Date: 31 December 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2008.0270 AUSCERT Advisory
[Appliance]
New Barracuda firmware releases correct multiple vulnerabilities
31 December 2008
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: Barracuda Message Archiver
Barracuda Spam Firewall Release
Barracuda Web Filter Release
Barracuda IM Firewall Release
Barracuda Load Balancer Release
Operating System: Network Appliance
Impact: Execute Arbitrary Code/Commands
Cross-site Scripting
Access: Remote/Unauthenticated
CVE Names: CVE-2008-1094 CVE-2008-0971
Member content until: Wednesday, January 28 2009
OVERVIEW:
Multiple vulnerabilities have been reported in various Barracuda
products.
IMPACT:
The first vulnerability can result in cross-site scripting (XSS)
and affects the following products [1]:
Barracuda Message Archiver Release 1.1.0.010 (2008-02-15) and earlier
Barracuda Spam Firewall Release 3.5.11.020 (2008-02-26) and earlier
Barracuda Web Filter Release 3.3.0.038 (2008-02-19) and earlier
Barracuda IM Firewall Release 3.0.01.008 (2008-02-05) and earlier
Barracuda Load Balancer Release 2.2.006 (2008-09-05) and earlier
The second vulnerability can result in SQL injection attacks and
only affects Barracuda Spam Firewall Release 3.5.11.020 (2008-02-26)
and earlier. [2]
MITIGATION:
The first vulnerability has been corrected in the release of the
following software updates:
Barracuda Message Archiver Release 1.2.1.002 (2008-07-22)
Barracuda Spam Firewall Release 3.5.12.007 (2008-10-24)
Barracuda Web Filter Release 3.3.0.052 (2008-08-04)
Barracuda IM Firewall Release 3.1.01.017 (2008-07-02)
Barracuda Load Balancer Release 2.3.024 (2008-10-20)
The second vulnerability has been corrected in the release of the
following software update:
Barracuda Spam Firewall Release 3.5.12.007 (2008-10-24)
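The following Python script, added here as a worked example and not part of this
advisory or of any Barracuda Networks tooling, checks an installed firmware
version against the fixed releases listed above. The product names and release
numbers are copied from the MITIGATION section; the sample inventory at the end
is constructed and does not describe real devices. It assumes release numbering
is monotonic within a product line, which is all the advisory supports.

```python
"""Check Barracuda firmware versions against the fixed releases in AA-2008.0270.

Added example; not the advisory's own code and not a Barracuda tool.
"""
import re

# Fixed releases per product, copied from the MITIGATION section above.
FIXED_RELEASES = {
    "Barracuda Message Archiver": "1.2.1.002",
    "Barracuda Spam Firewall": "3.5.12.007",
    "Barracuda Web Filter": "3.3.0.052",
    "Barracuda IM Firewall": "3.1.01.017",
    "Barracuda Load Balancer": "2.3.024",
}


def parse_version(version):
    """Split a dotted firmware version into a tuple of ints for comparison.

    Leading zeros are not significant: "3.5.11.020" -> (3, 5, 11, 20).
    Anything that is not purely dotted digits raises ValueError so that a
    typo or a suffix does not silently compare as "fixed".
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_fixed(product, installed):
    """Return True if `installed` is at or above the fixed release for `product`.

    Tuple comparison treats a shorter version (e.g. "3.5.12") as older than
    the longer fixed release ("3.5.12.007"), which errs on the side of
    reporting the device as still vulnerable.
    """
    if product not in FIXED_RELEASES:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    return parse_version(installed) >= parse_version(FIXED_RELEASES[product])


def assess(inventory):
    """Map each (product, version) pair to 'fixed' or 'vulnerable'."""
    return {
        f"{product} {version}": ("fixed" if is_fixed(product, version) else "vulnerable")
        for product, version in inventory
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    SAMPLE_INVENTORY = [
        ("Barracuda Spam Firewall", "3.5.11.020"),   # last affected release
        ("Barracuda Spam Firewall", "3.5.12.007"),   # fixed release
        ("Barracuda Load Balancer", "2.2.006"),      # last affected release
        ("Barracuda Web Filter", "3.3.0.060"),       # later than the fix
    ]
    for name, status in assess(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {name}")
```

The check only covers the release lines the advisory names; a device on a
branch the advisory does not mention should be confirmed against the vendor's
tech alert rather than this table.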
REFERENCES:
[1] Resolved input field validation and HTML encoding issues in
select Barracuda Networks products
http://www.barracudanetworks.com/ns/support/tech_alert.php
[2] Barracuda Spam Firewall resolved potential issue associated with
the Users -> Accounts View page
http://www.barracudanetworks.com/ns/support/tech_alert.php
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSVr5Jih9+71yA2DNAQIcYgP+Kr0NzAhNzzmahf9FqFRmTdaH/sYMpbbe
UCtG6+jgU15Nr0Cos8O49w53LK6ZClo/SGznybydP1H2oXhN/nQcXa/gHiD9XBff
7cucyvya7qOQJmxeSMCu7A1qd9cOVtCqTBiEpAUkOmCSOA6QIdXmjv3/pgC8b63x
kO6WnqK30Ng=
=KEWM
-----END PGP SIGNATURE-----