Published:
04 August 2006
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0551 -- [Appliance]
Multiple vulnerabilities in Barracuda Spam Firewall
4 August 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Barracuda Spam Firewall 3.3.01.001 to 3.3.03.053
Impact: Execute Arbitrary Code/Commands
Read-only Data Access
Access Privileged Data
Access: Remote/Unauthenticated
Comment: The following vulnerability advisories have been posted to the
BugTraq security mailing list. Barracuda Networks have neither
confirmed or denied these vulnerabilities. Additionally the
subsequent follow-up post:
http://www.securityfocus.com/archive/1/442132/30/0/threaded
Indicates this arbitrary file disclosure vulnerability may also be
exploited to execute arbitrary code.
- --------------------------BEGIN INCLUDED TEXT--------------------
Title: Barracuda Hardcoded Password Vulnerability
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair (gssincla@nnlsoftware.com)
Discovered on: 28 May 2006
Overview:
Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to
information disclosure which is made possible by a default guest password
Details:
The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have a
hardcoded password for the "guest" account in the Login.pm script. This
script is called to validate any user who attempts to login to the
barracuda's web interface (typically at http://<deviceIP>:8080 or
https://<deviceIP>). While the guest account has limited access, the
following information can be obtained:
* system configuration including IP accesses, admin IP ACLs
* email message logs (but not the content of the messages)
* version information of both spam/antivirus definitions and system
firmware version
Used in conjunction with the vulnerability "Barracuda Arbitrary File
Disclosure" (NNL-20060801-02), the integrity of the system can be
compromised. An attacker can use both vulnerabilities to download both
confidential emails as well as the configuration information (including the
admin password).
Additionally, while some accounts such as "admin" are bound by user
definable IP ACLs, the guest account is not. This means that sensitive
information can be disclosed to ANY IP address regardless of the user
defined network restrictions.
Proof of Concept:
Enter the username "guest" into the login page of any open barracuda and
the password "bnadmin99"
Recommendations:
* Never allow your barracuda web interface to be accessible from untrusted
networks (especially the Internet)
* Upgrade to version 3.3.0.54 or later
Vendor Contact:
29 May 2006 - Initial Vendor Contact
24 June 2006 - Vendor replies with prospect of fix
17 July 2006 - NNL request status update, no reply
01 Aug 2006 - NNL releases vuln report, notifies vendor of release
Title: Barracuda Arbitrary File Disclosure
Severity: High (Sensitive Information Disclosure)
Date: 01 August 2006
Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
Discovered by: Greg Sinclair (gssincla@nnlsoftware.com)
Discovered on: 29 May 2006
Overview:
Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to
arbitrary file disclosure due to improper parameter sanitation.
Details:
The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 are
vulnerable to arbitrary file disclosure via the preview_email.cgi script.
The /cgi-bin/preview_email.cgi script is designed to retrieve a message from
the local message database on the Barracuda Spam Firewall. However, the
"file" parameter which is passed via GET is not properly sanitized to
restrict the file retrieval to the message database directories. The script
looks for "/mail/mlog" in the file parameter but does not take into account
directory transversal arguments such as ".." The result is that any file
that is accessible to the web server user is accessible from the web
interface. The script does require a valid user to be logged in to perform
this attack, however using the "Barracuda Hardcoded Password Vulnerability"
(NNL-20060801-01) guest password vulnerability this restriction can easily
be overcome.
This particular problem is amplified by the fact that it is possible to
download the full configuration file for the barracuda. The configuration
file is periodically backed-up into the /tmp directory as
"/tmp/backup/periodic_config.txt.tmp"
Message confidentiality is compromised by the fact that an attacker who is
able to view the message log screen (which can be done via the guest
password vulnerability) can easily view any message on the system. The
message logs are stored as /mail/mlog/X/Y/email_address/msgID where X is the
first character of email_address, Y is the second character of email_address,
email_address is the recipient's email address and msgID is the message ID
assigned to the message in question. So for example if jon@smith.com received
a message with messageID 1234, any user could view the message by entering
/mail/mlog/j/o/jon@smith.com/1234
Proof of Concept:
https://<deviceIP>/cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
Recommendations:
* Never allow your barracuda web interface to be accessible from untrusted
networks (especially the Internet)
* Upgrade to version 3.3.0.54 or later
Vendor Contact:
30 May 2006 - Initial Vendor Contact
24 June 2006 - Vendor replies with prospect of fix
17 July 2006 - NNL request status update, no reply
01 Aug 2006 - NNL releases vuln report, notifies vendor of release
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRNLozCh9+71yA2DNAQKj8QP/WbGJegg3gl9YN09TztlakqhwULqqcNov
1t0Cqs+y4JP09hN5iShyN47g/qHYTE6/bQ5/93R80g9AAzWQ0I4PSn/ZITLCHa30
wR/VyXvhVvaFZ6I0sQFPaU5rXSWHv7v3pYFqsE1v3akR7VMU3wyNVwXA3Q/IzDcH
WZy+S9P2ef0=
=3tHy
-----END PGP SIGNATURE-----