
Barracuda Load Balancer ADC Key Recovery / Password Reset

Posted Jan 20, 2015
Authored by Cristiano Maruti

Barracuda Load Balancer ADC with firmware version 5.0.0.015 suffers from multiple security issues. The file system encryption keys can be recovered via a cold-boot-style attack, the super user password can be reset off-line via a physical attack, and there are hard-coded credential and hard-coded SSH key issues, along with various other problems.

tags | advisory
advisories | CVE-2014-8426, CVE-2014-8428
SHA-256 | 5c42032507e2bcde6818fa49b6b98725db14f0fa3e856bb46af8de90d060d086

===============================================================================
title: Virtual Appliance Security Review
case id: CM-2013-01
product: Barracuda Load Balancer ADC
vulnerability type: Multiple
severity: Medium to High
found: 2013-12-13
by: Cristiano Maruti (@cmaruti)
===============================================================================

[EXECUTIVE SUMMARY]

While reviewing the virtual appliance, five major security issues were
identified:
1) Ability to recover the file system encryption keys via a cold-boot-style
attack;
2) Off-line super user password reset via physical attack;
3) Hard-coded credential for an interactive unprivileged user;
4) Hard-coded SSH key file that could permit local privilege escalation;
5) Various credentials and private IP address of Barracuda’s internal server.

[VULNERABLE VERSIONS]

Barracuda Load Balancer - firmware version 5.0.0.015. Other appliances from the
vendor are probably affected by the same problems.

[TECHNICAL DETAILS]

The full report with technical details about the vulnerabilities I have
identified is available at:
https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf

[VULNERABILITY REFERENCE]

The following IDs were assigned by Barracuda (BNSECID) to handle the
vulnerabilities:
- BNSEC-0004000355: VM filesystem encryption keys can be leaked through memory
dump.
- BNSEC-0006000122: VM appliance susceptible to off-line user password reset.
- BNSEC-0006000124: VM filesystem encryption keys can be leaked through memory
dump.
- BNSEC-0006000123: Hard coded weak credentials for product user.
- BNSEC-0006000126: Internal system information leakage through VM virtual
drive.
- BNSEC-0006000125: Privilege escalation using improperly protected SSH key.

The following CVE IDs were pre-allocated to track the vulnerabilities:
- CVE-2014-8426: Hard coded weak credentials for product user.
- CVE-2014-8428: Privilege escalation using improperly protected SSH key.

[DISCLOSURE TIMELINE]

2014-01-03 Report submitted to vendor via its bug bounty program.
2014-01-03 Vendor confirmed receiving the report (automatic reply).
2014-01-09 Vendor gave follow-up.
2014-01-13 Vendor provided BNSEC IDs.
2014-01-22 Researcher requested further update about the status of the
submission.
2014-01-22 Vendor gave follow-up and updated the list of BNSEC IDs.
2014-02-06 Researcher requested, for the second time, an update about the
status of his submission.
2014-02-06 Vendor acknowledged the delay in processing the submission because
of internal reorganization of the bounty program.
2014-03-18 Vendor sent update, confirming the severity of the vulnerabilities;
still processing the submission and developing appropriate fixes.
2014-03-20 Vendor approved bounty. Four of five vulnerabilities are eligible
for the bounty program.
2014-04-20 Barracuda created fixes for the issues reported but postponed the
test due to addressing the Heartbleed vulnerability.
2014-04-23 Researcher received the bounty prize.
2014-05-06 Vendor gave follow-up but no further details about the status of the
patching process were disclosed.
2014-06-04 Researcher requested further update about the status of the
submission.
2014-10-01 Vendor postponed the fix due to Shellshock vulnerability.
2014-12-05 Vendor escalated the issues because cleanup had been delayed too
many times; coordinated disclosure date set for January 20th, 2015.
2015-01-20 Public disclosure.

[SOLUTION]

Vendor addressed the vulnerabilities identified by CVE-2014-8426 and
CVE-2014-8428. The Vendor is currently evaluating ways to mitigate the
remaining ones.

[REPORT URL]

https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf

