This story was updated at 9:45 a.m. Friday (Jan. 25) to add comment from Barracuda Networks.
Networking and security devices sold by Barracuda Networks have several built-in backdoors, or secret administrative accounts, which may have been there since the company was founded 10 years ago.
That's the upshot of a new advisory from Vienna-based information-security company SEC Consult, which contacted Barracuda in November about its discovery and released the news today (Jan. 24), one day after Barracuda pushed out a partial patch.
Attackers aware of the backdoors could have hijacked security software and hardware at any of Barracuda's 150,000 corporate clients worldwide, leading to unimaginable amounts of data theft. It's not known whether the backdoors were ever exploited.
The backdoors allow remote administrator access to at least seven different types of Barracuda devices, presumably for purposes of tech support.
'Product'? Come right on in
But the access restrictions on the backdoors may have been inadequate. While the backdoors permitted logins only from certain ranges of Internet Protocol addresses occupied by Barracuda, dozens of other organizations also occupy IP addresses in those ranges.
"The public ranges include servers run by Barracuda Networks, Inc., but also servers from other, unaffiliated entities — all of whom can access SSH [secure shell protocol] on all affected Barracuda Networks appliances exposed to the Internet," said the SEC Consult advisory, written by researcher Stefan Viehböck.
Even worse, one backdoor account with the username "product" allowed entry without a password.
"It was confirmed that this user can access the MySQL database (root@localhost with no password) e.g. to add new users with administrative privileges to the appliance configuration," wrote Viehböck.
Viehböck added that internal timestamps and software versions "suggest that these rules might have been in place on Barracuda Networks appliances since 2003," when the company was founded.
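Detection logic for the mechanism described above, as an added example that is not from the article, SEC Consult or Barracuda: it scans constructed sshd log lines for successful logins to the "product" support account and labels each by whether the source address falls inside a placeholder vendor range. The log format, the support-account list beyond "product", and the TEST-NET range standing in for the vendor's addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of sshd log lines in the standard OpenSSH format;
# that an appliance logs exactly like this is an assumption.
SAMPLE_LOG = """\
Jan 24 10:15:02 appliance sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Jan 24 10:17:45 appliance sshd[1210]: Accepted password for product from 203.0.113.5 port 51234 ssh2
Jan 24 10:19:03 appliance sshd[1222]: Accepted publickey for product from 198.51.100.77 port 44021 ssh2
Jan 24 10:20:11 appliance sshd[1230]: Failed password for root from 198.51.100.9 port 44100 ssh2
"""

# Vendor support accounts to watch. "product" is the account named in the
# advisory; any further accounts are for the operator to add.
SUPPORT_ACCOUNTS = {"product"}

# Placeholder for the vendor-occupied ranges the appliance ACL permits;
# this is a documentation (TEST-NET) prefix, not the vendor's real range.
VENDOR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def classify_logins(log_text, accounts=SUPPORT_ACCOUNTS, ranges=VENDOR_RANGES):
    """Return one finding (user, source_ip, verdict) per successful login
    to a support account.

    A source inside the vendor range is not proof that the vendor logged
    in: the advisory's point is that unrelated parties hold addresses in
    those ranges too, so both cases are reported and only the label differs.
    """
    findings = []
    for line in log_text.splitlines():
        match = ACCEPTED.search(line)
        if not match:
            continue
        _method, user, src = match.groups()
        if user not in accounts:
            continue
        in_range = any(ipaddress.ip_address(src) in net for net in ranges)
        verdict = ("in vendor range; confirm against a vendor support ticket"
                   if in_range else "outside vendor range; treat as compromise")
        findings.append((user, src, verdict))
    return findings


if __name__ == "__main__":
    for user, src, verdict in classify_logins(SAMPLE_LOG):
        print(f"{user} from {src}: {verdict}")
```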
Not giving away all the marbles
Barracuda's security definition 2.0.5, pushed out yesterday (Jan. 23), only partly fixes the problem, Viehböck wrote. It eliminated seven of the backdoor accounts, but left three.
"According to Barracuda Networks, these accounts are essential for customer support and will not be removed," Viehböck wrote.
"In secure environments, it is highly undesirable to use appliances with backdoors built into them," he added, "even if only the manufacturer can access them."
Barracuda's patch also fixed a related security hole found by SEC Consult that affected one product line's implementation of Java software.
Barracuda Networks, located in Campbell, Calif., makes load balancers, firewalls, filters and other devices related to corporate networking and security.
Its devices and yearly support subscriptions range in price from several hundred dollars to more than $100,000 each.
Barracuda Networks representatives did not immediately return requests for comment.
UPDATE: "It is true that SEC Consult published a report on Barracuda exposing some vulnerabilities associated with our backend support mechanisms," a Barracuda spokeswoman confirmed. "In collaboration with them, we took a number of measures to mitigate those vulnerabilities for our existing customers."
"We are not aware of any actual examples of our customer support tools being used for malicious purposes," she added. "It is important to note [that] our network firewalls (Barracuda NG Firewall, Barracuda Firewall) and Barracuda Backup were not impacted by this."
"Customers who had the affected appliances behind a network firewall (as we have always recommended to our customers) — whether that be a Barracuda network firewall or another vendor's — were not impacted by this."