| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAtZkjQNdDg2gJN2xn1qtCZLcQm3L5QNBssMCt=3G4N+z7hRvA@mail.gmail.com>
Date: Tue, 20 Jan 2015 09:35:10 +0100
From: Cristiano Maruti <cmaruti@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Barracuda Load Balancer ADC VM multiple vulnerabilities
===============================================================================
title: Virtual Appliance Security Review
case id: CM-2013-01
product: Barracuda Load Balancer ADC
vulnerability type: Multiple
severity: Medium to High
found: 2013-12-13
by: Cristiano Maruti (@cmaruti)
===============================================================================
[EXECUTIVE SUMMARY]
While reviewing the virtual appliance, five major security issues were
identified:
1) Ability to recover the file system encryption keys via simil cold-boot
attack;
2) Off-line super user password reset via physical attack;
3) Hard-coded credential for an interactive unprivileged user;
4) Hard-coded SSH key file that could permit local privilege escalation;
5) Various credentials and private IP address of Barracuda’s internal server.
[VULNERABLE VERSIONS]
Barracuda Load Balancer - firmware version 5.0.0.015. Probably there are other
appliances from the vendor affected by the same problems.
[TECHNICAL DETAILS]
The full report with technical details about the vulnerabilities I have
identified is available at:
https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf
[VULNERABILITY REFERENCE]
The following ID were associated by Barracuda (BNSECID) to handle the
vulnerabilities:
- BNSEC-0004000355: VM filesystem encryption keys can be leaked through memory
dump.
- BNSEC-0006000122: VM appliance susceptible to off-line user password reset.
- BNSEC-0006000124: VM filesystem encryption keys can be leaked through memory
dump.
- BNSEC-0006000123: Hard coded weak credentials for product user.
- BNSEC-0006000126: Internal system information leakage through VM virtual
drive.
- BNSEC-0006000125: Privilege escalation using improperly protected SSH key.
The following CVE IDs were pre-allocated to track the vulnerabilities:
- CVE-2014-8426: Hard coded weak credentials for product user.
- CVE-2014-8428: Privilege escalation using improperly protected SSH key.
[DISCLOSURE TIMELINE]
2014-01-03 Report submitted to vendor via its bug bounty program.
2014-01-03 Vendor confirmed receiving the report (automatic reply).
2014-01-09 Vendor gave follow-up.
2014-01-13 Vendor provided BNSEC IDs.
2014-01-22 Researcher requested further update about the status of the
submission.
2014-01-22 Vendor gave follow-up and updates the list of BNSEC IDs.
2014-02-06 Researcher requested for the second time an update about the status
of his submission.
2014-02-06 Vendor acknowledged the delay in processing the submission because
of internal reorganization of the bounty program.
2014-03-18 Vendor sent update. Confirming the severity of the vulnerabilities,
still processing the submission and developing appropriate fixes.
2014-03-20 Vendor approved bounty. Four of five vulnerabilities are eligible
for the bounty program.
2014-04-20 Barracuda created fixes for the issues reported but postponed the
test due to addressing the Heartbleed vulnerability.
2014-04-23 Researcher received the bounty prize.
2014-05-06 Vendor gave follow-up but no further details about the status of the
patching process were disclosed.
2014-06-04 Researcher requested further update about the status of the
submission.
2014-10-01 Vendor postponed the fix due to Shellshock vulnerability.
2014-12-05 Vendor escalated the issues due to cleanup delayed too many times;
coordinated disclosure date will be on January 20th, 2015.
2015-01-20 Public disclosure.
[SOLUTION]
Vendor addressed the vulnerabilities identified by CVE-2014-8426 and
CVE-2014-8428. The Vendor is currently evaluating ways to mitigate the
remaining ones.
[REPORT URL]
https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists