Thursday, January 24, 2013

Sendmail all over again

OMG! I actually have trouble believing this, except that the source is Krebs and the vendor has essentially admitted to it via a Tech Alert.

Barracuda Networks has been shipping firewalls, spam filters and VPN devices with undocumented back-door accounts. Allegedly, the back-door accounts include a password-free account with write access to the MySQL database that provides authentication information.

The only access control to these accounts is that they try to limit access to ssh connections from Barracuda owned IP addresses.  Apparently they failed in this endeavor since other, unrelated, companies also have addresses in the permitted address blocks.


http://krebsonsecurity.com/2013/01/backdoors-found-in-barracuda-networks-gear/#more-18612


How on earth can a security device vendor ship a device with an open back-door account in today's environment?  

Let me repeat that question:

How, in today's security environment, when truly serious and damaging attacks are the order of the day, could any provider of security devices knowingly ship security devices with open back-door accounts?

Back in the 90s we all learned not to do this thanks to the Sendmail WIZ account. Just to provide context, those were the days when you could still find Unix systems with guest accounts ... and yet we still understood that back-door accounts were a bad idea.

This is exactly the sort of thing we accuse the Chinese of doing as we drag them to congressional hearings and reject their equipment; and it turns out that a California based company has been doing it in a most egregious way for years.  I'd be willing to bet the government, including the DoD, has lots of this equipment.

If I owned any Barracuda gear, today's project would be to confirm whether this report is really true (it's so incredible, I still have trouble believing it). If it did turn out to be true, I would immediately begin the process of removing all Barracuda equipment from my site.

Why such a dramatic response? It's not so much that this is a big gaping security hole; everybody has bugs. But any company that knowingly permits this sort of thing to ship, in 2013, must have a corporate culture that's totally devoid of any reasonable concern about protecting their customer. As they say, there's no fixing stupid.

This, BTW, is a terrific example of why Defense in Depth is so critical.  The only defense against this vulnerability is to block all incoming ssh connections.  Of course, for some unlucky individuals, the natural way to block these connections would be via their Barracuda firewall (!)
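Since the only controls described above are an IP-range allowlist and whatever ssh filtering the owner puts in front of the box, the practical defender's check is to audit who is actually logging in. The following is an added example, not code from the post or from Barracuda: it scans sshd-style "Accepted" records and flags logins to accounts outside a documented set, and logins arriving from address blocks reserved for vendor remote support. The account names, log lines and the 203.0.113.0/24 range are constructed placeholders.

```python
# Added example (not from the post or the vendor): audit appliance ssh logins.
# Flags (1) accepted logins to accounts not in the documented admin set and
# (2) accepted logins from address blocks the vendor reserves for its own
# remote-support access, because source-IP filtering was the only control
# on the undocumented accounts described in the post.
import ipaddress
import re

# Placeholder values, constructed for this example; substitute the accounts
# you actually provisioned and the vendor's published support ranges.
DOCUMENTED_ACCOUNTS = {"admin", "auditor"}
VENDOR_SUPPORT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3

# OpenSSH's "Accepted <method> for <user> from <ip> port <n>" record shape.
LOG_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def audit_ssh_logins(lines):
    """Return (user, ip, reasons) for every accepted login worth a second look."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # failed attempts and unrelated records are skipped
        user = m.group("user")
        ip = ipaddress.ip_address(m.group("ip"))
        reasons = []
        if user not in DOCUMENTED_ACCOUNTS:
            reasons.append("undocumented account")
        if any(ip in net for net in VENDOR_SUPPORT_RANGES):
            reasons.append("vendor support range")
        if reasons:
            findings.append((user, str(ip), reasons))
    return findings


# Constructed sample records; "support" is a made-up account name.
SAMPLE_LOG = [
    "Jan 24 09:12:01 fw sshd[2231]: Accepted password for admin from 10.0.5.9 port 51022 ssh2",
    "Jan 24 09:14:37 fw sshd[2240]: Accepted password for support from 203.0.113.44 port 40211 ssh2",
    "Jan 24 09:15:02 fw sshd[2244]: Failed password for root from 198.51.100.7 port 33001 ssh2",
    "Jan 24 09:20:15 fw sshd[2251]: Accepted publickey for auditor from 203.0.113.8 port 52210 ssh2",
]

if __name__ == "__main__":
    for user, ip, reasons in audit_ssh_logins(SAMPLE_LOG):
        print(f"{user}@{ip}: {', '.join(reasons)}")
```

A hit on both reasons at once (an account you never created, coming from a vendor range) is exactly the pattern the post describes, and is the one to escalate first.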
