=============================================================================== title: Virtual Appliance Security Review case id: CM-2013-01 product: Barracuda Load Balancer ADC vulnerability type: Multiple severity: Medium to High found: 2013-12-13 by: Cristiano Maruti (@cmaruti) =============================================================================== [EXECUTIVE SUMMARY] While reviewing the virtual appliance, five major security issues were identified: 1) Ability to recover the file system encryption keys via simil cold-boot attack; 2) Off-line super user password reset via physical attack; 3) Hard-coded credential for an interactive unprivileged user; 4) Hard-coded SSH key file that could permit local privilege escalation; 5) Various credentials and private IP address of Barracuda’s internal server. [VULNERABLE VERSIONS] Barracuda Load Balancer - firmware version 5.0.0.015. Probably there are other appliances from the vendor affected by the same problems. [TECHNICAL DETAILS] The full report with technical details about the vulnerabilities I have identified is available at: https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf [VULNERABILITY REFERENCE] The following ID were associated by Barracuda (BNSECID) to handle the vulnerabilities: - BNSEC-0004000355: VM filesystem encryption keys can be leaked through memory dump. - BNSEC-0006000122: VM appliance susceptible to off-line user password reset. - BNSEC-0006000124: VM filesystem encryption keys can be leaked through memory dump. - BNSEC-0006000123: Hard coded weak credentials for product user. - BNSEC-0006000126: Internal system information leakage through VM virtual drive. - BNSEC-0006000125: Privilege escalation using improperly protected SSH key. The following CVE IDs were pre-allocated to track the vulnerabilities: - CVE-2014-8426: Hard coded weak credentials for product user. - CVE-2014-8428: Privilege escalation using improperly protected SSH key. [DISCLOSURE TIMELINE] 2014-01-03 Report submitted to vendor via its bug bounty program. 2014-01-03 Vendor confirmed receiving the report (automatic reply). 2014-01-09 Vendor gave follow-up. 2014-01-13 Vendor provided BNSEC IDs. 2014-01-22 Researcher requested further update about the status of the submission. 2014-01-22 Vendor gave follow-up and updates the list of BNSEC IDs. 2014-02-06 Researcher requested for the second time an update about the status of his submission. 2014-02-06 Vendor acknowledged the delay in processing the submission because of internal reorganization of the bounty program. 2014-03-18 Vendor sent update. Confirming the severity of the vulnerabilities, still processing the submission and developing appropriate fixes. 2014-03-20 Vendor approved bounty. Four of five vulnerabilities are eligible for the bounty program. 2014-04-20 Barracuda created fixes for the issues reported but postponed the test due to addressing the Heartbleed vulnerability. 2014-04-23 Researcher received the bounty prize. 2014-05-06 Vendor gave follow-up but no further details about the status of the patching process were disclosed. 2014-06-04 Researcher requested further update about the status of the submission. 2014-10-01 Vendor postponed the fix due to Shellshock vulnerability. 2014-12-05 Vendor escalated the issues due to cleanup delayed too many times; coordinated disclosure date will be on January 20th, 2015. 2015-01-20 Public disclosure. [SOLUTION] Vendor addressed the vulnerabilities identified by CVE-2014-8426 and CVE-2014-8428. The Vendor is currently evaluating ways to mitigate the remaining ones. [REPORT URL] https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf