updated 09:44 pm EST, Thu January 24, 2013
Flaw allows remote access to MySQL database in equipment
According to Austrian security researchers SEC Consult Vulnerability Lab, an assortment of firewall, spam filtering, and VPN hardware made by Barracuda contain undocumented accounts that allow hackers to remotely log into the devices and access information. The SSH backdoor is hardcoded into the products, and can be used to gain shell access to the equipment, according to the published advisory.
The researchers claim that the security flaw "is entirely undocumented and can only be disabled via a hidden 'expert options' dialog." A very weak password which Electronista found with a Google search is used to secure the device in conjunction with a generic user name. The combination allows login and full remote access to the device's MySQL database. The exploits are accessible by a small range of IP addresses -- many of which don't belong to Barracuda but can be spoofed with the right software attack in any event. The exploit has possibly existed since 2003.
On Wednesday, Barracuda issued its own "medium"-level security advisory, saying that "research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log in to a non-privileged account on the appliance from a small set of IP addresses" They called the vulnerabilities the result of "default firewall configuration and default user accounts on the unit" and have issued firmware updates to patch the issue.