Barracuda Link Balancer and the OpenSSL Heartbleed vulnerability

#1 Neeraj, Product Managers

Posted 15 April 2014 - 11:17 AM

Barracuda Link Balancer makes use of the popular OpenSSL cryptographic software library for the management UI (only when using HTTPS). The versions of OpenSSL shipped with Barracuda Link Balancer in the 2.5.x release may be vulnerable to the above-mentioned security advisory (see below).

The certificate information for the management UI may have leaked due to this vulnerability. The VPN functionality of the product is not affected by this vulnerability.

The affected firmware versions are 2.5 - 2.5.027. If you are on a firmware version that precedes this range, you are not affected.

In case you have not turned off automatic Security Definition Updates on the ADVANCED::Energize Updates page, we have released a new security definition (secdef) version 2.1.12177 that patches this vulnerability. You can confirm whether the secdef has already been applied on the Energize Updates page. You would also have seen an email or notice to reboot the unit. After the reboot, your patching process is complete. However, you still need to replace your certificates to rule out any prior data leakage; see steps 3 onwards below.

 

  1. Ensure that all your Barracuda Link Balancer units that use HTTPS for the management UI are updated with the secdef. This happens automatically unless you have changed the default settings.
  2. The secdef would not apply automatically if Automatic Updates under Security Definition Updates was set to Off. In this case you can choose to apply the secdef manually.
  3. After applying the secdef, on the ADVANCED::Secure Administration page in the section SSL Certificate Configuration, do not use the “Default (Barracuda Networks)” SSL certificate any longer (if you were indeed using it). Instead, create a new certificate for Secure Administration; refer to the online help for details.
  4. If you created a Private (Self-Signed) or Trusted (Signed by a Trusted CA) certificate for the management UI, make sure to also replace these on the ADVANCED::Secure Administration page after the upgrade.
  5. Ensure that all admin password(s) are renewed.
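The following is an added triage example, not code from the post or from Barracuda: it encodes the affected firmware range, the patching secdef version and steps 1 to 5 above, and works out which actions are still outstanding for each unit in a constructed inventory. The `Unit` fields (HTTPS UI enabled, applied secdef, rebooted, default certificate in use) are assumptions about what an administrator would record, not fields the product exposes.

```python
"""Triage helper for the Link Balancer Heartbleed advisory above (added
example, not Barracuda code; the inventory fields are assumptions)."""
from dataclasses import dataclass
AFFECTED_LOW = (2, 5, 0)        # affected firmware: 2.5 ...
AFFECTED_HIGH = (2, 5, 27)      # ... through 2.5.027, inclusive
PATCHED_SECDEF = (2, 1, 12177)  # secdef version that patches the bug

def parse_version(text):
    """'2.5.027' -> (2, 5, 27): numeric compare, padded to three fields."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return (parts + (0, 0, 0))[:3]

def firmware_affected(firmware):
    return AFFECTED_LOW <= parse_version(firmware) <= AFFECTED_HIGH

@dataclass
class Unit:
    name: str
    firmware: str
    https_ui: bool      # management UI over HTTPS (OpenSSL in use)
    secdef: str         # currently applied security definition
    rebooted: bool      # rebooted after the secdef was applied
    default_cert: bool  # still on the "Default (Barracuda Networks)" cert

def outstanding_actions(unit):
    """Steps from the post that still apply to this unit; [] = nothing."""
    if not unit.https_ui or not firmware_affected(unit.firmware):
        return []  # OpenSSL not exposed, or firmware precedes the range
    actions = []
    if parse_version(unit.secdef) < PATCHED_SECDEF:
        actions += ["apply secdef 2.1.12177 (manually if auto-updates are Off)",
                    "reboot after the secdef is applied"]
    elif not unit.rebooted:
        actions.append("reboot to complete patching")
    # Certificates may have leaked before the patch: replace them regardless.
    actions.append("replace the Default SSL certificate" if unit.default_cert
                   else "replace the self-signed/CA-signed certificate")
    actions.append("renew all admin passwords")
    return actions

# Constructed sample inventory (not real devices).
INVENTORY = [
    Unit("lb-hq", "2.5.027", True, "2.1.12000", False, True),
    Unit("lb-dc2", "2.5.010", True, "2.1.12177", True, False),
    Unit("lb-lab", "2.4.013", True, "2.1.12000", False, True),
    Unit("lb-http", "2.5.005", False, "2.1.12000", False, True),
]

def triage(units=INVENTORY):
    # Unit name -> outstanding actions, omitting units with nothing to do.
    return {u.name: a for u in units if (a := outstanding_actions(u))}
```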