Barricade Your Barracuda | TechSNAP 94
Posted on: January 24, 2013

If you have a Barracuda device, it’s time to put it behind a real firewall. We’ll blow your minds with the horrible state of security on many popular Barracuda products.
Plus why a long password does not necessarily mean a more secure password, a big batch of your questions, and a great roundup!
All that and a lot more, on this week’s TechSNAP!
Show Notes:
- Vulnerable products include:
- Barracuda Spam and Virus Firewall
- Barracuda Web Filter
- Barracuda Message Archiver
- Barracuda Web Application Firewall
- Barracuda Link Balancer
- Barracuda Load Balancer
- Barracuda SSL VPN
- The issue was fixed in Security Definitions 2.0.5; it is highly recommended that all devices be upgraded
- These devices contain undocumented backdoor accounts with static passwords including:
- root*
- build* (uid 0)
- shutdown
- product
- ca
- support
- websupport
- qa_test*
- Only the items marked with a * could not be cracked with a short wordlist
- These users and their easily cracked passwords can be used to log in at the terminal; the user ‘product’ is given a full bash shell
- Some additional users were also set up with no password but with authorized SSH keys to allow remote access:
- remote (uid 0)
- cluster
- Both of these users also have full bash shells
- Once a user has a shell, they are able to access the local MySQL database (root@localhost with no password) and can add new users with administrative privileges
- A shell also could allow the user to enable debugging that could allow them to compromise the device
- The Barracuda devices use iptables to restrict access via SSH; however, in addition to allowing SSH from the internal network, they also allow incoming SSH connections from two remote /24s on the internet
- Timestamps on the iptables rules file suggest these IPs have been allowed in to every device since 2003
- These ranges belong to two different ISPs: Layer42.net, which appears to host the colocation for Barracuda Networks, and XO.net, which does not appear to be used by Barracuda Networks (it may have been in the past); the IPs appear to belong to a number of unrelated parties, including a small IT firm that offers remote management, some VoIP servers, and a number of poorly maintained websites (some not updated since 2007)
- If any of these sites or servers were compromised, they could be used to gain access to all public-facing Barracuda Networks devices
- Most of these devices are public facing, because they are firewalls, web filters and spam filters
- A user may be able to spoof their IP via the local network to appear to be coming from one of the two internet ranges that have been whitelisted
- As part of the 2.0.5 update, Barracuda has disabled the product user, and all other users except for ‘cluster’ (ssh key only), ‘remote’ (uid 0, ssh key only, key is possessed by Barracuda Networks) and ‘root’ (password, likely crackable)
- According to Barracuda Networks, these accounts are critical for customer support and will not be removed
- Barracuda has done nothing to address the statically defined whitelisted ranges of IPs
- Because of the risk, it is recommended to place the Barracuda Networks devices behind a proper firewall
- Customers can contact Barracuda Networks Support for instructions on enabling ‘expert mode’ in order to disable the SSH daemon
- Barracuda Networks – Tech Alerts
- Unauthenticated users are able to set arbitrary Java system properties to arbitrary values, allowing an attacker to perform a Denial of Service attack against the device, or allowing them to break the applications security mechanisms
- By using the above vulnerability, an attacker is able to access the API functionality of the appliance, and is then able to download the device configuration, dump the SQL database (including passwords), reset the passwords of all superusers, disclose local files on the appliance (possibly secret keys), and restart or shutdown the device entirely.
- Barracuda Networks has issued ‘Security Definition 2.0.5’ that resolves these issues
- A researcher from Carnegie Mellon University has developed a new password cracking tool that considers grammatical correctness to reduce the search space
- Based on a survey of 1434 user selected passwords of 16 characters or more, 18% of users voluntarily chose passwords that were grammatically correct (such as “abiggerbetterpassword” or “longestpasswordever”)
- The survey also found other structures, including postal addresses, URLs, and email addresses
- The password search space is significantly reduced when you move away from considering random combinations of characters, and instead consider dictionary words, and reduced further when you consider words only in combinations that are grammatically correct
- If a password consists of 3 words, applying the rules of grammar reduces the search space to 96.90%. However, if the password consists of 5 words, the search space is reduced to 46.95%, and 8 words lowers the search space to 0.99% of its original size
- Consider this when you are selecting passwords XKCD style
- Full Paper
- Removable ZIL
- Removing a ZIL (separate log device) has only been possible since ZFS zpool v19+, which on FreeBSD means 8.3 and 9.0; FreeNAS before November 2012 does not support ZIL removal
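An added example (not from the show or from Barracuda) of the kind of audit the Barracuda items above call for: checking an appliance's account and firewall artifacts for extra uid-0 accounts, accounts with an empty password field, and SSH allow rules whose source is outside RFC 1918 space. The passwd, shadow and iptables-save snippets are constructed sample data, and the public /24s are documentation ranges standing in for the real whitelisted ISP ranges.

```python
"""Audit constructed appliance artifacts for the backdoor conditions described above."""
import ipaddress
import re

# Constructed sample data; not copied from any real device.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
remote:x:0:0:remote:/home/remote:/bin/bash
cluster:x:1001:1001:cluster:/home/cluster:/bin/bash
product:x:1002:1002:product:/home/product:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$hashhashhash:15000:0:99999:7:::
remote::15000:0:99999:7:::
cluster::15000:0:99999:7:::
product:$6$saltsalt$hashhashhash:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::
"""
IPTABLES_SAVE = """\
-A INPUT -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""
# Internal ranges an appliance is expected to accept SSH from (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def extra_uid0(passwd):
    """Accounts other than root that carry uid 0 (e.g. 'remote' and 'build' above)."""
    rows = [line.split(":") for line in passwd.splitlines() if line]
    return [r[0] for r in rows if r[2] == "0" and r[0] != "root"]

def passwordless(shadow):
    """Accounts whose shadow password field is empty, so no password is required."""
    rows = [line.split(":") for line in shadow.splitlines() if line]
    return [r[0] for r in rows if r[1] == ""]

def public_ssh_sources(rules):
    """Source ranges with an ACCEPT rule for port 22 that lie outside RFC 1918 space."""
    found = []
    for line in rules.splitlines():
        if "--dport 22" not in line or "-j ACCEPT" not in line:
            continue
        m = re.search(r"-s (\S+)", line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            if not any(net.subnet_of(p) for p in RFC1918):
                found.append(m.group(1))
    return found

if __name__ == "__main__":
    print(extra_uid0(PASSWD), passwordless(SHADOW), public_ssh_sources(IPTABLES_SAVE))
```

On a live system the same functions can be fed the contents of /etc/passwd, /etc/shadow and the output of `iptables-save`.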
How to Secure SSH with Google Authenticator’s Two-Factor Authentication – Submitted by techsnapp
- FOLLOWUP: The UK Information Commissioner’s Office has fined Sony 250,000 GBP (~$400,000) for the PlayStation Network breach. Finds that the attack could have been prevented if the software had been up to date and if proper password hashing had been implemented
- Arch gnu/linux on BSD kernel – just for Allan
- Polish researchers find 2 MORE sandbox bypass vulnerabilities in the latest version of Java
- Cracking tool milks weakness to reveal some Mega passwords (Updated)
- Google’s VP of Security to publish paper on ways to replace passwords
- Student expelled for hacking Quebec college system gets job offers
- Traffic and BGP analysis suggests that Cuba has activated an undersea fibre optical cable connecting it to Venezuela
- Attention shoppers: Retailers can now track you across the mall
- SEA-ME-WE 3 – a submarine fibre optic link between Australia and Singapore was damaged last week, not expected to be repaired until mid-February, traffic routed via other cables