A researcher has found that several security appliances from Barracuda Networks come with multiple backdoor accounts, allowing for local and remote access to the devices.
Stefan Viehböck of Austrian security research firm SEC Consult Unternehmensberatung GmbH discovered the security flaw.
The firm called it "critical" as the accounts are undocumented and can only be disabled through a hidden expert options dialog with the help of vendor support staff.
Furthermore, a secure shell (SSH) daemon runs on the appliances and allows access from servers operated by Barracuda Networks and other unaffiliated entities, Viehböck found.
The following Barracuda Networks products are said to be vulnerable:
- Spam and Virus Firewall
- Web Filter
- Message Archiver
- Web Application Firewall
- Link Balancer
- Load Balancer
- SSL VPN
Barracuda Networks has acknowledged the flaw and issued a security alert, advising customers to update their Security Definitions to version 2.0.5 immediately.
The company said that "while this update drastically minimises potential attack vectors, our support department is available to answer any questions on fully disabling this functionality if support access is not desired."
According to Viehböck, updating the security definitions does not remove the vulnerability of remote access via SSH.
Viehböck said a possible workaround was to firewall the appliances, blocking incoming traffic from both the local network and the Internet that is destined for TCP port 22, the port used by SSH.
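The workaround above, as an added example that is not part of the article and not from Barracuda Networks or SEC Consult: a script that generates an nftables ruleset for a Linux firewall assumed to sit upstream of the appliance, dropping and logging every forwarded TCP/22 connection towards the appliance (the logging goes slightly beyond the text, so unexpected SSH attempts are visible in syslog). The appliance address 192.0.2.10, the optional management host 192.0.2.2 and the function names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the article or the vendor). Builds an nftables
# ruleset for an upstream firewall so that no SSH traffic from the LAN or
# the Internet reaches the appliance. An optional management host may be
# kept on an allowlist; the IPs used below are assumed sample values.
set -eu

gen_ssh_block_rules() {
  local appliance_ip="$1"
  local mgmt_ip="${2:-}"   # optional: one host still allowed to reach port 22
  cat <<EOF
table inet appliance_guard {
  chain forward {
    type filter hook forward priority 0; policy accept;
EOF
  if [ -n "$mgmt_ip" ]; then
    cat <<EOF
    # keep one documented management path open
    ip saddr $mgmt_ip ip daddr $appliance_ip tcp dport 22 accept
EOF
  fi
  cat <<EOF
    # log, then drop, every other SSH attempt towards the appliance
    ip daddr $appliance_ip tcp dport 22 log prefix "APPLIANCE-SSH-DROP " drop
  }
}
EOF
}

# Number of rules acting on TCP port 22; used to sanity-check the output
count_ssh_rules() {
  gen_ssh_block_rules "$@" | grep -c 'tcp dport 22'
}

# Usage: ./appliance_guard.sh --write, then load with: nft -f appliance_guard.nft
if [ "${1:-}" = "--write" ]; then
  gen_ssh_block_rules "192.0.2.10" "192.0.2.2" > appliance_guard.nft
fi
```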
"In secure environments it is highly undesirable to use appliances with backdoors built into them, even if only the manufacturer can access them," Viehböck concludes.