18 replies to this topic

[Dave Farrow]

CVE-2015-0235 was released Tuesday, Jan 27 announcing a vulnerability in the widely used glibc library.

We have confirmed that some of our products and services use affected versions of glibc. We’ve further determined that exploitation of the vulnerability requires conditions which do not exist in many of our products. Rather than delay patches by exhaustively analyzing all our products and services for the required precondition, we are electing to patch all products and services.

We are currently developing and testing the delivery of patches to our physical and virtual appliance products and will deliver them as soon as possible.

Our operations teams began patching our production services on Tuesday. Patching of our services has been completed as of this writing. The patching process requires server restarts. We are making every effort to ensure that service is not interrupted during the patching/restart process.

[Dave Farrow]

We are in the final stages of testing the patches for CVE-2015-0235 and expect to release it soon. Customers who are interested in getting early access to the patches may contact support and request early access.

[Bernhard Patsch]

Patches for the NG Firewall product are available in the Barracuda download area (https://login.barrac...port/downloads/).

[Dave Farrow]

This afternoon, January 30th, at 18:30 PST we released Security Definition 2.1.15715. This update applies to all version of the following products manufactured after June, 2009:

Barracuda Spam and Virus Firewall
Barracuda Web Filter
Barracuda Message Archiver
Barracuda Web Application Firewall
Barracuda Firewall
Barracuda Load Balancer
Barracuda Load Balancer ADC
Barracuda Link Balancer
Barracuda SSL VPN
Barracuda Backup Server
Cudatel

A reboot is required after installation of the secdef.

For maximum protection, Barracuda Networks recommends that all customers ensure that their attack and security definitions are set to On and to upgrade to the latest generally available release of the firmware and security definitions.

[David Brountas]

Thanks Dave for the notification on this. We have seen notifications come through our firewalls in the form of emails. Can you please confirm these are valid emails from Barracuda. Also can you confirm that users affected will need to download and install the patch? Will this be in the form of Firware upgrade for both virtual and physical appliances? Any help would be appreciated. 

[Dave Farrow]

David - yes, if your unit is configured to send alert emails to you then you will receive an email informing you that a reboot is necessary to complete the patch process.

The patch is being delivered as a Security Definition Update rather than as a Firmware update. The Security Definition will apply to the current firmware version of the product you are running even if it is not the most current firmware.

Security Definition Updates are available on the Energize Updates page under the Advanced tab. There is an option on that page to enable/disable automatic installation of Security Definitions. If you have received an email telling you to reboot then the Security Definition has already been downloaded and applied an the only thing you need to do is to reboot.

This process applies both to physical and virtual appliances.

[Oliver Braekow]

Thank you Dave !

[bweybrecht]

How do we determine whether this patch has been applied to our Cudatel telephone systems? There is no externally visible indication of patch status other than a generic "Firmware x.x.x.". Barracuda / Cudatel has pushed other "security" updates that have resulted in system restarts, and no other notification or indication.

[Keith Holland]

I applies the patch for the NG-F100 firewalls that I manage and the version number shown in the admin interface did not change from 5.4.4 to 5.4.5 as I believe it should have.  After initiating the upgrade/patch, a reboot was required, however, how do I confirm (prove to my clients) that the patch was correctly applied?

 

Thanks in advance

[Rene Lavoie]

Hi,

 

What happens with the appliances bought before 2009 (bought in 2008) ?

 

We have a Barracuda Spam Virus FireWall model 200 … and we continue to pay for the support and maintenance years after years.

 

I have many concerns about the CVE-2015-0235 vulnerability - GHOST.

I am even more worried that after more than 6 days, there is still no patch available for our Antispam.

I just checked and for our model the latest update available is 6.1.5.006 (2014-11-05)

Can you tell me when the patch for this vulnerability will be available?

[Rene Lavoie]

Sorry... to much coffee ! 

It's a "Security Definition Updates"...not a firmware update !

Thanks !

[mheller]

Hi Rene,

 

If your device isn't seeing the SECDEF, please contact support so we may research with you 

[Maxwell Lazaroff]

Curt Martell, et al.

We have moved the Archiving issue related to this update to the Archiver forum. We can continue there.

 

Link: https://community.ba...pped-archiving/

 

Thanks,
Maxwell Lazaroff

Barracuda Message Archiver
Technical Delivery Manager

[Ted Francis]

After rebooting my Web Filter 310 on Saturday, I lost connectivity to the Cisco Switch.  My network person had to filter BPDU packets for the ports connecting the web filter since they were going err disabled.  Any idea if something in the security patch messed with BDU or STP?  I did not have this issue on my SPAM Filter 300.

 

Jan 31 00:29:51.697 CST: %PM-4-ERR_DISABLE: STANDBY:bpduguard error detected on Gi7/6, putting Gi7/6 in err-disable state

Jan 31 00:39:51.487 CST: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi7/2

Jan 31 00:39:51.499 CST: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi7/6

.Jan 31 00:39:51.495 CST: %PM-4-ERR_RECOVER: STANDBY:Attempting to recover from bpduguard err-disable state on Gi7/2

.Jan 31 00:39:51.607 CST: %PM-4-ERR_RECOVER: STANDBY:Attempting to recover from bpduguard err-disable state on Gi7/6

Jan 31 00:40:11.870 CST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi7/2 with BPDU Guard enabled. Disabling port.

Jan 31 00:40:11.870 CST: %PM-4-ERR_DISABLE: bpduguard error detected on Gi7/2, putting Gi7/2 in err-disable state

Jan 31 00:40:11.874 CST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi7/6 with BPDU Guard enabled. Disabling port.

 

[Frank Bulk]

 

After rebooting my Web Filter 310 on Saturday, I lost connectivity to the Cisco Switch.  My network person had to filter BPDU packets for the ports connecting the web filter since they were going err disabled.  Any idea if something in the security patch messed with BDU or STP?  I did not have this issue on my SPAM Filter 300.

 

 

My gut instinct suggests that the Web Filter, perhaps before it boot up, allowed traffic to flow around in circle, allowing BPDUs to come into Gi7/2 and Gi7/6.

[Dave Farrow]

Rene,

If you are running hardware that was manufactured prior to June, 2009 and have had and active Instant Replacement (IR) subscription the entire time, you may be eligible for a complementary hardware refresh. If you have not maintained an active Instance Replacement subscription, Barracuda offers discounts to existing customers on replacement equipment.

The patches for units manufactured prior to June 2009 is currently being tested. They will be delivered through a Security Definition Update as soon as they are available.

[Martin Heerdegen]

Hi guys,

 

since there seems to be no hotfix for Barracuda NG FW v5.4.4 I assume that I first have to install 5.4.5 and additionally install the hotfix afterwards.

 

Is this correct?

Why is there only an update for the most current version?

 

Kind regards,

Martin 

[Markus Lang]

Hello Martin,

 

this specific hotfix is downward compatible and can also be installed on v5.4.4 - you do not have to update to 5.4.5 first in order to apply the hotfix.

 

Fixed Bug: BNNGF-28018

Summary: Fixes CVE-2015-0235 GHOST vulnerability

Affected Modules: glibc

Installable Release: 5.4.1 - 5.4.5

 

Regards

markus

[Micha Knorpp]

I applies the patch for the NG-F100 firewalls that I manage and the version number shown in the admin interface did not change from 5.4.4 to 5.4.5 as I believe it should have.  After initiating the upgrade/patch, a reboot was required, however, how do I confirm (prove to my clients) that the patch was correctly applied?

 

Thanks in advance

 

 Hi Keith,

 

as this is only a hotfix, the firmware version number will not change to 5.4.5.

Anyway, to see which hotfixes have been installed onto a NG Firewall system, look for Control - Licenses - Version status (lower window part).

Or take a look at Logs - Box - Release - Update (although on a F100, the reboot clears that log - so this works only for F200 and above, if the hotfix triggers a reboot).