Given the angst, conspiracy theories, and tinfoil hats around any network/security products built in China, it’s curious to see Krebs’ story on the backdoors in Barracuda products found by Stefan Viehboeck of SEC Consult Vulnerability Lab.
Viehboeck found that the username “product” could be used to login and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.
But having that back door creates exposures that most security conscious folks find unacceptable. As Viehboeck says: “In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them.”
Clearly you can draw the conclusion that this is bad, especially because Barracuda is playing the ostrich game a bit, calling these issues just ‘medium’ severity. But given that Barracuda caters to the small and mid-market, how many of these boxes are actually installed in secure environments? And how many of these unsophisticated customers will apply the fixes to eliminate the back doors? Right, not too many.
We can’t let Barracuda off the hook here just because the back doors are there to facilitate support access in the event the box needs to be remotely fixed. Users lose their credentials and lock themselves out of their boxes all the time. They misconfigure stuff and a support rep would need deep (probably root) access to fix things. We get that. But we aren’t in the excuses business, and neither are Barracuda’s customers.
Barracuda just can’t rely on a locked-down IP address range to provide security. That’s too easy to spoof and those addresses may change over time. Obscurity isn’t the answer. Moreover, customers need to have the option to shut down the back doors, especially if they install in one of these mythical secure environments.
There must be a middle ground between installing an undocumented back door and not being able to support the device remotely. Maybe they ship the box without the default accounts and lock down the root account. Maybe they have a script that adds the support accounts to the box when a special “Activate Remote Support” setting is selected within the interface. They could use some kind of two-factor authentication to ensure Barracuda support is involved when activating the script. Then when the box is repaired, the user unchecks the box and another script cleans out the user accounts and locks down the box.
Is that a perfect answer? Of course not – I’m just throwing crap against the wall. There must be a better way to ensure thousands of customers don’t have to ship their boxes back to Barracuda for simple fixes that can be done remotely by support. But having an undocumented back door isn’t it.
Photo credit: “Vancouver, BC, Canada – Robson Street – Hippies Please Use Back Door (Antique Sign)” originally uploaded by Adam Jones