CVE-2015-0235 - GHOST vulnerability

18 replies to this topic

#1 Dave Farrow

Dave Farrow

    PSIRT

  • Moderators
  • 33 posts

Posted 29 January 2015 - 11:50 AM

CVE-2015-0235 was released Tuesday, Jan 27 announcing a vulnerability in the widely used glibc library.

We have confirmed that some of our products and services use affected versions of glibc. We’ve further determined that exploitation of the vulnerability requires conditions which do not exist in many of our products. Rather than delay patches by exhaustively analyzing all our products and services for the required precondition, we are electing to patch all products and services.

We are currently developing and testing the delivery of patches to our physical and virtual appliance products and will deliver them as soon as possible.

Our operations teams began patching our production services on Tuesday. Patching of our services has been completed as of this writing. The patching process requires server restarts. We are making every effort to ensure that service is not interrupted during the patching/restart process.

#2 Dave Farrow

Dave Farrow

    PSIRT

  • Moderators
  • 33 posts

Posted 30 January 2015 - 02:31 AM

We are in the final stages of testing the patches for CVE-2015-0235 and expect to release them soon. Customers who are interested in getting early access to the patches may contact support and request early access.

#3 Bernhard Patsch

Bernhard Patsch
  • Barracuda Team Members
  • 102 posts

Posted 30 January 2015 - 03:08 AM

Patches for the NG Firewall product are available in the Barracuda download area (https://login.barrac...port/downloads/).



#4 Dave Farrow

Dave Farrow

    PSIRT

  • Moderators
  • 33 posts

Posted 30 January 2015 - 08:36 PM

This afternoon, January 30th, at 18:30 PST we released Security Definition 2.1.15715. This update applies to all versions of the following products manufactured after June, 2009:

Barracuda Spam and Virus Firewall
Barracuda Web Filter
Barracuda Message Archiver
Barracuda Web Application Firewall
Barracuda Firewall
Barracuda Load Balancer
Barracuda Load Balancer ADC
Barracuda Link Balancer
Barracuda SSL VPN
Barracuda Backup Server
Cudatel

A reboot is required after installation of the secdef.

For maximum protection, Barracuda Networks recommends that all customers ensure that their attack and security definitions are set to On and to upgrade to the latest generally available release of the firmware and security definitions.

#5 David Brountas

David Brountas
  • Members
  • 1 posts

Posted 30 January 2015 - 08:47 PM

Thanks Dave for the notification on this. We have seen notifications come through our firewalls in the form of emails. Can you please confirm these are valid emails from Barracuda? Also can you confirm that users affected will need to download and install the patch? Will this be in the form of a firmware upgrade for both virtual and physical appliances? Any help would be appreciated.



#6 Dave Farrow

Dave Farrow

    PSIRT

  • Moderators
  • 33 posts

Posted 31 January 2015 - 12:40 PM

David - yes, if your unit is configured to send alert emails to you then you will receive an email informing you that a reboot is necessary to complete the patch process.

The patch is being delivered as a Security Definition Update rather than as a Firmware update. The Security Definition will apply to the current firmware version of the product you are running even if it is not the most current firmware.

Security Definition Updates are available on the Energize Updates page under the Advanced tab. There is an option on that page to enable/disable automatic installation of Security Definitions. If you have received an email telling you to reboot then the Security Definition has already been downloaded and applied and the only thing you need to do is to reboot.

This process applies both to physical and virtual appliances.

#7 Oliver Braekow

Oliver Braekow
  • Moderators
  • 162 posts
  • Location: Innsbruck, Austria

Posted 02 February 2015 - 03:49 AM

Thank you Dave !



#8 bweybrecht

bweybrecht
  • Members
  • 1 posts

Posted 02 February 2015 - 02:02 PM

How do we determine whether this patch has been applied to our Cudatel telephone systems? There is no externally visible indication of patch status other than a generic "Firmware x.x.x.". Barracuda / Cudatel has pushed other "security" updates that have resulted in system restarts, and no other notification or indication.



#9 Keith Holland

Keith Holland
  • Members
  • 1 posts

Posted 02 February 2015 - 03:06 PM

I applied the patch for the NG-F100 firewalls that I manage and the version number shown in the admin interface did not change from 5.4.4 to 5.4.5 as I believe it should have.  After initiating the upgrade/patch, a reboot was required, however, how do I confirm (prove to my clients) that the patch was correctly applied?

 

Thanks in advance



#10 Rene Lavoie

Rene Lavoie
  • Members
  • 2 posts

Posted 02 February 2015 - 10:15 PM

Hi,

 

What happens with the appliances bought before 2009 (bought in 2008) ?

 

We have a Barracuda Spam Virus FireWall model 200 … and we continue to pay for the support and maintenance year after year.

 

I have many concerns about the CVE-2015-0235 vulnerability - GHOST.

I am even more worried that after more than 6 days, there is still no patch available for our Antispam.

I just checked and for our model the latest update available is 6.1.5.006 (2014-11-05)

Can you tell me when the patch for this vulnerability will be available?



#11 Rene Lavoie

Rene Lavoie
  • Members
  • 2 posts

Posted 03 February 2015 - 09:24 AM

Sorry... too much coffee!

It's a "Security Definition Updates"...not a firmware update !

Thanks !



#12 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 03 February 2015 - 09:56 AM

Hi Rene,

 

If your device isn't seeing the SECDEF, please contact support so we may research with you 



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#13 Maxwell Lazaroff

Maxwell Lazaroff
  • Moderators
  • 448 posts
  • Location: Ann Arbor, Michigan

Posted 03 February 2015 - 01:42 PM

Curt Martell, et al.

We have moved the Archiving issue related to this update to the Archiver forum. We can continue there.

 

Link: https://community.ba...pped-archiving/

 

Thanks,
Maxwell Lazaroff

Barracuda Message Archiver
Technical Delivery Manager


#14 Ted Francis

Ted Francis
  • Members
  • 3 posts

Posted 03 February 2015 - 05:35 PM

After rebooting my Web Filter 310 on Saturday, I lost connectivity to the Cisco Switch.  My network person had to filter BPDU packets for the ports connecting the web filter since they were going err disabled.  Any idea if something in the security patch messed with BPDU or STP?  I did not have this issue on my SPAM Filter 300.

 

Jan 31 00:29:51.697 CST: %PM-4-ERR_DISABLE: STANDBY:bpduguard error detected on Gi7/6, putting Gi7/6 in err-disable state

Jan 31 00:39:51.487 CST: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi7/2

Jan 31 00:39:51.499 CST: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi7/6

.Jan 31 00:39:51.495 CST: %PM-4-ERR_RECOVER: STANDBY:Attempting to recover from bpduguard err-disable state on Gi7/2

.Jan 31 00:39:51.607 CST: %PM-4-ERR_RECOVER: STANDBY:Attempting to recover from bpduguard err-disable state on Gi7/6

Jan 31 00:40:11.870 CST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi7/2 with BPDU Guard enabled. Disabling port.

Jan 31 00:40:11.870 CST: %PM-4-ERR_DISABLE: bpduguard error detected on Gi7/2, putting Gi7/2 in err-disable state

Jan 31 00:40:11.874 CST: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi7/6 with BPDU Guard enabled. Disabling port.

 



#15 Frank Bulk

Frank Bulk
  • Members
  • 34 posts

Posted 03 February 2015 - 05:49 PM

 

After rebooting my Web Filter 310 on Saturday, I lost connectivity to the Cisco Switch.  My network person had to filter BPDU packets for the ports connecting the web filter since they were going err disabled.  Any idea if something in the security patch messed with BPDU or STP?  I did not have this issue on my SPAM Filter 300.

 

 

My gut instinct suggests that the Web Filter, perhaps before it booted up, allowed traffic to flow around in a circle, allowing BPDUs to come into Gi7/2 and Gi7/6.



#16 Dave Farrow

Dave Farrow

    PSIRT

  • Moderators
  • 33 posts

Posted 03 February 2015 - 07:47 PM

Rene,

If you are running hardware that was manufactured prior to June, 2009 and have had an active Instant Replacement (IR) subscription the entire time, you may be eligible for a complimentary hardware refresh. If you have not maintained an active Instant Replacement subscription, Barracuda offers discounts to existing customers on replacement equipment.

The patches for units manufactured prior to June 2009 are currently being tested. They will be delivered through a Security Definition Update as soon as they are available.

#17 Martin Heerdegen

Martin Heerdegen
  • Members
  • 3 posts

Posted 04 February 2015 - 03:02 AM

Hi guys,

 

since there seems to be no hotfix for Barracuda NG FW v5.4.4 I assume that I first have to install 5.4.5 and additionally install the hotfix afterwards.

 

Is this correct?

Why is there only an update for the most current version?

 

Kind regards,

Martin 



#18 Markus Lang

Markus Lang
  • Moderators
  • 341 posts

Posted 05 February 2015 - 03:13 AM

Hello Martin,

 

this specific hotfix is downward compatible and can also be installed on v5.4.4 - you do not have to update to 5.4.5 first in order to apply the hotfix.

 
Fixed Bug: BNNGF-28018
Summary: Fixes CVE-2015-0235 GHOST vulnerability
Affected Modules: glibc
Installable Release: 5.4.1 - 5.4.5
 
Regards
markus

Senior Product Manager

#19 Micha Knorpp

Micha Knorpp
  • Members
  • 154 posts
  • Location: Germany, BW

Posted 09 February 2015 - 06:05 AM

I applied the patch for the NG-F100 firewalls that I manage and the version number shown in the admin interface did not change from 5.4.4 to 5.4.5 as I believe it should have.  After initiating the upgrade/patch, a reboot was required, however, how do I confirm (prove to my clients) that the patch was correctly applied?

 

Thanks in advance

 

 Hi Keith,

 

as this is only a hotfix, the firmware version number will not change to 5.4.5.

Anyway, to see which hotfixes have been installed onto an NG Firewall system, look for Control - Licenses - Version status (lower window part).

Or take a look at Logs - Box - Release - Update (although on a F100, the reboot clears that log - so this works only for F200 and above, if the hotfix triggers a reboot).


regards,
-micha-