SEC Consult Vulnerability Lab Security Advisory: “Critical SSH Backdoor in multiple Barracuda Networks Products”

The full security advisory is here:

Some industry reaction:

Information Week:

According to SEC Consult, however, the security definitions update still leaves three accounts on all devices — cluster, remote, root — which Barracuda told it are "essential for customer support and will not be removed." But SEC Consult warned that the password for the "root" account can be cracked, if it isn't sufficiently strong, and noted that although only Barracuda possesses the private key for the passwords for the "cluster" and "remote" accounts, this is a security problem. "This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks," said SEC Consult. "In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them." 
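The quoted risk comes down to accounts on the appliance that can log in over SSH but were never provisioned by the operator. The audit below is an added example, not code from SEC Consult, Barracuda or the article: it reads passwd-format lines plus each account's authorized_keys entries and flags any login-capable account missing from the operator's allowlist, any uid-0 alias of root, and any SSH key the operator does not recognise. The account names `cluster`, `remote` and `root` come from the advisory quote; the passwd lines, key strings and domain names are constructed for illustration.

```python
"""Flag login-capable accounts an operator did not knowingly provision.

Added example (not from the advisory or the vendor). The passwd excerpt,
authorized_keys entries and allowlists below are constructed sample data.
"""
from dataclasses import dataclass

# Shells that give an interactive session; nologin/false shells cannot be used to log in.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ash", "/bin/zsh"}


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    """Return {user: (uid, login_shell)} from passwd-format lines; malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[0] or not parts[2].isdigit():
            continue
        accounts[parts[0]] = (int(parts[2]), parts[6])
    return accounts


def audit(passwd_text, authorized_keys, expected_users, known_keys):
    """Audit accounts that can be used for an SSH login.

    authorized_keys: {user: [authorized_keys lines]} gathered from each home directory.
    expected_users:  account names the operator deliberately created.
    known_keys:      "keytype base64" pairs the operator controls; any other key is flagged.
    """
    findings = []
    for user, (uid, shell) in parse_passwd(passwd_text).items():
        keys = authorized_keys.get(user, [])
        if shell not in INTERACTIVE_SHELLS and not keys:
            continue  # no shell and no key: this account cannot be logged into
        if user not in expected_users:
            findings.append(Finding(user, "login-capable account not provisioned by the operator"))
        if uid == 0 and user != "root":
            findings.append(Finding(user, "uid 0 alias of root"))
        for key in keys:
            fields = key.split()
            if len(fields) < 2 or " ".join(fields[:2]) not in known_keys:
                findings.append(Finding(user, "authorized SSH key not in operator's known set"))
    return findings


# Constructed sample input (not real appliance data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Appliance admin:/home/admin:/bin/sh
cluster:x:1001:1001::/home/cluster:/bin/sh
remote:x:1002:1002::/home/remote:/bin/sh
"""
SAMPLE_KEYS = {
    "admin": ["ssh-ed25519 AAAAC3Nz...ADMIN ops@example.org"],
    "remote": ["ssh-rsa AAAAB3Nz...VENDOR support@vendor.invalid"],
}
EXPECTED_USERS = {"root", "admin"}
KNOWN_KEYS = {"ssh-ed25519 AAAAC3Nz...ADMIN"}


def run_sample():
    """Run the audit over the constructed sample; returns the findings list."""
    return audit(SAMPLE_PASSWD, SAMPLE_KEYS, EXPECTED_USERS, KNOWN_KEYS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user}: {f.reason}")
```

On the sample data the `cluster` and `remote` accounts are flagged as unprovisioned, and `remote` is flagged a second time for carrying a key the operator does not hold. The check is deliberately about who can log in, not about password strength: a vendor-held private key grants access regardless of how strong the local password is, which is the point SEC Consult makes about the `remote` account.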

Security Week repeats mostly the same news.

The Register is characteristically sharp-tongued:

Backdoor root login found in Barracuda gear – and Barracuda is OK with this; Hidden accounts 'needed for remote tech support'

Remote tech support is hard work, as is systems security.

