Backdoor root login found in Barracuda gear - and Barracuda is OK with this

Multiple Barracuda Networks products feature an undocumented backdoor, leaving widely deployed data centre kit vulnerable to hijacking. Secret privileged user accounts were found in various Barracuda appliances, including its flagship Spam and Virus Firewall, Web Application Firewall, Web Filter, SSL VPN, and other gear. The …

COMMENTS

This topic is closed for new posts.


Silver badge

Re: Service Entrance

And just how else is the provider supposed to offer his support .....

I don't know how BMW perform those detailed diagnostics on my car; it's not written in the manual, so should I also consider this the backdoor approach? As long as it presents no danger to me, then I accept the fact that a "service port" exists even though it is undocumented.

By signing a service contract with over-the-wire support, it is quite clear that the client accepts some kind of risk.

My data is supposed to be safe within a data centre, but at the same time the service provider has access to my servers, be it documented or not; that is the price I have to pay for requiring his services.

It is almost impossible for 99.9% of clients to verify whether or not there are backdoors hidden away within code/hardware. It is far safer to simply think that there are and that there always will be backdoors and to arrange your security around that fact. Anything connected to the web is inherently "unsafe"....

FAIL

Re: Service Entrance

I don't know how BMW perform those detailed diagnostics on my car, it's not written in the manual, should I also consider this as the backdoor approach. As long as it presents no danger to me then I accept the fact that a "service port" exists even though it is undocumented.

It is written in the maintenance manuals. I've also never relied on the BMW computer systems to protect my sensitive data. If they need to maintain the device there is no reason to hide the account they use to do it.

Paris Hilton

Re: Service Entrance

That's what she said.

Silver badge

Re: Service Entrance

If your data is so sensitive then why is it on a public network......

Anonymous Coward

Re: Service Entrance on BMWs and others

There was extensive reportage (check out The Register and nakedsecurity.sophos.com) on the stealing of BMWs and other high-end wheelers by spoofing the OBD ports.

Lovely little wrap was "Ultimately, it's worth remembering - as BMW admits - that there's "no such thing as an unstealable car"."

Repositioning, there seems to be no such thing as an unstealable Barracuda-protected enterprise.

Vic
Silver badge

Re: Service Entrance

> And just how else is the provider supposed to offer his support .....

Key-based login.

Vic.

Pirate

Wow

Amazing that the iptables rules they use were generated in 2003... At least that's what it shows in the dump output if you follow the first link in the article.

And more curious-er - a quick whois shows the two external IP ranges aren't even directly registered to Barracuda. One is out of Layer42's block, the other from XO.

So after 9 years, Barracuda hasn't changed or dropped ISPs nor network ranges. Hopefully...


This post has been deleted by its author

Bronze badge

SSH scans?

From my recent experience, there are people who do SSH scans looking for open SSH ports and throwing LOTS of account names up to see if anything sticks. I have a home network with a "public" SSH port and it gets scanned all the time (about 1/day). Yes, they fail (but fill up my logs) but they are out there.

Be afraid, be very afraid!

Silver badge

Re: SSH scans?

I reckon you are lucky if you are sniffed only once a day. One of my colleagues opened up SSH on his home NAS and is being hit anywhere between 10 and 30 times per day... I didn't believe him till he showed me the logs... We verified some of the IPs: no one constant location, and scattered all over the world... (Could have been spoofed IPs but no way to know.)

If SSH is available, Password Authentication should at least be set to off, and authentication by certificate should be the only method publicly available, and no root on SSH.

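The post above recommends three sshd settings: no password authentication, key-based login only, and no root over SSH. The script below is an added example (not from the thread or from Barracuda) that audits the global section of an sshd_config for exactly those directives. It embeds two constructed configs: one that still accepts passwords and root, and one hardened as the post describes. The parser honours two real sshd_config rules, namely that the first occurrence of a keyword wins and that everything after a `Match` line is conditional, so only the global section is judged.

```python
"""Audit an sshd_config for the settings recommended in the thread:
no password authentication, no root login, public-key auth only."""
import re
from typing import Dict, List

# Directive -> recommended value (keywords are case-insensitive in sshd_config).
RECOMMENDED: Dict[str, str] = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    # If left on with UsePAM, keyboard-interactive still accepts a password.
    "challengeresponseauthentication": "no",
}

# Constructed sample configs (not copied from any real host).
WEAK_CONFIG = """\
# constructed example: the permissive defaults many distributions ship
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""


def parse_global_section(text: str) -> Dict[str, str]:
    """Return the effective global directives of an sshd_config.

    For a repeated keyword sshd uses the FIRST occurrence, and every line
    after 'Match' only applies conditionally, so parsing stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text: str) -> List[str]:
    """One finding per directive that deviates from RECOMMENDED.

    An absent directive is reported too: then the compiled-in OpenSSH
    default applies, and PasswordAuthentication defaults to yes.
    """
    effective = parse_global_section(text)
    findings: List[str] = []
    for key, want in RECOMMENDED.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set, OpenSSH default applies; set '{want}' explicitly")
        elif got != want:
            findings.append(f"{key}: is '{got}', recommended '{want}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; `sshd -T` prints the fully resolved configuration if you want to check what the daemon actually applies, including Match blocks this script skips.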

Re: SSH scans?

My rackspace server has no firewall for technical reasons and got > 5000 hits/day until I put iptables to block wrong attempts for an hour. Now it's only 30 a day. Root is blocked too. But rackspace has acres of IP ranges that are allowed through.

Silver badge

Re: SSH scans?

Move SSH off of port 22. That way the people running scans won't find it. Any determined attacker focusing on you specifically is going to scan the whole range, but at least opportunistic script kiddies won't waste your bandwidth and clutter your logs.


Re: SSH scans?

Moved my ssh to a different port, plus I put an ipchains wrapper around that port to block incoming ips for 5 mins on three consecutive failed ssh logins, which nicely honeypots anyone trying a brute force attack that finds the port in the first place. Haven't seen anything in the logs since I moved the port, so your average random attack doesn't bother with a port scan, just looking for low hanging fruit.

You could also use a port knock sequence if you felt inclined, or only use shared keys for access.

Leaving it unprotected on the standard port does expose you to spammy attacks.

Vic
Silver badge

Re: SSH scans?

> block incoming ips for 5 mins on three consecutive failed ssh logins,

Don't block - DROP.

This leaves the attacker with dangling TCP connections. It consumes more of his resources and slows down his progress...

Vic.

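Two posts above describe the same defence: count consecutive failed SSH logins per source address inside a short window, then block that address, and Vic adds that the block should DROP rather than reject so the client sits waiting on a timeout. The following is an added example, not code from the thread, that implements that detection over a few constructed `auth.log` lines and renders the resulting firewall rules. The log lines, the addresses (RFC 5737 documentation ranges), the year (syslog timestamps carry none) and the threshold are all assumptions made for the example.

```python
"""Sliding-window detection of SSH brute force in auth.log, plus the
iptables rules that would DROP the offending sources."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed auth.log excerpt (not real traffic). One host hammers three
# attempts in ten seconds; another fails once every twenty minutes.
SAMPLE_LOG = """\
Jan 24 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 24 10:00:04 host sshd[1202]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 24 10:00:09 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan 24 10:01:00 host sshd[1204]: Accepted publickey for vic from 198.51.100.7 port 40000 ssh2
Jan 24 10:02:00 host sshd[1205]: Failed password for root from 198.51.100.9 port 40001 ssh2
Jan 24 10:20:00 host sshd[1206]: Failed password for root from 198.51.100.9 port 40002 ssh2
Jan 24 10:40:00 host sshd[1207]: Failed password for root from 198.51.100.9 port 40003 ssh2
"""

YEAR = 2013  # assumed: traditional syslog timestamps have no year field

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .+? from (\d+(?:\.\d+){3}) port \d+"
)


def parse_ts(stamp: str, year: int = YEAR) -> datetime:
    """'Jan 24 10:00:01' -> datetime, supplying the missing year."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_offenders(log: str, threshold: int = 3,
                   window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Map each source IP that reached `threshold` failures inside `window`
    to the time the threshold was first crossed. Successful logins and
    lines that do not match are ignored; old failures slide out of the window."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    offenders: Dict[str, datetime] = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group(1)), m.group(2)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = ts
    return offenders


def iptables_rules(offenders: Dict[str, datetime], action: str = "DROP") -> List[str]:
    """One INPUT rule per offender. DROP, as Vic suggests, silently discards
    the packets so the scanner's connections hang until they time out;
    REJECT would answer with a reset and free the scanner immediately."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j {action}"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    print("\n".join(iptables_rules(hits)))
```

Feeding it a real log means tailing the file and running the rules with root privileges; this example deliberately stops at printing them so the decision to block stays with the operator.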
Happy

...firewall off port 22 completely.

I don't know much about networking, but I can't see that helping as the paragraph before that mentioned IP ranges with port 24.


Re: ...firewall off port 22 completely.

Nope, sorry, no mention of port 24 anywhere. The paragraph you're referring to did mention some /24 subnets. 192.168.200.0/24 means the addresses from 192.168.200.0 to 192.168.200.255. Go and read about subnets and netmasks.

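The reply above spells out what `/24` means. As an added example, not part of the thread, the code below does the same arithmetic for any IPv4 prefix length: it builds the netmask from the prefix, derives the first and last addresses, and then answers the practical question behind the article's allow-list argument, namely whether a given source address falls inside any permitted range. The allow-list ranges are constructed documentation prefixes, not Barracuda's; only `192.168.200.0/24` comes from the post.

```python
"""Expand CIDR notation by hand and check a source address against an allow-list."""
import ipaddress
from typing import List, Tuple


def cidr_range(cidr: str) -> Tuple[str, str, str, int]:
    """Return (first address, last address, dotted netmask, address count)
    for an IPv4 prefix, using integer arithmetic on the prefix length."""
    addr, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address in {cidr}")
    ip_int = int.from_bytes(bytes(octets), "big")
    # /24 -> 24 one-bits followed by 8 zero-bits -> 255.255.255.0
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    first = ip_int & mask                  # host bits cleared
    last = first | (~mask & 0xFFFFFFFF)    # host bits set

    def dotted(n: int) -> str:
        return ".".join(str(b) for b in n.to_bytes(4, "big"))

    return dotted(first), dotted(last), dotted(mask), 2 ** (32 - prefix)


def allowed_by(ip: str, ranges: List[str]) -> List[str]:
    """Which allow-list ranges contain this source address; an empty list
    means the address would be denied. The standard library cross-checks
    the arithmetic in cidr_range()."""
    src = ipaddress.ip_address(ip)
    return [r for r in ranges if src in ipaddress.ip_network(r, strict=False)]


# Constructed allow-list for the example (RFC 5737 documentation prefixes).
ALLOWED_RANGES = ["192.168.200.0/24", "203.0.113.0/26"]

if __name__ == "__main__":
    for r in ALLOWED_RANGES:
        first, last, mask, count = cidr_range(r)
        print(f"{r}: {first} - {last}, netmask {mask}, {count} addresses")
    for ip in ("192.168.200.17", "203.0.113.200"):
        print(ip, "allowed by", allowed_by(ip, ALLOWED_RANGES) or "nothing")
```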
Bronze badge
Boffin

Re: ...firewall off port 22 completely.

Henry, Michael's remark is a good example of why, although /24 is "factually correct" and "shorter than Class C", it is less informative to people who are unfamiliar with networking jargon.

You are correct, but failing to communicate.

Anonymous Coward

Re: ...firewall off port 22 completely.

"Henry, Michael's remark is a good example of why, although /24 is "factually correct" and "shorter than Class C", it is less informative to people who are unfamiliar with networking jargon."

Seems to me that "Class C" would also come under networking jargon ...

Silver badge
WTF?

Backdoors are OK for US products but Chinese products watch out

Huawei and ZTE get accused of having back doors but none have been found but they get barred from contracts.

Yet this US supplier proudly confirms back doors.

Why don't the US Congress and those Australian numb-nuts get real?

Silver badge
Black Helicopters

One question or two...

...for those who say that the fact that the backdoor can only be accessed from certain IP ranges controlled by Barracuda makes the systems affected safe:

Can't these ranges be 'spoofed'?

Wouldn't it be trivial for intelligence agencies worldwide to use those infamous 'closed rooms' at ISPs to spoof said ranges?

IMHO the black copters fit perfectly into this discussion.

Anonymous Coward

Re: One question or two...

Without hacking an upstream router, or ARP spoofing a LAN IP, etc, it's kind of hard to spoof IPs in TCP sessions, since you don't get the return packets to answer the random number challenge. UDP on the other hand...

Silver badge

Why is there even a password?

Public key auth, Barracuda. USE IT! If you must have remote access - and they sell managed solutions, so the need is understandable - you don't use passwords. You use public key. You then have exactly one online computer that holds the private key (Plus offline backup for disaster recovery) and make it act as an authenticating SSH proxy, like a MITM attacker would. That's the way to do it right.

Silver badge
Holmes

Re: Why is there even a password?

I don't know what kind of asinine jerk downvotes this.

The sad truth is that if companies do use certificates, they use self-signed certificates ... it's abysmal.

Silver badge

Time to redirect Port 22 to a terminal that only plays Zork

You are standing in a field west of a white house.

There is a mail box here.

>_

Anonymous Coward

Re: Time to redirect Port 22 to a terminal that only plays Zork

> n

You are facing the north side of a white house. There is no door here,

and all the windows are barred.

> n$£(*$&£*($&"£*($&"(£*%&$*(!!"!"£$"$"$"$000000000000000000000000000000000000000000000000

root@pxeserver:~#

Anonymous Coward

Re: Compass

If you went north, surely you would be facing the south side of whatever you encountered?

Unless you had traversed the North Pole in the process.


Re: Compass

Try it. You can play Zork online. (Be careful of the grues.)

Anonymous Coward

Open Source

I've seen one switch that a company is trying to sell to the military where you have to log in as Linux root to make configuration changes, and make changes directly to OS files at that!

This, and others mentioned earlier, are exactly the reason why all defense and aerospace conformance criteria state "no open source code" within their first few requirements.

'Proper', secure network devices have closed-source embedded OSes, no backdoors (ever), and most run off hardware-locked read-only memory (provable Information Assurance means no on-the-fly configuration changes, and no network information survives a power cycle).

Having to gain physical access to the device PCB to add a write-enable jumper, logging in using the customers' correct secure authentication, and knowing how to navigate the strictly controlled U/I is sure to put off your average script kiddie, (unlike the average switch from the big corps. who claim to know better!)

FWIW one of my 24x1G + 2 x10G managed switches that will turn on after a night in Siberia (-46C) without heating, or work happily in a helicopter in the Saudi Desert (+85C) without cooling, and survive ballistic shock (firing from a gun) and happily goes into space, does cost nearly as much as a small car.

Silver badge
Boffin

Trusting trust

Fascinated to read this, and it goes much deeper.

How can you know the actual CPU you are running on can be trusted? How do you know there isn't some sneaky opcode which can be used to leverage an attack?

To all those smug commentards who boasted about having the source code to a system: did you get a schematic of the CPU and logic arrays?


This post has been deleted by its author
