believe I am even saying this) on
your product then it might be good to at least disable normal password logins
and only do SSH key exchange.

That said why the hell are there UNDOCUMENTED backdoors? I mean it makes sense
from a customer support perspective but really?

~~~
frozenport
If you think that's bad, why are there undocumented backdoors that don't
immediately trace back to Barracuda?

~~~
im3w1l
What do you mean?

~~~
dsr_
If you've got SSHd running on an unexpected port, you could put in a banner:
"Barracuda field service access".

If you've got accounts on the system, they can have GECOS fields saying the
same.

And put it in the manual. "Disabling the fieldservice account will prevent
service personnel from logging in. Customers with active support contracts
should not do so."

White hats tell you what they're doing and why.

~~~
jrockway
Does this add any security? Your fake sshd can also say "Barracuda field
service access".

~~~
lcampbell
No, it's just to explicitly inform the customer that Barracuda has shell
access to the appliance. These accounts were undocumented.

~~~
dredmorbius
Reminds me of a situation I encountered at a prior gig. We were getting random
log-ins to an administrative account from a user we didn't recognize. I sent
email around the group asking if anyone knew what was up. Nope.

Started tracing IPs. Turned out it was coming from a gateway used by our
corporate parent (very large organization). Further tracing localized it to
our office.

Turned out my seatmate (who I'd included on the initial email and who had
heard me muttering over this for 2 days) was the guy who had some random bozo
named account that he was using for test purposes ... but had neglected to
tell anyone about.

Sort of pissed me off.

One reason for documenting these backdoors is so that, if you're OK with their
legitimate use, you can properly audit and account for their legitimate use.
That said: given shared keys and common access, I'd be inclined to consider
the device unsecurable.

------
neonkiwi
There's a very unfortunate [dead] comment by Intermernet in this thread.
Unfortunate because it might be a good solution for someone who administers
the affected hardware and wants to remove the backdoor after patching (as per
the _Workaround_ section in the OP, _"Barracuda Networks offers an expert
option that disables the SSH daemon. For assistance contact the Barracuda
Networks Support."_ )

Note, I have no idea why the user is dead, nor if this solution actually
works, but I'm posting Intermernet's post below:

_The workaround mentioned involves:_

1. Log in to the device and go to the "Advanced" tab on the web GUI.

2. Add "&expert=1" to the end of the URL.

3. Click on the red "Expert" button.

4. Scroll to the bottom and disable remote support.

_You will need to reverse this process if you ever actually require the
Barracuda remote support._

------
absconditus
I attempted to view this URL at work. It was blocked by our Barracuda filter.

"The link you are accessing has been blocked by the Barracuda Web Filter
because it contains spyware. The name of the spyware is:
Spyware.Exploit.Misc.MWBR"

~~~
obituary_latte
Well, now you know how to fix that.

With a properly formatted request to the department responsible for
maintaining the web filter, of course.

------
EvanAnderson
It's unfathomable to me why any company in the IT security industry would ship
a product with an undocumented remote access mechanism built-in. This seems
like a sure way, when the mechanism is inevitably discovered, to cause harm to
your company's reputation.

I've always felt vaguely distrustful of Barracuda anyway, but it's nice to
have some facts to cite when not recommending their products.

------
darkarmani
Here is the timeline if you're interested - 14 days from contact to
publication:

2013-01-10: Sending advisory and proof of concept exploit via encrypted
channel.

2013-01-14: Vendor confirms receipt and provides BNSEC IDs.

2013-01-14: Vendor sends listing of reported vulnerabilities and release
schedule.

2013-01-21: Conference call - discussing implemented solutions.

2013-01-23: Barracuda Networks releases alert & secdef

2013-01-24: SEC Consult releases coordinated security advisory.

~~~
jlgaddis
From the post to f-d:

> 2012-11-29: Contacting vendor.
> 2012-11-29: Sending advisory and proof of concept exploit via encrypted
> channel.

~~~
darkarmani
Oops. You are completely correct. I posted the timeline for the follow-up
advisory! And it's too late to edit.

------
mpyne
I wonder how much it is worth to crack the root password that was left
embedded in all the Barracuda devices even with the patch applied?

~~~
sarabob
To a competitor? Depends if people blame barracuda or can trace the cracking
back to you.

Are you thinking of switching a bitcoin mining operation into a cracking-
passwords-to-put-companies-out-of-business operation?

~~~
mpyne
I'm more afraid of the nebulous criminal underground or national entities than
I am of Barracuda's competitors. I'm not referring at all to Bitcoin (or
putting companies out of business...), it's surely cheaper to just use
available "cloud cracking" assets directly (which I'm also sure is already
being done).

Since it's apparently unclear, I'm not talking about taking action myself, but
I will say that due diligence for any company using Barracuda hardware means
that they should be asking the same question themselves.

------
dsl
The "patch" disables some but not all backdoor accounts on the machine. The
root account is still present with password auth.
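
An added example, not from the thread or from Barracuda, that serves jtchang's point about password logins, mpyne's question about the embedded root hash, and dsl's note above: a Python audit that reads sshd_config, passwd/shadow and authorized_keys snippets (constructed here, with placeholder hashes and keys) and reports password-capable accounts and their crypt scheme, login-capable accounts with no GECOS description, and keys not in your own inventory. The keywords follow OpenSSH; the file contents and the `KNOWN_KEYS` inventory are assumptions made for the example.

```python
"""Audit the conditions the thread complains about: password logins still
enabled in sshd, an account with a login shell, no GECOS description and a
usable password hash, and authorized_keys entries that are not in your own
key inventory. Added example; every input below is a constructed snippet in
the standard file format, not data from any Barracuda appliance."""

# Constructed sshd_config excerpt (standard OpenSSH keywords).
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#Banner none
"""

# Constructed /etc/passwd and /etc/shadow lines. The hash bodies are
# placeholders with the right prefixes, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
support:x:1001:1001:Vendor field service access:/home/support:/bin/sh
remote:x:1002:1002::/home/remote:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$placeholderhashbody:15700:0:99999:7:::
support:!:15700:0:99999:7:::
remote:$1$xyz$placeholderhash:15700:0:99999:7:::
daemon:*:15700:0:99999:7:::
"""

# Constructed authorized_keys for root; key bodies are placeholders.
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder== ops@corp
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1placeholder== unknown
"""
# Keys your organisation actually issued (assumed inventory).
KNOWN_KEYS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder=="}

# crypt(3) scheme prefixes; md5-crypt and DES are cheap to brute-force,
# which is what makes a leftover root hash worth worrying about.
HASH_PREFIX = {"$1$": "md5-crypt", "$2": "bcrypt", "$5$": "sha256-crypt",
               "$6$": "sha512-crypt", "$y$": "yescrypt"}


def hash_kind(field):
    """Classify a shadow password field as locked or by crypt scheme."""
    if field in ("", "*", "!!") or field.startswith("!"):
        return "locked"
    for prefix, name in HASH_PREFIX.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13:
        return "des-crypt"  # traditional 13-character DES hash
    return "unknown"


def sshd_options(text):
    """Parse 'Keyword value' lines; keywords are case-insensitive, comments skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts[key.lower()] = value.strip()
    return opts


def audit(sshd_config, passwd, shadow, authorized_keys, known_keys):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    opts = sshd_options(sshd_config)
    # PasswordAuthentication defaults to yes when absent; older OpenSSH also
    # defaulted PermitRootLogin to yes, so an absent keyword is treated as yes.
    if opts.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("sshd: PasswordAuthentication is enabled")
    if opts.get("permitrootlogin", "yes").lower() == "yes":
        findings.append("sshd: PermitRootLogin yes (root can log in with a password)")

    hashes = {}
    for line in shadow.splitlines():
        name, field = line.split(":")[:2]
        hashes[name] = hash_kind(field)

    for line in passwd.splitlines():
        name, _, _uid, _gid, gecos, _home, shell = line.split(":")
        if shell.endswith(("nologin", "false")):
            continue  # cannot log in interactively anyway
        if not gecos:
            findings.append(f"account {name}: login shell but empty GECOS (undocumented?)")
        kind = hashes.get(name, "unknown")
        if kind != "locked":
            findings.append(f"account {name}: password auth possible ({kind})")

    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in known_keys:
            findings.append(f"authorized_keys: key not in inventory ({parts[-1]})")
    return findings


if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, PASSWD, SHADOW, AUTHORIZED_KEYS, KNOWN_KEYS):
        print(finding)
```

Run against the real files you can reach on a host you control. An account like `remote` above, with a shell, no description and a live md5-crypt hash, is the pattern the advisory describes; whether the hash is worth cracking, as mpyne asks, depends largely on which scheme the last column reports.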

------
Aloha
I worked for Barracuda, I left, because I felt the company was slimy. On the
other hand, from a customer service point of view, this supposed back door is
great, it makes the product much easier to support, for a customer base who is
honestly, most of the time not that technically astute. If they were more
astute, they would have bought a different product.

------
dredmorbius
Monitoring and support backdoors are common and pervasive in _most_ networking
gear. This isn't something that should be considered lightly.

There's been some hullabaloo about Chinese manufacturers putting backdoor access
into their devices, Huawei Technologies and ZTE Corporation particularly:
http://www.infosecisland.com/blogview/21930-China-Has-Backdoor-Access-to-Eighty-Percent-of-Communications.html

Legally mandated backdoors exist on Cisco gear as well:
http://www.forbes.com/2010/02/03/hackers-networking-equipment-technology-security-cisco.html

------
btb
Wow, that's amazing. Honestly feel bad for any IT admin who bought any of their
products not knowing about those backdoors (assuming they aren't disclosed
anywhere). I personally would be extremely upset to read that A) they had
backdoors in the box they sold me, and that B) they intend to keep them intact
for "customer support"!

------
mcpherrinm
I've had an upswing in spam today on my systems, and it looks like a lot of
them have headers indicating they've gone through a Barracuda device. It
doesn't surprise me that spammers are all over this.

------
d0c5
Why did they write pubic key in the solutions bit? Surely a sly joke..

------
martinced
Knowing not much about network appliances and their role etc., when you're
building a company, starting from scratch, are there good rules of thumb to not
fall for the "enterprisey compromisey" piece of junk that such companies
(Huawei -- state-sponsored espionage -- ZTE, Barracuda, etc.) do sell?

Is there _anything_ you can do to be at least a little bit safe?

Are there vendors that still value security or is it just accepted now that
MITM and state-sponsored attacks are a normal way of operating?

~~~
papsosouid
The easiest way is to just not buy that crap at all. Computers are cheap, open
source software is available, put the two together.

~~~
danielweber
People do not want to maintain that stuff. Your comparative advantage as a
startup is not running your own firewall.

Nb: I am employed by a Barracuda competitor, but would probably still advise
against trying to run things on your own.

~~~
dredmorbius
Which is where leveraging Open Source comes into play. We have ROMs for home
networking gear, we have bootable distros for security purposes, we have open
source builds for Android. No reason similar projects couldn't be aimed at
enterprise type kit. You'd still require hardware manufacturers, though open
standards and whitebox builds might come into being. And there'd be distro
wars, but very likely 2-3 lead contenders that would be the default safe
choice.

