Security Advisories

Security Vulnerability; Advisory; Exploit; CVE;

  • This topic is locked
23 replies to this topic

#1 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 20 May 2014 - 06:07 AM

This section of the forum is meant to inform you about possible security vulnerabilities identified in currently supported Barracuda NextGen Firewall products and recommended actions. This section also provides information on vulnerabilities that DO NOT affect the Barracuda NextGen Firewall.


Senior Product Manager

#2 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 20 May 2014 - 06:58 AM

Security Bypass Issue in OpenSSH prior to Version 6.6 / CVE-2014-2532

 

Summary: sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. For detailed information please visit http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532

 

Scope: A recently carried out Qualys PCI DSS scan has shown that the Barracuda NG Firewall is in theory vulnerable to the mentioned exploit as firmware versions 5.2.x and 5.4.x are using OpenSSH version 5.6.1. The external Qualys scan raised >>QID 42428 - OpenSSH "child_set_env()" Security Bypass Issue - CVE-2014-2532<< as a potential [1] security threat classified with a severity of medium. In order to exploit this vulnerability a series of preconditions must be met:

  1. the ssh-daemon must be configured to accept client environment variables
  2. configuration is done in sshd_config, 'AcceptEnv' directive
  3. the sshd default behavior is NOT to accept client environment variables if the 'AcceptEnv' directive is missing
  4. we do not set nor allow to configure the 'AcceptEnv' directive
  5. an attacker must be able to successfully authenticate

Investigations in our lab showed that Qualys reports QID 42428 solely based on the SSH version number announced as part of the SSH Banner for new client connections. This is also why QID 42428 is flagged as a *potential* vulnerability (yellow indicator bars in the report) instead of a *verified* vulnerability as due to [1] the accuracy of this issue is limited.

 

Note: Qualys states that the check for CVE-2014-2532 was added to PCIScan on 04/01/2014 and the CVE was assigned 03/17/2014 which is why it wasn't raised in earlier scans.

 

Products Affected: -

 

Mitigations and Workarounds: The Barracuda NG Firewall is not affected by this particular vulnerability as it is actually required to have 'AcceptEnv' configured in order to exploit CVE-2014-2532 and we do not provide any means of configuring this directive for SSH/SSH-Proxy.


Senior Product Manager
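The post above explains that a banner-only scan cannot confirm CVE-2014-2532 because the AcceptEnv precondition lives in sshd_config. The following is an added example, not part of the original post and not vendor code, that combines the banner version with the directives in a configuration read on stdin. The function names, status strings and sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads an sshd_config on stdin and combines it with the SSH
# banner to decide whether the CVE-2014-2532 preconditions from the advisory
# are met. The authentication precondition is not checked here.

# Print each AcceptEnv pattern in effect, one per line.
# Keywords are case-insensitive; lines starting with '#' are comments.
acceptenv_patterns() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "acceptenv" { for (i = 2; i <= NF; i++) print $i }
    '
}

# Return 0 if the banner announces OpenSSH older than 6.6, 1 if it announces
# 6.6 or newer, 2 if no OpenSSH version can be read from the banner.
banner_is_pre_6_6() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                      # $1 = major, $2 = minor
    [ "$1" -lt 6 ] && return 0
    [ "$1" -eq 6 ] && [ "$2" -lt 6 ] && return 0
    return 1
}

# usage: cve_2014_2532_status "<banner>" < /path/to/sshd_config
cve_2014_2532_status() {
    banner=$1
    patterns=$(acceptenv_patterns)
    # AcceptEnv names may contain the wildcard characters '*' and '?'.
    wild=$(printf '%s\n' "$patterns" | grep '[*?]' | tr '\n' ' ' | sed 's/ $//')
    rc=0
    banner_is_pre_6_6 "$banner" || rc=$?
    case $rc in
        1) echo "not-affected: OpenSSH 6.6 or later"; return ;;
        2) echo "unknown: no OpenSSH version in banner"; return ;;
    esac
    if [ -z "$patterns" ]; then
        echo "not-exposed: no AcceptEnv directive"
    elif [ -z "$wild" ]; then
        echo "not-exposed: AcceptEnv has no wildcard pattern"
    else
        echo "preconditions-met: wildcard AcceptEnv: $wild"
    fi
}

# Constructed sample: old banner, AcceptEnv only present as a comment.
cve_2014_2532_status 'SSH-2.0-OpenSSH_5.6' <<'EOF'
Port 22
PermitRootLogin no
#AcceptEnv LANG LC_*
EOF
```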

#3 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 23 May 2014 - 05:49 AM

Security Vulnerability in web-based firewall authentication Service

 

Summary: The web-based firewall authentication service fwauthd contains a vulnerability that allows users with access to fwauthd to remove directories from the file system.

 

Risk Rating: High - This vulnerability can result in an inaccessible infrastructure behind the firewall device as well as all active services running on the firewall itself.

 

Affected Products: Barracuda NG Firewall

 

Mitigations and Workarounds: Install the respective Hotfix, which is available from the download section.







 


Senior Product Manager

#4 Bernhard Patsch

Bernhard Patsch
  • Barracuda Team Members
  • 110 posts

Posted 06 June 2014 - 11:44 AM

SSL/TLS Man-In-The-Middle Vulnerability (CVE-2014-0224)

 

Some versions of the Barracuda NG Firewall and Components are affected by this vulnerability. Hotfixes for the affected modules and versions are now available and are announced in the community forum firmware threads. For links see below. We strongly advise to apply these hotfixes.

 

The affected versions/components are listed below:

 

5.2.x Affected Modules

  • SSL VPN
  • Authentication Module

 

5.4.x Affected Modules

  • HTTP Proxy Squid / SSL BUMP (5.4.3 EA/GA only)
  • SSL Interception Module
  • SSL VPN
  • Authentication Module

 

 

5.4.x & 5.2.x Not Affected Modules

We have investigated all other components carefully. Some other components use affected OpenSSL versions, but they are not vulnerable. Specifically these are:

  • VPN Server
  • NAC and VPN Clients
  • SSH Server/Client
  • WIFI Service
  • NG Admin
  • DC Client
  • TS Agent
  • Firewall Authentication Client

 

 

Note: Barracuda NG Firewall is not affected by the following other OpenSSL vulnerabilities:

  • DTLS recursion flaw (CVE-2014-0221)
  • DTLS invalid fragment vulnerability (CVE-2014-0195)
  • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
  • Anonymous ECDH denial of service (CVE-2014-3470)
  • FLUSH+RELOAD Cache Side-channel Attack (CVE-2014-0076)

 

Hotfix information and download for firmware 5.2.10: https://community.ba...ge-5#entry65636

Hotfix information and download for firmware 5.4.2: https://community.ba...xes/#entry65638

Hotfix information and download for firmware 5.4.3: https://community.ba...xes/#entry65639



#5 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 30 September 2014 - 06:42 AM

Shellshock Vulnerabilities CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187

 

 

On the morning of September 24th, 2014 we were notified of vulnerabilities in the widely used GNU bash utility affecting a broad range of systems across the internet.

 

The GNU bash version shipped with Barracuda NG Firewall is affected by these vulnerabilities and therefore we strongly recommend to update the firmware with the published hotfixes for 5.4.x and 5.2.x which cover vulnerabilities http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187.

 

In addition, we have released an emergency IPS signature update (database version 4.460) in order to address these vulnerabilities. Customers are advised to verify that they are running the latest IPS signature version on their systems.


Senior Product Manager

#6 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 13 November 2014 - 08:48 AM

SSH Security Vulnerability - Update 13 Nov 2014 - 14:34 pm

 

We were recently notified of a bug in the installation process of NG Firewall 5.4.x which could make the SSH management interface accessible on external interfaces. Subsequently an external attacker could use a brute-force attack to gain administrative access to the shell.

 

Timing issues may lead to a rare exception when the SSH daemon is started before the configuration is available. In that case the SSH daemon will be accessible on all IP addresses. This only happens after a USB pen-drive installation with a PAR file was performed. The problem disappears after a reboot of the box or after certain configuration changes.

 

Your system may be affected if the following conditions are met:

  • The Barracuda NG Firewall is running firmware 5.4.1, 5.4.2, 5.4.3 or 5.4.4 (NGAdmin -> Status Page -> Firmware Version)
  • A USB installation with an existing PAR configuration file was performed
  • The box was not manually rebooted afterwards

How to check if you are affected:

  • SSH in to the NG firewall
  • execute the following command:  netstat -anpt | grep ssh | grep -q "0.0.0.0:22"  && echo -e "\nWarning: SSH is available on all interfaces\n"
  • Your system is affected if it gives the output “Warning: SSH is available on all interfaces”

Mitigations and Workarounds:

  • Install Hotfix 652 which is available from the download section. For more information please visit https://community.ba...ge-5#entry68107
  • or restart ssh daemon after you reinstalled a box and restored the configuration from a PAR file. This can be done by executing the following command: /etc/init.d/sshd restart

Senior Product Manager
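The check described in the post above, as an added example that is not part of the original post or vendor code. It goes beyond the one-line grep by matching the port exactly (so a listener on 2222 is not confused with 22), by also reporting the IPv6 wildcard, and by comparing specific bind addresses against a list of expected management addresses. The function name, the output wording and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `netstat -anpt` output on stdin and reports sshd
# listeners that are bound to all addresses or to an address that is not
# in the list of expected management addresses.
#
# usage: netstat -anpt | unexpected_sshd_listeners <port> [expected-ip ...]
unexpected_sshd_listeners() {
    port=$1; shift
    awk -v port="$port" -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Only listening sockets owned by sshd are of interest.
        $6 == "LISTEN" && $7 ~ /^[0-9]+\/sshd/ {
            addr = $4
            p = addr; sub(/.*:/, "", p)        # text after the last colon is the port
            sub(/:[0-9]+$/, "", addr)          # the rest is the bind address
            if (p != port) next
            if (addr == "0.0.0.0" || addr == "::") print "wildcard " $4
            else if (!(addr in ok)) print "unexpected " $4
        }
    '
}

# Constructed sample output (addresses and PIDs are made up).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2114/sshd
tcp        0      0 192.0.2.1:22            192.0.2.50:51514        ESTABLISHED 2291/sshd: root
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      3050/sshd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1802/named
tcp6       0      0 :::22                   :::*                    LISTEN      2114/sshd'

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_sshd_listeners 22 192.0.2.1
```

No output means every sshd listener on the given port is bound to an expected address.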

#7 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 23 December 2014 - 09:37 AM

NTPd Security Vulnerabilities CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296
 
Summary: A vulnerability in ntpd can allow remote attackers to cause a distributed denial of service (DDoS) attack via forged requests.
 
Risk Rating: High
 
Affected Products: Barracuda NG Firewall
 
Mitigations and Workarounds: Install the respective Hotfix available from the download section.

Senior Product Manager

#8 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 28 January 2015 - 04:42 AM

glibc (GHOST) Security Vulnerability CVE-2015-0235

 

Summary: The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
 
Risk Rating: HIGH
 
Affected Products: Barracuda NG Firewall
 
Mitigations and Workarounds: We are currently investigating the scope of this vulnerability and are working on respective Hotfixes which will be available shortly.
 
Update 30th Jan 2015. Hotfixes 665, 664 and 663 (for 6.0.0, 5.4.5 and 5.2.11) are now available for download.

Senior Product Manager

#9 Marco Miska

Marco Miska
  • Barracuda Team Members
  • 61 posts
  • Location: Innsbruck

Posted 28 May 2015 - 06:30 AM

logjam Vulnerability CVE-2015-4000

 

Dear all,

our Engineering-Team has finished the “logjam evaluation” of the NG-Firewall.

There is one affected service, which is the NG SSL-VPN.

All the other components including management interfaces, HTTP/S  Proxy, SSL-Interception, etc. are not affected.

 

Risk Rating: Medium

 
Affected Products: Barracuda NG Firewall
 
Mitigations and Workarounds:
Changing the allowed SSL cipher list to:
RSA:EDH:!EXP:!NULL:+HIGH:-MEDIUM:-LOW:-SSLv2:-IDEA-CBC-SHA
 
Please take a look at the following article for configuring the ciphers:
 

 

In the upcoming release a fix will be included.

For any further questions, please get in touch with our Technical Support.



#10 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 10 July 2015 - 02:09 AM

OpenSSL Vulnerability - Alternative chains certificate forgery (CVE-2015-1793)

 

Summary: During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication. This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

 

Since the Barracuda NG Firewall does not use affected versions of OpenSSL, the Barracuda NG Firewall is NOT affected by this particular vulnerability.

 

Products Affected: -

 

Mitigations and Workarounds: -


Senior Product Manager

#11 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 03 September 2015 - 05:55 AM

BIND DNS Vulnerability - Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c (CVE-2015-5722)

 

Summary: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key. Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service. Servers which are affected may terminate with an assertion failure, causing denial of service to all clients.

 

The Barracuda NG Firewall does not support configuring trust-anchor definitions for domains, and hence DNSSEC cannot be used.

 

Products Affected: -

 

Mitigations and Workarounds: -


Senior Product Manager

#12 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 03 September 2015 - 05:58 AM

BIND DNS Vulnerability - An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c (CVE-2015-5986)

 

Summary: An incorrect boundary check in openpgpkey_61.c can cause named to terminate due to a REQUIRE assertion failure. This defect can be deliberately exploited by an attacker who can provide a maliciously constructed response in answer to a query. A server which encounters this error will terminate due to a REQUIRE assertion failure, resulting in denial of service to clients. Recursive servers are at greatest risk from this defect but some circumstances may exist in which the attack can be successfully exploited against an authoritative server. Servers should be upgraded to a fixed version.

 

Since the Barracuda NG Firewall does not use affected versions of BIND the Barracuda NG Firewall is NOT affected by this particular vulnerability.

 

Products Affected: -

 

Mitigations and Workarounds: -


Senior Product Manager

#13 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 19 January 2016 - 11:18 AM

FireStorm Vulnerability
 
Summary: Researchers have discovered a vulnerability in certain next generation firewalls that are designed to permit full TCP handshake with any destination thus bypassing the firewall rules. By adding data in TCP handshake packets it was possible to forge messages and tunnel them out through the TCP handshake process.
 
Products Affected: The Barracuda NextGen Firewalls are not affected since the stateful access rule set checks if a TCP session setup is allowed or not way before even a SYN is allowed to go through the firewall. 
 
Mitigations and Workarounds: -

Senior Product Manager

#14 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 20 January 2016 - 12:36 PM

Linux Kernel Zero Day Vulnerability (CVE-2016-0728)
 
Summary: A critical local privilege escalation vulnerability caused by a reference leak in the keyring facility of Linux kernel versions 3.8 and higher was discovered.
 
Risk: Critical
 
Products Affected: Since the vulnerability affects kernel versions 3.8 and higher the Barracuda NextGen Firewall products are NOT affected.
 
Mitigations and Workarounds: -

Senior Product Manager

#15 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 22 January 2016 - 11:53 AM

BIND DNS Vulnerabilities - CVE-2015-8704 and CVE-2015-8705
 
Summary CVE-2015-8704: Specific APL data could trigger an INSIST in apl_42.c
Summary CVE-2015-8705: Problems converting OPT resource records and ECS options to text format can cause BIND to terminate.
 
Risk Rating: Medium
 
Affected Products: Barracuda NG Firewall and Barracuda NG Control Center
 
Mitigations and Workarounds: Install the respective Hotfix available from the download section:
 

Senior Product Manager

#16 Frank Dauer

Frank Dauer
  • Barracuda Team Members
  • 24 posts
  • Location: Innsbruck

Posted 18 February 2016 - 12:44 PM

GNU C Library vulnerability - CVE-2015-7547
 

 

Summary: A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries.
 

Risk Rating: Critical
 

Affected Products: Barracuda NG Firewall and Barracuda NG Control Center

Mitigation: Install the respective Hotfix available from the download section:

Firmware 6.2.0 and 6.2.1:

glibc-748-6.2.1-101598.tgz

 

Firmware 6.1.0 - 6.1.3:

glibc-749-6.1.3-101599.tgz

 

Firmware 6.0.0 - 6.0.4:

glibc-750-6.0.4-101602.tgz

 

Firmware 5.4.1 - 5.4.7:

glibc-751-5.4.7-101601.tgz

 

 

 

 

UPDATE 02/23/2016

 

Dear all,

the issue has been resolved and the hotfixes are available again.
 

 

 

UPDATE 02/22/2016

 

Dear all,

unfortunately we found an issue with the GNU C Library hotfixes where in some cases DNS resolving is not working as expected. Therefore we removed the GNU C Library hotfix download links for the time being. Our engineering team is working on new hotfixes. We are very sorry for any caused circumstances. 



#17 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 24 February 2016 - 09:21 AM

GNU C Library vulnerability - CVE-2015-7547

 

UPDATE 02/23/2016

 

Dear all,

the issue has been resolved and the hotfixes are available again.


Senior Product Manager

#18 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 22 November 2016 - 05:39 AM

BlackNurse DDoS Attack
 
Summary: Danish Researchers have discovered a new form of ICMP flood attack called BlackNurse. Traditionally an ICMP flood attack sends a large number of ICMP requests to the target destination, ultimately causing a Denial-of-Service in case no meaningful countermeasures are in place, thus disrupting operations of the targeted organization. BlackNurse in contrast is a low-volume DDoS attack that leverages ICMP packets Type 3 (Destination Unreachable), Code 3 (Port Unreachable) that may cause high CPU loads in some network equipment.
 
For further details and the full report please refer to http://blacknurse.dk/.
 
Impact and Products Affected: The Barracuda NextGen Firewalls are in general not vulnerable to the BlackNurse DDoS attack.
 
Mitigations and Workarounds: In order to prevent DoS flooding in general, it is recommended to follow our “Best Practice – How to Protect Against DoS/DDoS Attacks”.

Senior Product Manager

#19 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 23 November 2016 - 06:59 AM

DNS Security Vulnerability (CVE-2016-8864)
 
Summary: A problem handling responses containing a DNAME answer can lead to an assertion failure.
 
Risk Rating: High
 
Affected Products: Barracuda NextGen Firewall F-Series
 
Mitigations and Workarounds: Install the respective Hotfix.
 

Senior Product Manager

#20 Markus Lang

Markus Lang
  • Moderators
  • 382 posts

Posted 01 February 2017 - 10:19 AM

Important Advisory: Issue caused by Pattern Update

 

Summary: On Jan 27th, 3 pm UTC new application definitions were released for the Barracuda NextGen Firewall F-Series. The included Content-Pattern file had corrupted data in it. Due to this defect, the parsing of the definitions failed on the firewall, causing some processes to loop and as a result effecting a high CPU load. The effect was more pronounced on smaller appliance models and may not have been noticed on larger appliances with many CPU cores.

The following processes have been affected:

  • trans7
  • acpffwdrule
  • appidctrl

The Barracuda Network Security Team quickly withdrew the corrupted definitions at 5:45 pm UTC, but the update pattern delivery process does not (for security reasons) allow for the delivery of executables, nor can an arbitrary executable (or script) be invoked throughout pattern update processing. Therefore, Barracuda had no possibility to fix the issue from remote by restarting the affected processes. Even after downloading new, fixed update definition files, these processes remained in a dysfunctional state.

 

Impact: Even though generally at least one trans7 process was locking up, the Firewall service kept running using the current firewall ruleset. The service did at no point in time unload the ruleset, or switch to "fail open" or "fail close" mode. However, subsequent firewall ruleset changes (done when the box was in this state) were not processed and written to kernel space, which means that the active configuration of the firewall service did not change, even though a ruleset change was performed through the configuration interface. This error condition is only resolved through a restart of the firewall service, or by applying the provided hotfix.

 

Affected Firmware: Barracuda NextGen Firewall F-Series Firmware Version 6.2.x or 7.0.x

 

Mitigation: Affected Firewalls cannot be remediated automatically but need to have a hotfix installed. Customers who notice the described symptoms should IMMEDIATELY install the following hotfix. Note that this hotfix works for 6.2.x and 7.0.x.

 

We apologize for any inconvenience caused by this issue. We are constantly evaluating our quality assurance processes and will take appropriate measures to immunize our systems against similar incidents in the future.


Senior Product Manager