Secret security holes found in Barracuda Network devices
Fri, Jan 25 2013 at 10:00 AM
Photo: Oleksiy Mark
Networking and security devices sold by Barracuda Networks have several built-in backdoors, or secret administrative accounts, which may have been there since the company was founded 10 years ago.
That's the upshot of a new advisory from Vienna-based information-security company SEC Consult, which contacted Barracuda in November about its discovery and released the news today (Jan. 24), one day after Barracuda pushed out a partial patch.
Attackers aware of the backdoors could have hijacked security software and hardware at any of Barracuda's 150,000 corporate clients worldwide, leading to unimaginable amounts of data theft. It's not known whether the backdoors were ever exploited.
The backdoors allow remote administrator access to at least seven different types of Barracuda devices, presumably for purposes of tech support.
'Product'? Come right on in
But the security may have been improper. While the backdoors permitted logins only from certain ranges of Internet Protocol addresses occupied by Barracuda, dozens of other organizations also occupy IP addresses in those ranges.
"The public ranges include servers run by Barracuda Networks, Inc., but also servers from other, unaffiliated entities — all of whom can access SSH [secure shell protocol] on all affected Barracuda Networks appliances exposed to the Internet," said the SEC Consult advisory, written by researcher Stefan Viehböck.
Even worse, one backdoor account with the username "product" allowed entry without a password.
"It was confirmed that this user can access the MySQL database (root@localhost with no password) eg. to add new users with administrative privileges to the appliance configuration," wrote Viehböck.
Viehböck added that internal timestamps and software versions "suggest that these rules might have been in place on Barracuda Networks appliances since 2003," when the company was founded.
Not giving away all the marbles
Barracuda's security definition 2.0.5, pushed out yesterday (Jan. 23), only partly fixes the problem, Viehböck wrote. It eliminated seven of the backdoor accounts, but left three.
"According to Barracuda Networks, these accounts are essential for customer support and will not be removed," Viehböck wrote.
"In secure environments, it is highly undesirable to use appliances with backdoors built into them," he added, "even if only the manufacturer can access them."
Barracuda's patch also fixed a related security hole found by SEC Consult that affected one product line's implementation of Java software.
Barracuda Networks, located in Campbell, Calif., makes load balancers, firewalls, filters and other devices related to corporate networking and security.
Its devices and yearly support subscriptions range in price from several hundred dollars to more than $100,000 each.
Barracuda Networks representatives did not immediately return requests for comment.
This story was originally written for TechNewsDaily and was republished with permission here. Copyright 2013 TechNewsDaily, a TechMediaNetwork company.