When you buy a security appliance, the last thing you expect is to have a backdoor baked into the product intentionally. But that’s exactly what’s been discovered in a wide variety of Barracuda’s network appliance products.
A security researcher with SEC Consult recently discovered that these appliances could be accessed through accounts created by Barracuda, from a range of IP addresses (including hundreds outside Barracuda's control), without having to provide authentication. According to Barracuda, these accounts are intended for use by remote technical support. Barracuda has released an update for the affected appliances that tightens the security of most of these support accounts, but it does not remove or fully secure them.
These remote-support accounts can still be reached from IP address ranges not entirely controlled by Barracuda, which also puts the hosts in those ranges at additional risk of compromise by anyone seeking a foothold from which to reach the vulnerable appliances. Users of affected Barracuda appliances are advised to update their security definitions to v2.0.5 as soon as possible. Some are also recommending blocking port 22 (SSH) at the firewall, though many will find this measure problematic.