Printed from http://www.electronista.com

Exploit found in some Barracuda firewalls, VPN hardware

updated 09:44 pm EST, Thu January 24, 2013

Flaw allows remote access to MySQL database in equipment

According to Austrian security researchers SEC Consult Vulnerability Lab, an assortment of firewall, spam filtering, and VPN hardware made by Barracuda contains undocumented accounts that allow hackers to remotely log into the devices and access information. The SSH backdoor is hardcoded into the products and can be used to gain shell access to the equipment, according to the published advisory.

The researchers claim that the security flaw "is entirely undocumented and can only be disabled via a hidden 'expert options' dialog." A very weak password, which Electronista found with a Google search, is used in conjunction with a generic user name to secure the device. The combination allows login and full remote access to the device's MySQL database. The exploits are accessible from a small range of IP addresses, many of which don't belong to Barracuda, and those addresses can be spoofed with the right software attack in any event. The exploit has possibly existed since 2003.

On Wednesday, Barracuda issued its own "medium"-level security advisory, saying that "research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log in to a non-privileged account on the appliance from a small set of IP addresses." The company called the vulnerabilities the result of "default firewall configuration and default user accounts on the unit" and has issued firmware updates to patch the issue.



By Electronista Staff