
Barracuda Appliances Have Exploitable Holes, Fixed By Firmware Updates

timothy posted about a year and a half ago | from the unless-you-like-them-that-way dept.


Orome1 writes "Barracuda Networks has released firmware updates that remove SSH backdoors in a number of their products and resolve a vulnerability in Barracuda SSL VPN that allows attackers to bypass access restrictions to download potentially insecure files, set new admins passwords, or even shut down the device. The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances." Here's Barracuda's tech note about the exploitable holes.


Holes (-1)

Anonymous Coward | about a year and a half ago | (#42681641)

It is now official - Netcraft has confirmed: Slashdot is dying

Yet another crippling bombshell hit the beleaguered Slashdot community when recently IDC confirmed that Slashdot accounts for less than a fraction of 1 percent of all forums. Coming on the heels of the latest Netcraft survey which plainly states that Slashdot has lost more market share, this news serves to reinforce what we've known all along. Slashdot is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Forum Admin comprehensive networking test.

You don't need to be a Foreskin to predict Slashdot's future. The handwriting is on the wall: Slashdot faces a bleak future. In fact there won't be any future at all for Slashdot because Slashdot is dying. Things are looking very bad for Slashdot. As many of us are already aware, Slashdot continues to lose market share. Red ink flows like a river of blood. Slashdot is the most endangered of them all, having lost 93% of its core developers.

Let's keep to the facts and look at the numbers.

Slashdot leader Rob Malda states that there are 7000 users of Slashdot. How many users of Reddit are there? Let's see. The number of Slashdot versus Reddit posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 Reddit users. Kuro5hin posts on Usenet are about half of the volume of Reddit posts. Therefore there are about 700 users of Kuro5hin. A recent article put Slashdot at about 80 percent of the forum market. Therefore there are over 9000 Slashdot users. This is consistent with the number of Slashdot Usenet posts.

Due to the troubles of LinuxVA, abysmal sales and so on, Slashdot went out of business and was taken over by Dice Holdings, Inc. who sell another troubled forum. Now it is also dead, its corpse turned over to yet another charnel house.

All major surveys show that Slashdot has steadily declined in market share. Slashdot is very sick and its long term survival prospects are very dim. If Slashdot is to survive at all it will be among forum hobbyist dabblers. Slashdot continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, Slashdot is dead.

Fact: Slashdot is dead

don't forget Nietzsche and God is Dead (-1, Offtopic)

RobertLTux (260313) | about a year and a half ago | (#42681791)

the reply was of course on 26 august 1900 and was

"Nice try but the fact is YOU ARE DEAD NOT ME"

when the stars themselves are going out there will be three things that remain

The CockRoaches, Dylan Hunt and Slashdot (who will be reporting on the effort by DH to save the cockroaches)

Re:Holes (-1)

Anonymous Coward | about a year and a half ago | (#42682357)

*sigh* Okay, which of the banned former Slashdot users is throwing a "from-the-shadows" temper tantrum THIS time? Honestly, you guys, if you don't say who you actually are, how are we going to see the Errors Of Our Ways, repent, and unban you? You're doing this all wrong, which leads me to believe you're one of the novice just-recently-banned users.

JON KATZ - MOTHERFUCKER! (-1)

Anonymous Coward | about a year and a half ago | (#42682983)


Re:Holes (0)

webmistressrachel (903577) | about a year and a half ago | (#42682497)

You had that ready, didn't you?

How about a note apologizing and closing shop (3, Insightful)

Marrow (195242) | about a year and a half ago | (#42681669)

SSH backdoors into security appliances? Really?

Re:How about a note apologizing and closing shop (0)

Anonymous Coward | about a year and a half ago | (#42681777)

As per request of the United States government, just like in Windows OSes.

Re:How about a note apologizing and closing shop (0)

Anonymous Coward | about a year and a half ago | (#42682139)

As per request of the United States government, just like in Windows OSes.

Among others...

Re:How about a note apologizing and closing shop (-1)

Anonymous Coward | about a year and a half ago | (#42682481)

Windows has an SSH backdoor?!

Re:How about a note apologizing and closing shop (5, Funny)

gandhi_2 (1108023) | about a year and a half ago | (#42682883)

Shoot. It would be nice if Windows had an SSH front door.

Re:How about a note apologizing and closing shop (4, Insightful)

mvdwege (243851) | about a year and a half ago | (#42682219)

This is Barracuda, who were still doing accept-then-bounce when even Microsoft had changed that to no longer being the default in Exchange.

Re:How about a note apologizing and closing shop (1)

dskoll (99328) | about a year and a half ago | (#42684835)

accept-then-bounce when even Microsoft had changed that to no longer being the default in Exchange.

Sorry, it's still the default in Microsoft Exchange. I really hate Microsoft [skoll.ca].

Re:How about a note apologizing and closing shop (1)

mvdwege (243851) | about a year and a half ago | (#42688901)

That's 'Recipient Filtering' you link to. I understood that as of Exchange 2007 (plus some SP, possibly), if you turn on email lookups in AD, it defaults to reject if the user is not found.

I only got to work with Exchange once removed, as I had to advise our customers what to do to not backscatter, so if I am wrong, then I am wrong.

Of course in that case Barracuda is as bad as Microsoft, which is hardly an improvement.

Apologies to Heart... (2)

MarkGriz (520778) | about a year and a half ago | (#42683939)

You lying so low in the weeds
I bet you gonna ambush me
You'd have me down on my knees
Now wouldn't you, Barracuda?

Not fixed (1)

Anonymous Coward | about a year and a half ago | (#42681705)

Barracuda says they need the accounts. They will remain after the update.

Original source for Advisory (5, Informative)

Anonymous Coward | about a year and a half ago | (#42681717)

SEC Consult Vulnerability Lab Security Advisory - 20130124-0 [sec-consult.com]

title: Critical SSH Backdoor in multiple Barracuda Networks Products

vulnerable products: Barracuda Spam and Virus Firewall
                     Barracuda Web Filter
                     Barracuda Message Archiver
                     Barracuda Web Application Firewall
                     Barracuda Link Balancer
                     Barracuda Load Balancer
                     Barracuda SSL VPN
                     (all including their respective virtual "Vx" versions)

vulnerable version: all versions < Security Definition 2.0.5
fixed version: Security Definition 2.0.5
impact: Critical
homepage: https://www.barracudanetworks.com/
found: 2012-11-20
by: S. Viehböck
    SEC Consult Vulnerability Lab
    https://www.sec-consult.com

small set of ips (1)

Twillerror (536681) | about a year and a half ago | (#42681723)

So the tech note mentions that this is only accessible from a small subset of ips...WHAT IPS!!!!!!

At least it doesn't sound like a zero day so we have time to get it patched. Since we block the management IPs from our firewall it sounds like this would only affect attacks from within your network.

Re:small set of ips (3, Informative)

Anonymous Coward | about a year and a half ago | (#42681749)

The blocks are:
205.158.110.0/24
216.129.105.0/24

http://cnet.robtex.com/205.158.110.html
http://cnet.robtex.com/216.129.105.html

Re:small set of ips (4, Informative)

cluedweasel (832743) | about a year and a half ago | (#42681975)

According to the article, these non-Barracuda domains fall within those blocks.

mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc.
utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
everest.address.com (216.129.105.202) - Domain registered by: WhitePages, Inc.
mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting

Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.

Re:small set of ips (0)

X0563511 (793323) | about a year and a half ago | (#42682773)

Line breaks, do you have them?

Re:small set of ips (0)

Skapare (16644) | about a year and a half ago | (#42683211)

You can always add your own. I did. And no, I am not sharing my line breaks today.

Re:small set of ips (1)

54mc (897170) | about a year and a half ago | (#42683841)

Line breaks, do you have them?

Fixed for you

According to the article, these non-Barracuda domains fall within those blocks.

mail.totalpaas.com (205.158.110.135) - Domain registered by: Domains By Proxy, LLC ...
frmt1.boxitweb.com (205.158.110.132) - Domain registered by: Thor Myhrstad
static.medallia.com (205.158.110.229) - Domain registered by: Medallia Inc.
utility.connectify.net (205.158.110.171) - Domain registered by: Connectify Networks, Inc.
everest.address.com (216.129.105.202) - Domain registered by: WhitePages, Inc.
mail.tqm.bz (216.129.105.205) - Domain registered by: Total Quality Maintenance, Inc
outbound.andyforbes.com (216.129.105.212) - Domain registered by: HM hosting

Anyone got any idea why those would be included in having access? Apparently this hole has been present since 2003. I'm surprised it didn't come to light earlier.

Re:small set of ips (0)

Anonymous Coward | about a year and a half ago | (#42684963)

Well Andy Forbes is their old IT guy, so that's one down.

Re:small set of ips (0)

Anonymous Coward | about a year and a half ago | (#42681835)

LOL, I hope your firewall blocking the management IPs isn't a Barracuda product. And BTW, why the hell would you even consider continuing to do business with a vendor intentionally inserting backdoors into its products? You know there's likely to be a class action suit coming, so I'd look at alternative gear to replace any Barracuda products you have right now.

Re:small set of ips (3, Informative)

msauve (701917) | about a year and a half ago | (#42681857)

If you click through to the SEC report:

-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

Re:small set of ips (0)

Anonymous Coward | about a year and a half ago | (#42683737)

And half of those rules will never be matched. Brilliant work.
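The rule listing quoted from the SEC Consult advisory a few posts up, and the remark that half of those rules are dead, can both be checked mechanically. The following is an added example, not code from the advisory or from Barracuda: it parses the quoted iptables rules, reports rules that an earlier rule already covers (the `--tcp-flags SYN,RST,ACK SYN` variants, since the unconditional ACCEPT for the same source and port precedes each of them), lists which source networks reach tcp/22, and checks whether a given address (such as the non-Barracuda hosts listed above) falls inside them. The parser only understands the `-A CHAIN -s ... -p ... --dport ...` shape these eight rules use.

```python
import ipaddress
import re

# The eight rules quoted from the advisory (rule text from the page; the audit
# code around it is an added example and not part of the advisory).
RULES = """\
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.200.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 205.158.110.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.129.105.0/255.255.255.0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
"""

# Only the rule shape used above is recognised; anything else raises.
RULE_RE = re.compile(
    r"-A (?P<chain>\S+) -s (?P<src>\S+) -p (?P<proto>\S+) -m \S+ --dport (?P<dport>\d+)"
    r"(?: --tcp-flags (?P<mask>\S+) (?P<comp>\S+))? -j (?P<target>\S+)$"
)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    d = m.groupdict()
    return {
        "chain": d["chain"],
        # ipaddress accepts the dotted-netmask form iptables-save emits.
        "src": ipaddress.ip_network(d["src"], strict=False),
        "proto": d["proto"],
        "dport": int(d["dport"]),
        "tcp_flags": (d["mask"], d["comp"]) if d["mask"] else None,
        "target": d["target"],
    }


def parse_rules(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def shadows(earlier, later):
    """True if every packet 'later' could match is already taken by 'earlier'."""
    if earlier["chain"] != later["chain"] or earlier["proto"] != later["proto"]:
        return False
    if earlier["dport"] != later["dport"]:
        return False
    if not later["src"].subnet_of(earlier["src"]):
        return False
    # A rule with no flag condition covers any flag-restricted rule; otherwise
    # the flag conditions must be identical for the later rule to be dead.
    return earlier["tcp_flags"] is None or earlier["tcp_flags"] == later["tcp_flags"]


def find_shadowed(rules):
    """1-based positions of rules that can never match because of an earlier rule."""
    dead = []
    for j, later in enumerate(rules):
        if any(shadows(earlier, later) for earlier in rules[:j]):
            dead.append(j + 1)
    return dead


def sources_allowed(rules, dport=22):
    """Distinct source networks granted ACCEPT to the given TCP port, in order."""
    nets = []
    for r in rules:
        if (r["target"] == "ACCEPT" and r["proto"] == "tcp"
                and r["dport"] == dport and r["src"] not in nets):
            nets.append(r["src"])
    return nets


def is_allowed(rules, ip, dport=22):
    """Would a packet from 'ip' to tcp/dport be accepted by these rules?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in sources_allowed(rules, dport))


if __name__ == "__main__":
    rules = parse_rules(RULES)
    print("dead rules:", find_shadowed(rules))
    print("networks allowed to tcp/22:", [str(n) for n in sources_allowed(rules)])
    for host in ("205.158.110.135", "216.129.105.212", "198.51.100.7"):
        print(host, "allowed" if is_allowed(rules, host) else "blocked")
```

Run against the quoted listing it reports rules 2, 4, 6 and 8 as unreachable and the two RFC 1918 networks plus the two public /24s as the only sources that reach tcp/22.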

Re:small set of ips (0)

Anonymous Coward | about a year and a half ago | (#42683337)

That's what I was curious about as well. It sounds like the only vulnerable devices would be those where the Admin IP/port was open to the world. I was chatting with their support guy, and he stopped chatting when I asked that question.
Anyone know/verify the details of the vuln? Is it via the Admin IP/port?

Re:small set of ips (0)

Anonymous Coward | about a year and a half ago | (#42683547)

Ok, more specifics. I just read the vulnerability is performed via the SSH port. Why anyone would have this open/exposed is odd, but it is what it is.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130124-0_Barracuda_Appliances_Backdoor_wo_poc_v10.txt

A workaround is to prevent tcp/22 from being available.
Or, buy support and do their "Energize Updates" thing, but this always would crash the load balancer so I stopped paying them to crash my load balancer.

Security appliances growing obsolete (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42681739)

Security appliances are a joke. Overpriced slabs sold by slimy salesmen to clueless PHBs to offer "security" in a box.
Security doesn't come in a box. It comes with process, documentation, and vigilance. Things alien to incompetent management.
It's no surprise that these digital snake oil machines are riddled with security holes themselves.

Anyway, these things are mostly obsolete. Why spend a fortune when your infrastructure is all VMs hosted across multiple data centers in many distinct geographic locations.

You still host your own servers? Why?

Re:Security appliances growing obsolete (1)

cluedweasel (832743) | about a year and a half ago | (#42681895)

You still host your own servers? Why?

Because our local Internet provider is an unreliable, capped mess with no real competition in the business market? Regulation also plays a part. Our industry is heavily regulated. Hosting our infrastructure is possible, but expensive. Senior management also have unrealistic uptime expectations. All in all, at this time it's more economical to keep our IT infrastructure in house.

Re:Security appliances growing obsolete (1)

Charliemopps (1157495) | about a year and a half ago | (#42682231)

And in my case, we ARE the ISP... so who are we supposed to host with exactly? lol

Re:Security appliances growing obsolete (2)

Obfuscant (592200) | about a year and a half ago | (#42682461)

And in my case, we ARE the ISP... so who are we supposed to host with exactly? lol

Google. That's what my local ISP just did -- handed Google all the account data and stored email and let them do all the email processing.

It was a wonderful experience. I found email on Google Mail that had been deleted from my ISP for almost two years. Since anything older than 6 months is now considered abandoned and available to the government upon request, they basically gave Google 18 months of free data to hand over to the feds. And two years of data for Google to helpfully index for me (and whatever other use they want to make of it).

And I just got my latest ISP bill. Anyone want to guess if the charges went down, now that they aren't doing anything more than shilling for Google services?

Re:Security appliances growing obsolete (1)

sandytaru (1158959) | about a year and a half ago | (#42683049)

One of our clients found this out the hard way. They switched to a cloud based app, and even with a fiber connection they still have a lot of slowness and downtime. Why? Because the cloud provider was too damn greedy and signed too many clients up at once, and they just don't have the infrastructure on THEIR end to handle it. We're in negotiations to try to get a locally hosted version of the app, if it is at all possible, so we don't get unhappy emails every five minutes that the cloud app is being "slow."

Re:Security appliances growing obsolete (3, Insightful)

Anonymous Coward | about a year and a half ago | (#42682011)

Yeah, putting all of your servers in the "cloud" is the best strategy for security. Definitely.

Re:Security appliances growing obsolete (0)

Anonymous Coward | about a year and a half ago | (#42682477)

You put your servers in ubiquitous, large scale, flexible, scalable, geographically diverse VM hosts that marketers call "the cloud" because that is how smart businesses run today. Why anchor yourself to physical hardware? What if you find yourself needing to triple your capacity in less than a week? You can't because you're stuck hoofing metal boxes into a rack? Can't purchase the boxes fast enough? Can't upgrade your bandwidth? Your application wasn't designed to scale in the first place?

Sorry buddy, that fat contract is going to your competitor. You missed the gravy boat because you feel "the cloud" is "insecure".

There's nothing inherently more secure about either traditional data centers or "cloud" data. Both can be secure, but require different practices (Well slightly different. The core fundamentals still apply in both).

Re:Security appliances growing obsolete (2)

tibit (1762298) | about a year and a half ago | (#42682929)

If you need to triple your capacity in a week, there's probably a whole bunch of people who didn't do their jobs properly :)

Re:Security appliances growing obsolete (1)

Obfuscant (592200) | about a year and a half ago | (#42682553)

Yeah, putting all of your servers in the "cloud" is the best strategy for security. Definitely.

ISPs don't care about security as long as it isn't their systems. They care about getting phone calls for support when their data center goes offline due to a power failure or other event.

Someone having access to your email costs them nothing. Paying people to answer the phones costs them a lot. So they do like my ISP did and hand the job over to Google. They gave the "failed data center" excuse. Security obviously wasn't on their mind, since they handed all the archived email from their users, and all the usernames and passwords with it, over to a company that makes its money from indexing and scanning and selling data.

We're getting an "enhanced internet experience" in return. Kind of like calling prison rape an "enhanced incarceration experience". Not quite as physically demanding, but close. Trying to get Google Mail to actually delete something is a physically frustrating experience all in itself.

Re:Security appliances growing obsolete (0)

Anonymous Coward | about a year and a half ago | (#42682345)

Security appliances are for those that lack the skills to maintain their own solution. That's no secret. You pays your money and you get a managed solution that hopefully will do the job for you.

Since you lack the skills to do it yourself you have to trust them to maintain their paid solution.
If you get what you pay for you will be mostly OK because of the support you pay for and need.

If they screw up you are pwned.

Oh well, that's the way it is with paid solutions. Not everyone is a skilled programmer and admin and can do a great solution for themselves, so there is clearly a place for a paid solution like Barracuda.

That said, Barracuda has clearly used methods in their antispam solution in the past (I can't say about now) that do not constitute best practices, IMHO. They likely disagree with me.

Re:Security appliances growing obsolete (0)

Anonymous Coward | about a year and a half ago | (#42682531)

Why spend a fortune when your infrastructure is all VMs hosted across multiple data centers in many distinct geographic locations.

I don't know, so let's ask how AWS has been working out for Netflix...

Re:Security appliances growing obsolete (0)

Anonymous Coward | about a year and a half ago | (#42687181)

Because the client is government/military.

Re:Security appliances growing obsolete (1)

tom229 (1640685) | about a year and a half ago | (#42692059)

It wouldn't be a normal day of browsing slashdot without seeing the ubiquitous "cloud is the answer to everything" post.

Hosting services, software, and whole environments elsewhere is not a new solution, it just has a new name probably coined by a room full of technical illiterates looking at a visio network diagram.

'The cloud' has pros and cons like it always has, and always will. The primary downfall is of course a loss of control and accountability for your own systems. If you determine the benefits of hosting elsewhere outweigh this as well as the many other downfalls associated with offsite hosting, then do it. But the cloud is not, and never will be, the answer to everything.

OPENVPN (3, Informative)

CajunArson (465943) | about a year and a half ago | (#42681757)

Live it, love it, use it (oh and it has commercial support too so it's not just a toy). http://openvpn.net/ [openvpn.net]

Re:OPENVPN (1)

Anonymous Coward | about a year and a half ago | (#42682095)

SSL VPN != browser-based SSL VPN... There's no open-source browser-based SSL VPN (anymore; Barracuda's SSL VPN was originally SSL-Explorer...)

Re:OPENVPN (1)

bill_mcgonigle (4333) | about a year and a half ago | (#42683203)

There's no open-source browser-based SSL VPN

Does OpenVPN ALS [sourceforge.net] not qualify?

Re:OPENVPN (1)

EmagGeek (574360) | about a year and a half ago | (#42686665)

Considering the newest files for that project are from December 2008, I would say "probably not."

Re:OPENVPN (1)

shaiay (21101) | about a year and a half ago | (#42682975)

Does openvpn support certificate/public key based authentication?

Re:OPENVPN (1)

CajunArson (465943) | about a year and a half ago | (#42683095)

You could say that. In fact, it requires certificates & PKI to work. You can be a self-signing CA if you want, so there's no need to deal with Verisign/etc. if you don't want to. OpenVPN links to utilities that make it manageable to set up the CA and generate certificates for end users.

Re:OPENVPN (1)

bill_mcgonigle (4333) | about a year and a half ago | (#42683143)

You could say that. In fact, it requires certificates & PKI to work.

You can still use shared keys if you want to avoid the CA, but you lose some features when you do that (like push options).

And, yeah, it's supported public key exchange for, what, 8 years?

Re:OPENVPN (1)

CajunArson (465943) | about a year and a half ago | (#42686951)

Interesting, I didn't even know it had shared-key support. I think they prefer a PKI setup and I didn't delve into all of the options in that much detail. Good call.

Re:OPENVPN (0)

Anonymous Coward | about a year and a half ago | (#42683981)

Do you support searching on the internet?

Cannot be by accident (1)

Animats (122034) | about a year and a half ago | (#42681799)

"The backdoor accounts are present on in all available versions of Barracuda Spam and Virus Firewall, Web Filter, Message Archiver, Web Application Firewall, Link Balancer, Load Balancer, and SSL VPN appliances."

That cannot have happened by accident. Barracuda Networks should be charged with material support of terrorism for this.

Re:Cannot be by accident (1)

Anonymous Coward | about a year and a half ago | (#42682129)

They can't be charged by the US government; it is the US government that asked them to put those backdoors in there! (I'm dead serious BTW).

Re:Cannot be by accident (0)

Anonymous Coward | about a year and a half ago | (#42682475)

Well duh, isn't that the gold standard of terrorism?
Supporting the aspirations of the US Gvmt?

What other country is actively killing innocent civilians in drone strikes, even those who show up to help - as in double-tap strikes.
What other country is actively holding people in cages without charges and the ability to confront their accusers - for more than a decade now?
What other country is actively engaged in hot wars in multiple countries.
What other countries have engaged in offensive wars of aggression?

It's perhaps obvious, but still sad to many of us who treasure what our country *should* stand for, that the US itself is a top contender for most "terrorist" nation on planet earth.

But the way "terrorism" is defined precludes that - by most definitions:
Terrorism is what *you do* when you do things I don't like.
When I do that same stuff, I'm engaging in supporting *freedom* and apple-pie and all things wholesome and good.

Re:Cannot be by accident (0)

Anonymous Coward | about a year and a half ago | (#42683895)

Why so serious? :)

Would you like some anarchy in your life or do you like the pleasant blinded life that you most likely live?

Re:Cannot be by accident (2)

Skiron (735617) | about a year and a half ago | (#42682233)

If you buy any of their products, you agree to the T&C et al. Doesn't matter if they do not say what they don't say (you get the drift) if their products have back doors - that is your fault. It is interesting in the security report that they state the back door accounts that are 'hard set' will NOT be removed.

Re:Cannot be by accident (0)

Anonymous Coward | about a year and a half ago | (#42682265)

It is entirely possible that the "backdoor accounts" were the initial hardcoded testing accounts (before getting the proper account system in place) and there was an accident that the devs involved were overwhelmed with "urgent" aspects of the projects that they forgot to delete the constants. This does not excuse their existence, but it is a plausible explanation that only suggests negligence, not malicious intent. An overlooked vulnerability in common code then propagated (without reexamination) to all similar products.

If my guess is reasonably accurate, then there should be evidence in the code that the login systems all used the same functions from fairly early on, and it has not been significantly modified from the first product release until now.

Other sequences of events that I can easily imagine could be described as accidental, but in doing so requires much more significant degrees of negligence from those involved.

And as always, everything can be explained by a sufficiently complicated government conspiracy.

uh HUH huh huh huh ... (0)

Anonymous Coward | about a year and a half ago | (#42681889)

you said 'exploitable holes'.

A major flaw (1)

Synerg1y (2169962) | about a year and a half ago | (#42681911)

Firmware updates = downtime. Required downtime rather than optional... not good.

Re:A major flaw (3, Interesting)

characterZer0 (138196) | about a year and a half ago | (#42681963)

Firmware updates = downtime

Only if you do not have redundant systems. Not good.

Re:A major flaw (1)

Synerg1y (2169962) | about a year and a half ago | (#42682871)

How many people do you know that have "redundant" firewalls?

That's like saying install 2 switches for every 1 and run twice the cabling and install twice the NIC cards. Not good.

It's a definition update though, so no downtime required.

Re:A major flaw (2)

characterZer0 (138196) | about a year and a half ago | (#42683027)

I have run dual Cisco PIXes, one as a hot standby. Can't the Barracudas do the same thing?

o/ (0)

Anonymous Coward | about a year and a half ago | (#42683219)

Yep, we have.

All our major firewalls (srx3600's, isg2000's, asa5520's, ...) where I work are built redundant; just a few tiny lab firewalls (ssg5's, asa5505's) are not. Also the core routers & switches from the 65k's down to distribution level are redundant, as are most of the access switches' uplinks. Not exactly cheap, but it makes maintaining the network so much easier and more failure tolerant. We have 12 large switches, all with redundant supervisors, both redundant core devices in the campus network, about 80 distribution switches, 685 access switches and about 400 APs, multiple redundant WLCs and redundant NMS, redundant firewall etc. management systems. The same goes with the storage side: SAN, FCoE, server virtualisation platforms, backup systems, content switches, log management systems etc. All of them built redundant.

Just a hint, this is a mid size government funded university with about 20k students and 2500 staff, not a high profit enterprise.

ac

Re:A major flaw (1)

LurkerXXX (667952) | about a year and a half ago | (#42683891)

Everyone I know who runs CARP [openbsd.org]. Redundancy is good if you care about reliability/availability.

Re:A major flaw (0)

Anonymous Coward | about a year and a half ago | (#42683979)

Everyone running a critical system that can't tolerate downtime is who. "We're sorry, but we cannot accept payment at this time. Please try again later." Good way to lose business.

Re:A major flaw (1)

jregel (39009) | about a year and a half ago | (#42685319)

Um, the network I manage has dual Cisco ASA firewalls in an active/standby configuration.

And we install 2 switches for every 1.

If you're running business critical servers without that redundancy, you're exposing yourself to a single point of failure.

Re:A major flaw (0)

Anonymous Coward | about a year and a half ago | (#42685335)

I have redundant firewalls on all of my production perimeters.

Re:A major flaw (2, Informative)

Anonymous Coward | about a year and a half ago | (#42682107)

What they call a "firmware update" is incorrect; from what I can tell this just patches the file that contains the allowed SSH IPs and nothing more. I have one of the affected devices which does NOT have SSH enabled from outside and it downloaded and installed the "security update" on its own during its usual hourly update cycle.

Re:A major flaw (1)

hesiod (111176) | about a year and a half ago | (#42683823)

Correct: we have one of these, so I immediately went to perform the update just to find it was already done.

Re:A major flaw (1)

Scutter (18425) | about a year and a half ago | (#42682407)

Actually, according to the tech note, it's a definition update, not a firmware update. Most Barracuda devices install definition updates automatically and with zero downtime.

Re:A major flaw (1)

Zaiff Urgulbunger (591514) | about a year and a half ago | (#42690211)

Firmware updates = downtime. Required downtime rather than optional... not good.

On the up-side, you can definitely do this remotely! :D

Facebook security hole (1)

Anonymous Coward | about a year and a half ago | (#42682001)

They also seem to have a security hole that keeps suggesting that I like Barracuda Networks on Facebook.

These auto-update with zero downtime (0)

Anonymous Coward | about a year and a half ago | (#42682055)

Most of these will probably auto-update the security defs with no downtime required (and they probably did it yesterday). Also, this is mostly an internal threat only, as nobody with common sense would publish SSH publicly. Most people put this in a DMZ and limit inbound traffic, so really, anyone following good security practice would ONLY be affected by rogue admins. Big whoop... what isn't affected by rogue admins?

"The backdoor accounts are present ON IN all" (0)

Anonymous Coward | about a year and a half ago | (#42682057)

You poor Americans...

Those damn prepositions are so confusing. Just put all the ones you can think of in the sentence, one of them is bound to be right!

News Flash (0)

interval1066 (668936) | about a year and a half ago | (#42682127)

Well known & popular product ships with security issues- company fixes said issues. Srsly... /.????

Re:News Flash (1)

s1lverl0rd (1382241) | about a year and a half ago | (#42684031)

The point is that a well known security product by a security vendor has a problem like this. This is not the kind of thing you buy off eBay from some shady guy in Ukraine or something. Barracuda sells products that will set you back thousands of bucks a year. You simply don't expect cheap tricks such as these for that kind of money. Hence newsworthy, IMHO.

Also, if you read the report, or the tech note even, it hints that the underlying issue (backdoor accounts) won't actually be fixed: "According to Barracuda Networks these accounts are essential for customer support and will not be removed."

Okay - It has to be said... (0)

certain death (947081) | about a year and a half ago | (#42682335)

AAaaaaaaaaaaaaaaaahhhhh.....BARRACUDA!!!! :oP

Re:Okay - It has to be said... (0)

Anonymous Coward | about a year and a half ago | (#42684245)

Go back to reddit you fag.

No Barracudas in the fish tank... (1)

BoRegardless (721219) | about a year and a half ago | (#42682385)

They jump out & bite you!

Disreputable (1)

ZorinLynx (31751) | about a year and a half ago | (#42682411)

This company tried to charge my friend's employer for over a year of time during which the product wasn't being used when they tried to reactivate it after it had been in a storage closet for that time.

They wouldn't budge, either, and my friend's company had to find an alternate solution.

So yeah, not doing business with them anytime soon.

Re:Disreputable (0)

Anonymous Coward | about a year and a half ago | (#42684635)

As a former Barracuda sales rep: the end user pays for contiguous Energize Update subs from the time of the initial sale. If you don't use the hardware for a year after your initial subs expire, you would need to come current, meaning pay for whatever time had lapsed and however long you'd like to stay current going forward (1, 3, and 5 year options).

This has to do, primarily, with the hardware refresh program they created; after four years of contiguous subs (Energize Updates and Instant Replacement) you can get brand new hardware shipped at no additional fee.

Re:Disreputable (1)

ZorinLynx (31751) | about a year and a half ago | (#42685931)

This is rather ridiculous. The company was pretty much shut down during the time the hardware was not in use. Why should you have to pay for a subscription during a period the hardware wasn't in use?

Imagine if Comcast tried to do this. "Yeah, you're coming back to us after two years but to use the hardware you bought you have to pay two years of back-subscription."

If you want to deny eligibility for a replacement, or base it on years of subscription, rather than ownership, it would make more sense than holding the customer hostage and unable to start using your product! You might as well put up a big sign that says "Please go to our competitor, we don't want your business."

Re:Disreputable (0)

Anonymous Coward | about a year and a half ago | (#42686965)

Your is somewhat flawed, but I see what you're saying. However, their system isn't set up for such things, and their sales rep could have the fee waived if they agreed to multi-year subs going forward. I know, I did it all the time. All it took was my department manager signing off on it (my sales quota was so high I'd do whatever to get money in my coffer). And the devices would still function either way, just wouldn't have the latest firmware or feature sets if they decided to not go forward. There are devices like the Link Balancer and the Load Balancer that haven't had firmware updates for years and would continue to work just the same if the end user stopped paying the EU.

Done on purpose for Barracuda purposes (0)

Anonymous Coward | about a year and a half ago | (#42685895)

This was done on purpose so Barracuda would always have access to the box. This was not done by request of the U.S. government. This was a Barracuda "control" mechanism, and it's good that they were called out on this and now should pay. Oh, and Palo Alto must be loving this; Barracuda has a real hard-on to beat them for some reason.

That's what you get (0)

Anonymous Coward | about a year and a half ago | (#42686627)

When you get a company run by a bunch of teenage college dropouts who put Linux on commodity hardware, shipped with stock kernels and a bunch of poorly-written scripts, and a firewall that's based on a 3-year-old fork of IPCop... and call it an "enterprise security appliance."

Re: That's what you get (1)

Yert (25874) | about a year and a half ago | (#42688793)

I hate to burst your bubble, but only one of the co-founders doesn't have a degree, according to the company management page - https://www.barracudanetworks.com/company/management

Like a WORM inside your HEAD! (0)

Anonymous Coward | about a year and a half ago | (#42688121)

"Everything we see has some hidden message. A lot of awful messages are coming in under the radar - subliminal consumer messages, all kinds of politically incorrect messages..." - Harold Ramis

"RFID in School Shirts must be trial run"

The trial runs began a LONG time ago!

We're way past that process.

Now we're in the portion of the game where they will try and BRAINWASH us into accepting these things because not everyone BROADCASTS themselves on and offline, so RFID tracking will NEED to be EVERYWHERE, eventually.

RFID is employed in MANY areas of society. RFID is used to TRACK their livestock (humans) in:

* 1. A lot of BANK's ATM & DEBIT cards (easily cloned and tracked)
* 2. Subway, rail, bus, other mass transit passes (all of your daily activities, where you go, are being recorded in many ways)
* 3. A lot of RETAIL stores' goods
* 4. Corporate slaves (in badges, tags, etc)

and many more ways!

Search the web about RFID and look at the pictures of various RFID devices; they're not all the same in form or function! When you see how tiny some of them are, you'll be amazed! Search for GPS tracking and devices, too, along with the more obscure:

- FM Fingerprinting &
- Writeprint
- Stylometry

tracking methods! Let's not forget the LIQUIDS at their disposal which can be sprayed on you and/or your devices/clothing and TRACKED, similar to STASI methods of tracking their livestock (humans).

Visit David Icke's and Prison Planet's discussion forums and VC's discussion forums and READ the threads about RFID and electronic tagging, PARTICIPATE in discussions. SHARE what you know with others!

These TRACKING technologies, on and off the net are being THROWN at us by the MEDIA, just as cigarettes and alcohol have and continue to be, though the former less than they used to. The effort to get you to join FACEBOOK and TWITTER, for example, is EVERYWHERE.

Maybe, you think, you'll join FACEBOOK or TWITTER with an innocent reason, in part perhaps because your family, friends, business partners, college ties want or need you. Then it'll start with one photo of yourself or you in a group, then another, then another, and pretty soon you are telling STRANGERS as far away as NIGERIA, with scammers reading and archiving your PERSONAL LIFE, and many of these CRIMINALS have the MEANS and MOTIVES to use it how they please.

One family was astonished to discover a photo of theirs was being used in an ADVERTISEMENT (on one of those BILLBOARDS you pass by on the road) in ANOTHER COUNTRY! There are other stories. I've witnessed people posting their photo in social networking sites, only to have others who dis/like them COPY the photo and use it for THEIR photo! It's a complete mess.

The whole GAME stretches much farther than the simple RFID device(s), but how far are you willing to READ about these types of intrusive technologies? If you've heard, Wikileaks exposed corporations selling SPYWARE in software and hardware form to GOVERNMENTS!

You have to wonder, "Will my anti-malware program actually DISCOVER government controlled malware? Or has it been WHITELISTED? or obscured to the point where it cannot be detected? Does it carve a nest for itself in your hardware devices' FIRMWARE, what about your BIOS?

Has your graphics card been poisoned, too?" No anti-virus programs scan the FIRMWARE on your devices, especially not your ROUTERS, which often contain commercially rubber-stamped approval of BACKDOORS for certain organizations which hackers may be exploiting right now! Search on the web for CISCO routers and BACKDOORS. That is one of many examples.

Some struggle for privacy, some argue about it, some take preventive measures, but those who are wise know:

Privacy is DEAD. You've just never seen the tombstone.

amazing, who's using this crap (0)

Anonymous Coward | about a year and a half ago | (#42690681)

Ehh, crappy SA box with backdoors and old technology.

Know what else has exploitable holes? (0)

Anonymous Coward | about a year and a half ago | (#42695153)

Your mom.
