Korelogic disclosures of WAF vulnerabilities


Dave Farrow, PSIRT

Posted 13 July 2017 - 07:33 PM

On July 6, researchers at Korelogic disclosed 5 vulnerabilities they discovered in the Barracuda Web Application Firewall (WAF).


Three of the findings, KL-001-2017-010, KL-001-2017-011, and KL-001-2017-012, affected the booting process. The reported findings have been remediated in the manufacturing process and currently shipping WAF products are no longer affected. To exploit these issues on existing systems, an attacker requires console access to the target system.


KL-001-2017-013 was patched in WAF firmware version 9.0.1. We recommend customers upgrade their installations to that version or later.


A patch for KL-001-2017-014 was delivered to all WAFs via the automatic security update system*. All systems configured to automatically apply Security Definitions (found under the Advanced->Energize Updates page) have already been updated. Customers who have disabled this setting must enable it to receive the patch. Alternately, support can manually apply the patch for customers who are unwilling to enable Security Definitions.


* We are currently transitioning delivery of security patches from our traditional secdef delivery mechanism to a new system. The patch for KL-001-2017-014 was delivered using the new system. A future firmware release will contain a user interface for reviewing applied and available patches.