Backdoor root login found in Barracuda gear - and Barracuda is OK with this

Multiple Barracuda Networks products feature an undocumented backdoor, leaving widely deployed data centre kit vulnerable to hijacking. Secret privileged user accounts were found in various Barracuda appliances, including its flagship Spam and Virus Firewall, Web Application Firewall, Web Filter, SSL VPN, and other gear. The …

COMMENTS

This topic is closed for new posts.

Well this is certainly....

Well this is certainly going to be interesting. I can see the tinfoil hat and black helicopter crowd queuing up ready to start going ape shit.

This was starting off to be a slow news year, but this should be fun to watch.... /popcorn

This post has been deleted by a moderator

Re: Well this is certainly....

Eadon, it was a joke, there is this thing called sarcasm...

have some more kool-aid...

Re: Well this is certainly....

> This was starting off to be a slow news year

Don't know whether you have been buried under the Jehovah Stone recently, but so far in this year:

>Backdoor root login found in Barracuda gear, Barracuda is OK with this

>'Gozi Trojan trio' blamed for multimillion-dollar bank raid spree

>Surprised? Old Java exploit helped spread Red October spyware

>Latest Java patch is not enough, warns US gov: Axe plugins NOW

>DefenseCode turns up Linksys zero-day

>'Better than Adobe' Foxit PDF plugin hit by worse-than-Adobe 0-day

>Kill that Java plugin now! New 0-day exploit running wild online

>Hellish XML demon exorcised from Windows, IE bug stays

>Security bods rip off Microsoft's 'sticking plaster' IE bug fix

>Microsoft scrambles to thwart new Internet Explorer 0-day attack

If the slowness continues this way, we will all be pwned, enslaved by aliens from Zarkor IV (cunningly disguised as sexually appealing females of the genus homo sapiens sapiens) or communist before the end of the year.

This post has been deleted by a moderator

Anonymous Coward

Re: it was a joke

Was it? It must have stopped being funny some time between when you wrote it and when I read it.


This post has been deleted by its author

Anonymous Coward

Re: Well this is certainly....

Wally, would you like to explain to the class what you were being sarcastic about? It sounds like you were taking the piss out of people concerned about the security of their data - "those paranoid folks who don't trust cloud vendors with their data and all." (Notice the sarcasm here?)

If it was an honest mistake on Barracuda's part, what a fukup. Though I reserve the right to further suspicion.

Re: Well this is certainly....

"@Every Windows user out there. I despise you and have spent way too much time trying to force my views down other people's throats, disregarding their choice in OS because Linux is great and it's great because I say so".

There, fixed that for you.

Re: Well this is certainly....

Can only assume you're a Windows user and used to running systems with backdoors

This post has been deleted by its author

Re: Well this is certainly....

'explaining what a backdoor is' - surely, that's easy: it's the door that's round the back; as opposed to the front door, which is normally, but not always, at the front (and occasionally on the side).

No, no need to thank me :-)

Anonymous Coward

Re: 'explaining what a backdoor is'

Shirley if you search the term on Google you will find plenty of vids showing its use!

Re: MSCE types

Oh, yes, the dreaded MCSE, aka

Microsoft

Certified

Shutdown

Engineer.

Useless in a Linux shop, yet we get at least a dozen a month looking for positions. What a waste of time!

Security by obscurity

Not the best way, and why do the "customers" have to find out that this route exists, even if it is nigh on impossible to get into, from people other than Barracuda?

Bad form in my opinion and would make me trust them a lot less.

Re: Security by obscurity

In my dealings with Barracuda they have always been forthcoming with the fact they hold their own login points. They are, after-all, a managed-solution appliance provider.

I can't remember the exact wording of their T&C's, but I believe it's in there already.

The fact they had thought to clamp down the IP range in the first place and are now pushing an update to help secure things a bit more is good.

I am not saying that their solution is appropriate for everyone in all fields, but there are many applications where this is perfectly acceptable.

Karl P

Anonymous Coward

Re: Security by obscurity

Erm...

The article makes multiple use of the word "undocumented", including, interestingly: "Steve Pao, VP for Product Management at Barracuda Networks, told El Reg that the undocumented superuser accounts were established..."

The source alert also makes multiple use of the word "undocumented", e.g. "This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog (see Workaround)."

...so I'm inclined to think that these backdoors are, in fact, undocumented.

Anonymous Coward

Backdoor in security device is acceptable?

"The fact they had thought to clamp down the IP range in the first place"

What if someone got control of an upstream router and redirected traffic specific to that IP range?

"I am not saying that their solution is appropriate for everyone in all fields, but there are many applications where this is perfectly acceptable".

But totally unacceptable in security devices, any such vulnerability will eventually be exploited.

Anonymous Coward

Barracuda Terms & Conditions ...

"I can't remember the exact wording of their T&C's, but I believe it's in there already"

'Customer agrees to allow Barracuda Networks to collect information ("Statistics") from their Barracuda Networks .. "Statistics" include, but are not limited to, the number of messages .. and other statistics' (link)

Re: totally unacceptable in security devices

Agreed - I see Barracuda potentially losing some major blue chippies from their client rosters (but possibly gaining sales from those that enjoy close ties with dodgy guvmints - not excluding ours of course!)


This post has been deleted by its author

FIELD/SERVICE ?

rms/rms

This post has been deleted by a moderator

Anonymous Coward

Re: ANY closed source software might have secret back doors

Wrong. Under NDA, with a contract, and after payment, you can (or could) get the source code for almost anything. I used to work for a company that paid for the source code for every operating system that we ran. Was it worth it? I don't know, that wasn't my responsibility or decision. I actually have the source code (from 1992) for the system that ran the shop floor...it's about 5 kilos of microfiche.

Re: ANY closed source software might have secret back doors

Aren't Barracuda appliances built on open source software?

Linux, Spamassassin, ClamAV, etc

https://www.barracudanetworks.com/company/opensource

Anonymous Coward

@AC 18:11GMT - Re: ANY closed source software might have secret back doors

And how do you know it is the same source that has been compiled into your binaries ? How can you tell the source code has not been slightly edited specially for you ? How can you tell if that source code hasn't been altered just after they gave you a copy ?

Asking for the source code of closed proprietary software is useless; those vendors were laughing behind your back counting the money.

@Eadon (was:Re: ANY closed source software might have secret back doors)

Eadon, have you ever read Ken Thompson's ACM paper "Reflections on Trusting Trust" from 1984? It's a good read, and the concepts haven't changed in the intervening quarter century. See:

http://cm.bell-labs.com/who/ken/trust.html

Basically, who built your initial, basic binary tool chain? It wasn't you, that's for certain ... and it's trivially easy for me to insert code into the assembler and/or linker to include back doors in any given executable. This works even when that code isn't actually in the source fed into the compiler. It even works if you re-compile the assembler & linker from "inspected, clean" source.

In other words, if you haven't inspected the basic tool chain at a ones & zeros level, and then read and understood every single line of the source in your system before compiling it, you're being just as faithful as anyone running Redmond or Cupertino.

So get off your fucking high-horse, youngster. You know not of what you speak.

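The attack jake is pointing at can be shown end to end in a few dozen lines. This is an added example, not code from jake, from Thompson's paper, or from Barracuda: the "compiler" is a toy that turns Python source text into a callable (the "binary"), the two source strings stand in for login.c and cc.c, and the master password is a hypothetical value chosen for the demo.

```python
"""Toy model of the compiler attack from 'Reflections on Trusting Trust'.

The 'compiler' turns Python source text into a callable; that callable is the
'binary'. Both pieces of source below are clean and stay clean throughout.
"""

# Constructed sample source, standing in for login.c and cc.c in the paper.
LOGIN_SRC = (
    "def login(user, password):\n"
    "    return user == 'admin' and password == 'correct horse'\n"
)
COMPILER_SRC = (
    "def compile_source(src):\n"
    "    ns = {}\n"
    "    exec(src, ns)\n"
    "    return next(v for k, v in ns.items() if not k.startswith('__'))\n"
)

# Hypothetical master password, chosen for this example only.
MASTER_PASSWORD = "zarkor-iv"


def clean_compile(src):
    """An honest compiler binary: exactly what COMPILER_SRC describes."""
    ns = {}
    exec(src, ns)
    return next(v for k, v in ns.items() if not k.startswith("__"))


def trojan_compile(src):
    """A compromised compiler binary built from the SAME clean COMPILER_SRC.

    Thompson's two additions live only here, in the binary, never in any
    source a reviewer will read.
    """
    # Addition 1: when it recognises the login program, splice in a master password.
    if src.startswith("def login("):
        src = src.replace(
            "def login(user, password):\n",
            "def login(user, password):\n"
            f"    if password == {MASTER_PASSWORD!r}:\n"
            "        return True\n",
            1,
        )
    # Addition 2: when it recognises the compiler's own source, hand back a copy
    # of itself instead of the honest binary that source describes, so the
    # trojan survives "recompile the compiler from audited source".
    if src.startswith("def compile_source("):
        return trojan_compile
    return clean_compile(src)


def rebuild_from_clean_source(compiler_binary):
    """What 'compile the source yourself' actually does: feed the audited
    COMPILER_SRC to whatever compiler binary you already have, then use the
    result to build login. Returns the login callable you end up running."""
    new_compiler = compiler_binary(COMPILER_SRC)
    return new_compiler(LOGIN_SRC)


if __name__ == "__main__":
    honest = rebuild_from_clean_source(clean_compile)
    pwned = rebuild_from_clean_source(trojan_compile)
    print("master password accepted, honest toolchain:", honest("admin", MASTER_PASSWORD))
    print("master password accepted, trojaned toolchain:", pwned("admin", MASTER_PASSWORD))
    print("master password visible in any source:", MASTER_PASSWORD in LOGIN_SRC + COMPILER_SRC)
```

Feeding the audited COMPILER_SRC to trojan_compile just returns trojan_compile again, so rereading and recompiling the source any number of times never shakes it off. The only way out is a compiler binary built independently of the suspect one, or inspecting the binary itself, which is exactly the "ones & zeros level" jake is talking about.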
Anonymous Coward

Re: @AC 18:11GMT - ANY closed source software might have secret back doors

Noooo...... I'm sure AC 18:11GMT was careful to spec exactly the same build environment running identical versions of every tool and then painstakingly compile the entire suite against identical versions of every dependency using identical compiler arguments before confirming the binary diffs or hashes of every file he produced against those originally provided. Having first read and understood every line of the source, of course.

/sarc

The point of (F)OSS, AC18:11, is it's DEVELOPED in the open - so myriad interested parties pick over the areas which most interest each of them throughout the software's evolution, as they all work to improve THEIR software. Rather than dumping gigabytes of poorly designed and craply commented code on some hapless employee and saying "check that", he'd be working among a large group with compatible goals, public documentation and public mailing lists on which to openly discuss the code with its developers and other interested parties - like independent "security researchers".

Anonymous Coward

Re: @AC 18:54GMT

1) because we licensed the compilers and used comparison programs running on our internally developed operating system (I think it was system 5 release 3.2 at that time)

2) why would we need to know that?

3) I'm sure it was altered, several updated versions were released after we PURCHASED a copy.

I'm sure it wasn't useless as I don't think we paid for it to validate it, but rather to use it as an example and add/change functionality.

Anonymous Coward

Re: @AC 20:36GMT

And you think only closed source software shops are evil? Or do you think only OSS developers are nice/good/upstanding/righteous?

I've had developers take me through their proprietary code to explain exactly why a long login banner caused certain logins to fail messily (not just make it unable for them to log in).

The problem with people like you is that your attitude makes me think more highly of the scum at Microsoft whom I've been cursing since 1988 - the ones that write and maintain the Bill Gates virus (Windows.)

Re: ANY closed source software might have secret back doors

" But even if you do not personally inspect it, you have more reassurance anyway - for, way with Linux, you can be sure that back doors are less likely to be inserted - they do not get past Torvalds easily"

I'm pretty sure I read a news report a few years ago on this very site that the NSA inserted a backdoor in a Linux irq client included on some distributions that went unnoticed for a number of years even though it was open source. Old Linus missed that one eh?

That's the trouble, who the fuck wants to trawl through source code and compile the bugger themselves when they can just use the binaries that come with the distro?

Linux is more secure than say Windows (which also had/has? MS sanctioned NSA backdoors, to keep the rest of the malware company) but its not bulletproof by any means.

Re: ANY closed source software might have secret back doors

Sure you can get the source code. But unless you build it yourself, you can't know that what you are running matches the source code you were given under the contracted NDA.

That always amuses me about the Microsoft claims of "but we gave the organization the source code, so it's the same as Open Source/Free Software, honest !"

Unless the organization has the build system as well, and does their own builds, then no it really isn't the same.

The wonderful thing about the Linux-based Open Source/Free Software releases is that you get the build systems as well and they're really widely understood - so if you're really paranoid yes you *can* build everything yourself. From scratch - just like CentOS does.

Of course then you have to trust the compiler, but now we're going into an interesting recursive problem :-).

http://cm.bell-labs.com/who/ken/trust.html

Jeremy.

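The check described two posts up ("confirming the binary diffs or hashes of every file he produced against those originally provided") and in Jeremy's "build everything yourself" post, as an added example that is not code from either poster, from CentOS, or from Barracuda: hash every file in the vendor-supplied image and in your own rebuild from the same source, and report what matches, what differs, and what exists on only one side. The directory layout and file contents are constructed sample data standing in for a real appliance image.

```python
"""Compare a vendor-supplied appliance image with your own rebuild, file by file."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so a large firmware blob need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map every regular file under root (relative, POSIX-style path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(vendor: Path, rebuilt: Path) -> dict:
    """Classify every path that appears in either tree.

    A file that exists only in the vendor image is the interesting case for
    this thread: the audited source never produced it, so nobody reviewing
    that source would ever have seen it.
    """
    a, b = tree_digests(vendor), tree_digests(rebuilt)
    verdict = {}
    for rel in sorted(set(a) | set(b)):
        if rel not in b:
            verdict[rel] = "only in vendor build"
        elif rel not in a:
            verdict[rel] = "only in rebuild"
        elif a[rel] == b[rel]:
            verdict[rel] = "identical"
        else:
            verdict[rel] = "DIFFERS"
    return verdict


def demo() -> dict:
    """Constructed sample trees (not a real Barracuda image) covering all four outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor, rebuilt = Path(tmp, "vendor"), Path(tmp, "rebuilt")
        for d in (vendor / "bin", rebuilt / "bin"):
            d.mkdir(parents=True)
        # Same bytes on both sides: the rebuild reproduced the vendor binary.
        (vendor / "bin" / "spamd").write_bytes(b"\x7fELF honest spamd")
        (rebuilt / "bin" / "spamd").write_bytes(b"\x7fELF honest spamd")
        # Same name, different bytes: the vendor binary carries something the source did not.
        (vendor / "bin" / "login").write_bytes(b"\x7fELF login + extra account")
        (rebuilt / "bin" / "login").write_bytes(b"\x7fELF login")
        # Present only in the vendor image: a file the audited source never built.
        (vendor / "bin" / "support-shell").write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        # Present only in the rebuild: harmless build metadata.
        (rebuilt / "BUILDINFO").write_text("built from audited source\n")
        return compare_trees(vendor, rebuilt)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:22} {path}")
```

On a real rebuild, expect legitimate noise (embedded timestamps, build paths, compiler version strings) before treating a DIFFERS as evidence of anything; pin the toolchain and build flags as the post above describes, or strip those fields, and then every remaining difference and every vendor-only file is something the source you audited does not account for.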
Re: @Eadon (was:ANY closed source software might have secret back doors) (@ jake)

"Basically, who built your initial, basic binary tool chain? It wasn't you, that's for certain ... and it's trivially easy for me to insert code into the assembler and/or linker to include back doors in any given executable"

Partial solutions to this:

- Compile the source yourself, if possible with an open source compiler.

- Do the same with the other elements in your toolchain.

While I agree that the 'Trusting trust' document should be read -and understood- by every IT professional, and it makes quite clear that you can't completely trust ANY system, your comment seems to be arguing that, as we can't make any system 100 % safe, we shouldn't bother trying. Imagine if we used this same argument in other areas. "As we can't totally eradicate crime, we shouldn't bother to have law enforcement" or, "As we can't totally eradicate disease, we shouldn't bother to have doctors and hospitals"...

I understand that the solutions I listed are difficult, time consuming and hence expensive, but there usually is a point of balance between the security measures and the level of protection. As an example, I'd say that just using the first solution (open source + recompile) would either lower the risk a 95 %* or leave a backdoor for some ITs pook that died of old age in 1997.

:-)

*: Yep, you guessed it, I took that figure from my backside. But you get the general idea

Re: @Eadon (was:ANY closed source software might have secret back doors) (@ jake)

"Compile the source yourself, if possible with an open source compiler."

You don't actually understand the issue, do you? Did you read & understand ken's article?

"your comment seems to be arguing that, as we can't make any system 100 % safe, we shouldn't bother trying."

No. My comment is arguing that if you don't actually understand what you are talking about, it's probably better to keep your mouth shut and be assumed ignorant, than open it and prove your ignorance to all and sundry.

""As we can't totally eradicate crime, we shouldn't bother to have law enforcement" or, "As we can't totally eradicate disease, we shouldn't bother to have doctors and hospitals"..."

Reductio ad absurdum rarely works in this forum.

"a backdoor for some ITs pook that died of old age in 1997."

ken's not dead. He works for the gootards.

Re: @Eadon (was:ANY closed source software might have secret back doors) (@ jake)++

Jake wrote:

"You don't actually understand the issue, do you? Did you read & understand ken's article?"

It's not rocket science. The 'Trusting trust article" says that you can't trust any system that you haven't created yourself from the ground up, and I wholeheartedly agree with that. I think my comment makes this clear enough.

"My comment is arguing that if you don't actually understand what you are talking about, it's probably better to keep your mouth shut and be assumed ignorant, than open it and prove your ignorance to all and sundry."

Would you be so kind as to point out exactly what parts of my comment make you think I "don't actually understand" what I'm talking about?. If you don't, I'll consider your answer just as a nursery-level ad hominem.

"Reductio ad absurdum rarely works in this forum."

Or so you say. It would help if you were able to explain why exactly this particular 'reductio' is wrong. Otherwise, other readers might come to the conclusion that you're FOS.

"ken's not dead. He works for the gootards."

If you think that when I wrote "some ITs pook that died of old age in 1997." (sorry for the misplaced whitespace :-) I was making a reference to Ken Thompson, then you're seriously lacking reading comprehension.

To clarify my point:

- Security can be greatly improved by taking partial measures, without the costs jumping to infinity. That's why I used the reductio ad absurdum argument. IT professionals usually try to get to a compromise between costs and results. Just like everybody else. Using FOSS can give you a big advantage security-wise for a relatively low cost, but there is no such thing as '100% safe', at least in IT.

- I can't totally subscribe to what Eadon said, but he is at least partially right, and IMHO some of the arguments you made against his comment are quite wrong, and I was just pointing that out.

PD: Seriously, jake, why all the hate?

Re: ANY closed source software might have secret back doors

Yes and so are many components of Apple and even Windows (the Windows TCP/IP stack I believe was originally 'lifted' from the open source world) - like them, it doesn't mean that Barracuda devices are open source though.

If the components were GPLv3 they would have to be though I believe.

Re: Old Linus missed that one eh?

IRQ =/= Linux Kernel. Linus reviews the kernel, not all the software in any distributions which might be made.

Yes, if you compare the Windows kernel to the Linux kernel and ignore the add-ons, the two are roughly equal in terms of security vulnerabilities. The difference is, Windows sells what ought to be the add-ons as an inherent part of the kernel, and further used that position as part of their legal defense for incorporating IE (which is clearly an app) into the OS way back in the dark ages of computing.

Re: ANY closed source software might have secret back doors

A backdoor might masquerade as a bug - and don't tell me there are not plenty of those in linux.

This post has been deleted by a moderator

2 Class C's = "large range"?

I'm a little confused: how is a single pair of Class C's a "large range" of public internet addresses? And Barracuda doesn't control them both? Really? I find that hard to believe. I know public IP's are harder to come by than they used to be, but you'd think Barracuda could manage it.

I'm not saying this is a case of major fail (any RAS architect worth his title knows how to set up remote tech support access without such stupidly large backdoors), but I don't think it is as bad as advertised.

Re: 2 Class C's = "large range"?

CIDR has been around for 20 years now. Why do so many people who allegedly know about IT still think that class a/b/c networks exist?

Re: 2 Class C's = "large range"?

Yes I know about CIDR. But saying "Class C" is a lot shorter than "network with a 24-bit netmask".

Re: 2 Class C's = "large range"?

"A /24" is a) shorter than "class C", and b) factually correct. Both are virtues, no?

This post has been deleted by its author

Anonymous Coward

Did you mean to use the troll icon?

Barracuda Networks is an American owned and run company in Campbell, CA. Unlike Cisco, they don't have any development activities in China.

Anonymous Coward

Re: Did you mean to use the troll icon?

Of course not. It's not "trolling". It's something called sarcasm - in this case triggered by subjection to an overwhelming inundation of hypocrisy, irony and schadenfreude.

Anonymous Coward

Shucks, those pesky commies...

...and so soon after the US gov kindly took the trouble to orchestrate a public display to the world that we shouldn't be using networking kit from these Chinese companies... for this very reason! We obviously can't trust those stinking commies. I bet all the fools who bought this cheap Chinese crap are wishing they'd stuck with good ol' trustworthy uncle sam now! It'd have been worth paying the extra for a good ol' US name like Barracuda Networks Inc. which you know you can trust. The morons got what they deserved if you ask me.

Service Entrance

See title for more appropriate term than backdoor.

Anonymous Coward

Re: Service Entrance

Undocumented/undisclosed/hidden "Service Entrance" = "backdoor"
