Exploit found in some Barracuda firewalls, VPN hardware

updated 09:44 pm EST, Thu January 24, 2013

Flaw allows remote access to MySQL database in equipment

According to Austrian security researchers SEC Consult Vulnerability Lab, an assortment of firewall, spam filtering, and VPN hardware made by Barracuda contains undocumented accounts that allow hackers to remotely log into the devices and access information. The SSH backdoor is hardcoded into the products and can be used to gain shell access to the equipment, according to the published advisory.

The researchers claim that the security flaw "is entirely undocumented and can only be disabled via a hidden 'expert options' dialog." A very weak password, which Electronista found with a Google search, is used to secure the device in conjunction with a generic user name. The combination allows login and full remote access to the device's MySQL database. The exploits are accessible from a small range of IP addresses -- many of which don't belong to Barracuda, and which can in any event be spoofed with the right software attack. The exploit has possibly existed since 2003.

On Wednesday, Barracuda issued its own "medium"-level security advisory, saying that "research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log in to a non-privileged account on the appliance from a small set of IP addresses." The company called the vulnerabilities the result of "default firewall configuration and default user accounts on the unit" and has issued firmware updates to patch the issue.

by MacNN Staff


