Backdoor root login found in Barracuda gear - and Barracuda is OK with this

Multiple Barracuda Networks products feature an undocumented backdoor, leaving widely deployed data centre kit vulnerable to hijacking. Secret privileged user accounts were found in various Barracuda appliances, including its flagship Spam and Virus Firewall, Web Application Firewall, Web Filter, SSL VPN, and other gear. The …

COMMENTS

This topic is closed for new posts.
  1. Wallyb132
    Big Brother

    Well this is certainly....

    Well this is certainly going to be interesting. I can see the tinfoil hat and black helicopter crowd queuing up ready to start going ape shit.

    This was starting off to be a slow news year, but this should be fun to watch.... /popcorn

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Well this is certainly....

      > This was starting off to be a slow news year

      Don't know whether you have been buried under the Jehovah Stone recently, but so far in this year:

      >Backdoor root login found in Barracuda gear, Barracuda is OK with this

      >'Gozi Trojan trio' blamed for multimillion-dollar bank raid spree

      >Surprised? Old Java exploit helped spread Red October spyware

      >Latest Java patch is not enough, warns US gov: Axe plugins NOW

      >DefenseCode turns up Linksys zero-day

      >'Better than Adobe' Foxit PDF plugin hit by worse-than-Adobe 0-day

      >Kill that Java plugin now! New 0-day exploit running wild online

      >Hellish XML demon exorcised from Windows, IE bug stays

      >Security bods rip off Microsoft's 'sticking plaster' IE bug fix

      >Microsoft scrambles to thwart new Internet Explorer 0-day attack

      If the slowness continues this way, we will all be pwned, enslaved by aliens from Zarkor IV (cunningly disguised as sexually appealing females of the genus homo sapiens sapiens) or communist before the end of the year.

    2. yossarianuk

      Re: Well this is certainly....

      Can only assume you're a Windows user and used to running systems with backdoors

  2. Ragarath
    FAIL

    Security by obscurity

    Not the best way, and why do the "customers" have to find out that this route exists, even if it is nigh on impossible to get into, from people other than Barracuda?

    Bad form in my opinion and would make me trust them a lot less.

    1. karlp

      Re: Security by obscurity

      In my dealings with Barracuda they have always been forthcoming with the fact they hold their own login points. They are, after all, a managed-solution appliance provider.

      I can't remember the exact wording of their T&C's, but I believe it's in there already.

      The fact they had thought to clamp down the IP range in the first place and are now pushing an update to help secure things a bit more is good.

      I am not saying that their solution is appropriate for everyone in all fields, but there are many applications where this is perfectly acceptable.

      Karl P

      1. Anonymous Coward
        Anonymous Coward

        Re: Security by obscurity

        Erm...

        The article makes multiple use of the word "undocumented", including, interestingly: "Steve Pao, VP for Product Management at Barracuda Networks, told El Reg that the undocumented superuser accounts were established..."

        The source alert also makes multiple use of the word "undocumented", e.g. "This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog (see Workaround)."

        ...so I'm inclined to think that these backdoors are, in fact, undocumented.

      2. Anonymous Coward
        Anonymous Coward

        Backdoor in security device is acceptable?

        "The fact they had thought to clamp down the IP range in the first place"

        What if someone got control of an upstream router and redirected traffic specific to that IP range?

        "I am not saying that their solution is appropriate for everyone in all fields, but there are many applications where this is perfectly acceptable".

        But totally unacceptable in security devices, any such vulnerability will eventually be exploited.

        1. Blitterbug
          Unhappy

          Re: totally unacceptable in security devices

          Agreed - I see Barracuda potentially losing some major blue chippies from their client rosters (but possibly gaining sales from those that enjoy close ties with dodgy guvmints - not excluding ours of course!)

        2. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Barracuda Terms & Conditions ...

        "I can't remember the exact wording of their T&C's, but I believe it's in there already"

        'Customer agrees to allow Barracuda Networks to collect information ("Statistics") from their Barracuda Networks .. "Statistics" include, but are not limited to, the number of messages .. and other statistics'

  3. JimmyPage Silver badge
    FAIL

    FIELD/SERVICE ?

    1. Destroy All Monsters Silver badge

      rms/rms

  4. SirWired 1

    2 Class C's = "large range"?

    I'm a little confused: how is a single pair of Class C's a "large range" of public internet addresses? And Barracuda doesn't control them both? Really? I find that hard to believe. I know public IP's are harder to come by than they used to be, but you'd think Barracuda could manage it.

    I'm not saying this is a case of major fail (any RAS architect worth his title knows how to set up remote tech support access without such stupidly large backdoors), but I don't think it is as bad as advertised.

    1. Henry 8
      FAIL

      Re: 2 Class C's = "large range"?

      CIDR has been around for 20 years now. Why do so many people who allegedly know about IT still think that class a/b/c networks exist?

      1. SirWired 1

        Re: 2 Class C's = "large range"?

        Yes I know about CIDR. But saying "Class C" is a lot shorter than "network with a 24-bit netmask".

        1. Henry 8

          Re: 2 Class C's = "large range"?

          "A /24" is a) shorter than "class C", and b) factually correct. Both are virtues, no?

          1. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    Did you mean to use the troll icon?

    Barracuda Networks is an American owned and run company in Campbell, CA. Unlike Cisco, they don't have any development activities in China.

    1. Anonymous Coward
      Anonymous Coward

      Re: Did you mean to use the troll icon?

      Of course not. It's not "trolling". It's something called sarcasm - in this case triggered by subjection to an overwhelming inundation of hypocrisy, irony and schadenfreude.

  6. Anonymous Coward
    Anonymous Coward

    Shucks, those pesky commies...

    ...and so soon after the US gov kindly took the trouble to orchestrate a public display to the world that we shouldn't be using networking kit from these Chinese companies... for this very reason! We obviously can't trust those stinking commies. I bet all the fools who bought this cheap Chinese crap are wishing they'd stuck with good ol' trustworthy uncle sam now! It'd have been worth paying the extra for a good ol' US name like Barracuda Networks Inc. which you know you can trust. The morons got what they deserved if you ask me.

  7. Khaptain Silver badge

    Service Entrance

    See title for more appropriate term than backdoor.

    1. Anonymous Coward
      Anonymous Coward

      Re: Service Entrance

      Undocumented/undisclosed/hidden "Service Entrance" = "backdoor"

      1. Khaptain Silver badge

        Re: Service Entrance

        And just how else is the provider supposed to offer his support .....

        I don't know how BMW perform those detailed diagnostics on my car, it's not written in the manual, should I also consider this as the backdoor approach? As long as it presents no danger to me then I accept the fact that a "service port" exists even though it is undocumented.

        By signing a service contract with over-the-wire support, it is quite clear that the client accepts some kind of risk.

        My data is supposed to be safe within a data centre but at the same time the service provider has access to my servers be it documented or not, that is the price I have to pay for requiring his services.

        It is almost impossible for 99.9% of clients to verify whether or not there are backdoors hidden away within code/hardware. It is far safer to simply think that there are and that there always will be backdoors and to arrange your security around that fact. Anything connected to the web is inherently "unsafe"....

        1. Galidron
          FAIL

          Re: Service Entrance

          I don't know how BMW perform those detailed diagnostics on my car, it's not written in the manual, should I also consider this as the backdoor approach? As long as it presents no danger to me then I accept the fact that a "service port" exists even though it is undocumented.

          It is written in the maintenance manuals. I've also never relied on the BMW computer systems to protect my sensitive data. If they need to maintain the device there is no reason to hide the account they use to do it.

          1. Khaptain Silver badge

            Re: Service Entrance

            If your data is so sensitive then why is it on a public network......

        2. Anonymous Coward
          Anonymous Coward

          Re: Service Entrance on BMWs and others

          There was extensive reportage (check out The Register and nakedsecurity.sophos.com) on the stealing of BMWs and other high-end wheelers by spoofing the OBD ports.

          Lovely little wrap was "Ultimately, it's worth remembering - as BMW admits - that there's "no such thing as an unstealable car"."

          Repositioning, there seems to be no such thing as an unstealable Barracuda protected enterprise.

        3. Vic

          Re: Service Entrance

          > And just how else is the provider supposed to offer his support .....

          Key-based login.

          Vic.

    2. Anonymous Coward 15
      Paris Hilton

      Re: Service Entrance

      That's what she said.

  8. Pirate Dave Silver badge
    Pirate

    Wow

    Amazing that the iptables rules they use were generated in 2003... At least that's what it shows in the dump output if you follow the first link in the article.

    And more curious-er - a quick whois shows the two external IP ranges aren't even directly registered to Barracuda. One is out of Layer42's block, the other from XO.

    So after 9 years, Barracuda hasn't changed or dropped ISPs nor network ranges. Hopefully...

  9. This post has been deleted by its author

  10. Herby

    SSH scans?

    From my recent experience, there are people who do SSH scans looking for open SSH ports and throwing LOTS of account names up to see if anything sticks. I have a home network with a "public" SSH port and it gets scanned all the time (about 1/day). Yes, they fail (but fill up my logs) but they are out there.

    Be afraid, be very afraid!

    1. Khaptain Silver badge

      Re: SSH scans?

      I reckon you are lucky if you are sniffed only once a day. One of my colleagues opened up SSH on his home NAS and is being hit anywhere between 10 and 30 times per day... I didn't believe him till he showed me the logs... We verified some of the IPs, no one constant location and scattered all over the world.... (Could have been spoofed IPs but no way to know)

      If SSH is available, the Password Authentication should at least be set to off and authentication by certificate should be the only method publicly available. And no ROOT on SSH.
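
The two settings recommended above map directly onto sshd_config directives. The following is an added example, not code from the thread or from any vendor: it audits a constructed weak fragment beside a hardened one, applying sshd's real rule that the first value read for a keyword wins. The defaults assumed for absent keywords follow current OpenSSH and are an assumption.

```python
# Constructed sshd_config fragments (not from the thread or any vendor); they mirror the advice above.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# sshd keeps the FIRST value it reads for a keyword, so this later line changes nothing:
PasswordAuthentication yes
"""

# keyword -> (assumed default when the keyword is absent, values that pass the audit)
CHECKS = {
    "passwordauthentication": ("yes", {"no"}),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password", "without-password"}),
    "challengeresponseauthentication": ("yes", {"no"}),  # keyboard-interactive is still a password path
    "pubkeyauthentication": ("yes", {"yes"}),
}

def parse_sshd_config(text):
    """Global-section settings as {keyword: value}; first occurrence wins (sshd's own rule).
    Anything after the first Match block is conditional and is ignored here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return [(keyword, effective_value)] for every check that fails."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (default, acceptable) in CHECKS.items():
        effective = cfg.get(key, default)
        if effective not in acceptable:
            findings.append((key, effective))
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_SSHD_CONFIG))
    print("hardened:", audit(HARDENED_SSHD_CONFIG))
```

Note that the weak fragment also fails on ChallengeResponseAuthentication, which it never mentions: leaving that at its default keeps a password prompt reachable even after PasswordAuthentication is turned off.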

      1. xerocred

        Re: SSH scans?

        My rackspace server has no firewall for technical reasons and got > 5000 hits/day until I put iptables to block wrong attempts for an hour. Now it's only 30 a day. Root is blocked too. But rackspace has acres of ip ranges that are allowed through.

      2. Suricou Raven

        Re: SSH scans?

        Move SSH off of port 22. That way the people running scans won't find it. Any determined attacker focusing on you specifically is going to scan the whole range, but at least opportunistic script kiddies won't waste your bandwidth and clutter your logs.

        1. Justicesays

          Re: SSH scans?

          Moved my ssh to a different port, plus I put an ipchains wrapper around that port to block incoming ips for 5 mins on three consecutive failed ssh logins, which nicely honeypots anyone trying a brute force attack that finds the port in the first place. Haven't seen anything in the logs since I moved the port, so your average random attack doesn't bother with a port scan, just looking for low hanging fruit.

          You could also use a port knock sequence if you felt inclined, or only use shared keys for access.

          Leaving it unprotected on the standard port does expose you to spammy attacks.
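
The "three consecutive failures, block for five minutes" policy described in this post can be replayed against auth logs to see which sources it would have blocked and when. This is an added example, not the poster's wrapper: the log lines are constructed, the year is assumed to be 2013 because syslog timestamps omit it, and a successful login resets the failure counter.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log lines in the usual auth.log shape (not real logs from the thread).
SAMPLE_LOG = """\
Jan 25 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 25 10:00:02 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 25 10:00:03 host sshd[103]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Jan 25 10:00:04 host sshd[104]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Jan 25 10:02:00 host sshd[105]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Jan 25 10:02:10 host sshd[106]: Accepted publickey for alice from 198.51.100.9 port 50002 ssh2
Jan 25 10:02:20 host sshd[107]: Failed password for alice from 198.51.100.9 port 50003 ssh2
Jan 25 10:06:00 host sshd[108]: Failed password for root from 203.0.113.5 port 40005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse(line, year=2013):
    """Return (timestamp, result, user, ip) or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def ban_events(log_text, threshold=3, ban_for=timedelta(minutes=5)):
    """Replay the log in order and return (timestamp, ip, action) for every ban and unban.
    Consecutive failures are counted per source IP, a success resets the count, and a
    ban expires after ban_for, after which the counter starts again from zero."""
    fails = {}    # ip -> consecutive failure count
    banned = {}   # ip -> ban expiry time
    events = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, ip = rec
        if ip in banned:
            if ts < banned[ip]:
                continue  # still banned: the firewall would have dropped this attempt
            events.append((ts, ip, "unban"))
            del banned[ip]
            fails[ip] = 0
        if result == "Accepted":
            fails[ip] = 0
            continue
        fails[ip] = fails.get(ip, 0) + 1
        if fails[ip] >= threshold:
            banned[ip] = ts + ban_for
            events.append((ts, ip, "ban"))
            fails[ip] = 0
    return events

if __name__ == "__main__":
    for ts, ip, action in ban_events(SAMPLE_LOG):
        print(ts.time(), ip, action)
```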

          1. Vic

            Re: SSH scans?

            > block incoming ips for 5 mins on three consecutive failed ssh logins,

            Don't block - DROP.

            This leaves the attacker with dangling TCP connections. It consumes more of his resources and slows down his progress...

            Vic.

  11. Michael Xion
    Happy

    ...firewall off port 22 completely.

    I don't know much about networking, but I can't see that helping as the paragraph before that mentioned IP ranges with port 24.

    1. Henry 8

      Re: ...firewall off port 22 completely.

      Nope, sorry, no mention of port 24 anywhere. The paragraph you're referring to did mention some /24 subnets. 192.168.200.0/24 means the addresses from 192.168.200.0 to 192.168.200.255. Go and read about subnets and netmasks.
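
The /24 arithmetic in this reply, and the earlier "Class C" versus "/24" disagreement, can be worked through with Python's ipaddress module. This is an added example rather than anything from the thread; the two support ranges are constructed placeholders, not Barracuda's real ranges, and the allowlist check is the kind of source-address filter the article's iptables rules perform.

```python
import ipaddress

def cidr_summary(cidr):
    """Expand a prefix such as 192.168.200.0/24 into first/last address and address count."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "size": net.num_addresses,
        "prefix": net.prefixlen,
    }

def classful_class(ip):
    """Pre-CIDR class of an IPv4 address, decided purely by its first octet.
    A /24 carved out of 10.0.0.0/8 is still 'class A' space, which is why '/24' and
    'Class C' are not interchangeable."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"

# Constructed placeholder ranges (TEST-NET space), standing in for a vendor's support prefixes.
SUPPORT_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]

def allowed_source(ip, allowlist):
    """True if ip falls inside any allowlisted prefix, i.e. what a source-IP firewall rule tests."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in allowlist)

def total_allowed_addresses(allowlist):
    """How many distinct source addresses the allowlist admits in total."""
    return sum(ipaddress.ip_network(p, strict=False).num_addresses for p in allowlist)

if __name__ == "__main__":
    print(cidr_summary("192.168.200.0/24"))
    print("two /24s admit", total_allowed_addresses(SUPPORT_RANGES), "source addresses")
    print("10.1.2.0/24 is a /24 in class", classful_class("10.1.2.7"), "space")
    print("203.0.113.77 allowed:", allowed_source("203.0.113.77", SUPPORT_RANGES))
```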

      1. Allan George Dyer
        Boffin

        Re: ...firewall off port 22 completely.

        Henry, Michael's remark is a good example of why, although /24 is "factually correct" and "shorter than Class C", it is less informative to people who are unfamiliar with networking jargon.

        You are correct, but failing to communicate.

        1. Anonymous Coward
          Anonymous Coward

          Re: ...firewall off port 22 completely.

          "Henry, Michael's remark is a good example of why, although /24 is "factually correct" and "shorter than Class C", it is less informative to people who are unfamiliar with networking jargon."

          Seems to me that "Class C" would also come under networking jargon ...

  12. JaitcH
    WTF?

    Backdoors are OK for US products but Chinese products watch out

    Huawei and ZTE get accused of having back doors but none have been found but they get barred from contracts.

    Yet this US supplier proudly confirms back doors.

    Why does the US Congress and those Australian numb-nuts get real?

  13. Mephistro
    Black Helicopters

    One question or two...

    ...for those who say that the fact that the backdoor can only be accessed from certain IP ranges controlled by Barracuda makes the systems affected safe:

    Can't these ranges be 'spoofed'?

    Wouldn't it be trivial for intelligence agencies worldwide to use those infamous 'closed rooms' at ISPs to spoof said ranges?

    IMHO the black copters fit perfectly into this discussion.

    1. Anonymous Coward
      Anonymous Coward

      Re: One question or two...

      Without hacking an upstream router, or ARP spoofing a LAN IP, etc, it's kind of hard to spoof IPs in TCP sessions, since you don't get the return packets to answer the random number challenge. UDP on the other hand...

  14. Suricou Raven

    Why is there even a password?

    Public key auth, Barracuda. USE IT! If you must have remote access - and they sell managed solutions, so the need is understandable - you don't use passwords. You use public key. You then have exactly one online computer that holds the private key (Plus offline backup for disaster recovery) and make it act as an authenticating SSH proxy, like a MITM attacker would. That's the way to do it right.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Why is there even a password?

      I don't know what kind of asinine jerk downvotes this.

      The sad truth is that if companies do use certificates, they use self-signed certificates ... it's abysmal.

  15. Crisp

    Time to redirect Port 22 to a terminal that only plays Zork

    You are standing in a field west of a white house.

    There is a mail box here.

    >_

    1. Anonymous Coward
      Anonymous Coward

      Re: Time to redirect Port 22 to a terminal that only plays Zork

      > n

      You are facing the north side of a white house. There is no door here,

      and all the windows are barred.

      > n$£(*$&£*($&"£*($&"(£*%&$*(!!"!"£$"$"$"$000000000000000000000000000000000000000000000000

      root@pxeserver:~#

      1. Anonymous Coward
        Anonymous Coward

        Re: Compass

        If you went north, surely you would be facing the south side of whatever you encountered?

        Unless you had traversed the North Pole in the process.

        1. Anonymous Coward 15

          Re: Compass

          Try it. You can play Zork online. (Be careful of the grues.)

  16. Anonymous Coward
    Anonymous Coward

    Open Source

    I've seen one switch that a company is trying to sell to the military where you have to log in as Linux root to make configuration changes, and make changes directly to OS files at that!

    This, and others mentioned earlier, are exactly the reason why all defense and aerospace conformance criteria state "no open source code" within their first few requirements.

    'Proper', secure network devices have closed source embedded OS's, no backdoors (ever) and most run off hardware locked read-only memory (provable Information Assurance means no on-the-fly configuration changes, or network information survives a power cycle).

    Having to gain physical access to the device PCB to add a write-enable jumper, logging in using the customers' correct secure authentication, and knowing how to navigate the strictly controlled U/I is sure to put off your average script kiddie, (unlike the average switch from the big corps. who claim to know better!)

    FWIW one of my 24x1G + 2 x10G managed switches that will turn on after a night in Siberia (-46C) without heating, or work happily in a helicopter in the Saudi Desert (+85C) without cooling, and survive ballistic shock (firing from a gun) and happily goes into space, does cost nearly as much as a small car.

  17. JimmyPage Silver badge
    Boffin

    Trusting trust

    Fascinated to read this, and it goes much deeper.

    How can you know the actual CPU you are running on can be trusted? How do you know there isn't some sneaky opcode which can be used to leverage an attack?

    To all those smug commentards who boasted about having the source code to a system: did you get a schematic of the CPU, and logic arrays?

    1. This post has been deleted by its author
