Barracuda Firewall up to 2.0.5 SSH Daemon privileges management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.0 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Barracuda Firewall up to 2.0.5 and classified as problematic. Impacted is an unknown function of the component SSH Daemon. The manipulation results in privileges management. The attack can be launched remotely. Moreover, an exploit is present. Applying restrictive firewalling is recommended.
Details
A vulnerability classified as critical has been found in Barracuda Firewall up to 2.0.5 (Firewall Software). Affected is an unknown code of the component SSH Daemon. The manipulation with an unknown input leads to a privileges management vulnerability. CWE is classifying the issue as CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. This is going to have an impact on confidentiality, integrity, and availability.
The weakness was disclosed 01/24/2013 by Stefan Viehböck with SEC Consult Vulnerability Lab as 20130124-0 as not defined advisory (Website). The advisory is shared for download at sec-consult.com. The public release has been coordinated in cooperation with the vendor. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are unknown but a public exploit is available. The MITRE ATT&CK project declares the attack technique as T1068. An SSH daemon runs on the appliance, but network filtering (iptables) is used to only allow access from whitelisted IP ranges (private and public). The public ranges include servers run by Barracuda Networks Inc. But also servers from other, unaffiliated entities. An /etc/sysconfig/iptables file shows which rules are in place.
A public exploit has been developed by Stefan Viehböck and been published immediately after the advisory. The exploit is shared for download at sec-consult.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 56 days. During that time the estimated underground price was around $0-$5k.
It is possible to mitigate the problem by applying the configuration setting Disable sshd (expert option).It is possible to mitigate the weakness by firewalling tcp/22 (ssh). The problem might be mitigated by replacing the product with Checkpoint Firewall-1, Juniper, Cisco PIX, ASA or … as an alternative. The best possible mitigation is suggested to be applying a restrictive firewalling. A possible mitigation has been published immediately after the disclosure of the vulnerability.
Further details are available at krebsonsecurity.com. The entry VDB-7451 is pretty similar. Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.barracuda.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.8VulDB Meta Temp Score: 9.0
VulDB Base Score: 9.8
VulDB Temp Score: 9.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Privileges managementCWE: CWE-269 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: Stefan Viehböck
Download: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: FirewallStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Config: Disable sshd (expert option)
Firewalling: 🔍
Alternative: Checkpoint Firewall-1/Juniper/Cisco PIX/ASA/…
Timeline
11/29/2012 🔍01/23/2013 🔍
01/24/2013 🔍
01/24/2013 🔍
01/24/2013 🔍
01/24/2013 🔍
08/09/2017 🔍
Sources
Vendor: barracuda.comAdvisory: 20130124-0
Researcher: Stefan Viehböck
Organization: SEC Consult Vulnerability Lab
Status: Not defined
Confirmation: 🔍
Coordinated: 🔍
GCVE (VulDB): GCVE-100-7452
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 01/24/2013 20:05Updated: 08/09/2017 14:08
Changes: 01/24/2013 20:05 (64), 08/09/2017 14:08 (2)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.