Full Disclosure mailing list archives
SEC Consult SA-20130124-1 :: Authentication bypass in Barracuda SSL VPN
From: SEC Consult Vulnerability Lab <research () sec-consult com>
Date: Thu, 24 Jan 2013 13:02:37 +0100
SEC Consult Vulnerability Lab Security Advisory < 20130124-1 > ======================================================================= title: Unauthenticated setting of Java System Properties authentication bypass product: Barracuda SSL VPN vulnerable version: < Security Definition 2.0.5 fixed version: Security Definition 2.0.5 impact: Critical homepage: https://www.barracudanetworks.com/ found: 2013-01-06 by: S. Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- "Securely connecting remote users to files, applications, and secure sites - residing behind the firewall - is vital for worker mobility as well as for business continuity and data loss prevention (DLP). The Barracuda SSL VPN is a powerful plug-and-play appliance purpose-built to provide remote users with secure access to internal network resources. It does this while giving administrators unrivaled insight and tools for managing remote network access." URL: https://www.barracudanetworks.com/products/sslvpn Vulnerability overview/description: ----------------------------------- 1) Unauthenticated setting of Java system properties Unauthenticated users can set an arbitrary Java system property to an arbitrary value. Among other attacks (eg. DoS), this allows an attacker to break the applications security mechanisms. (see 2) 2) Unauthenticated access to critical functions The vulnerability in 1) can be used to bypass access restrictions in order to get access to the 'API' functionality. This enables an unauthenticated attacker to download configuration files and database dumps. Furthermore the system can be shutdown and new admin passwords can be set using this functionality without prior authentication! Proof of concept: ----------------- URLs and other exploit code have been removed from this advisory. A detailed advisory will be released within a month including the omitted information. 1) Unauthenticated setting of Java system properties The following request sets the system property 'foo' to the value 'bar': <URL removed> Affected script: setSysProp.jsp 2) Unauthenticated access to critical functions The following requests disable access restrictions for the 'API' functionality: <URLs removed> Affected script: setSysProp.jsp Then full API access is available without prior authentication. Interesting functions are for instance: * ConfDump <URL removed> Full dump of the /home/bvs/code/firmware/current/sslexplorer/conf/ directory. * SqlDump <URL removed> Full dumps of databases. valid options are: config, explorer_auditing, explorer_configuration and explorer_local. Note: this function is vulnerable to local file disclosure too <URL removed> * Shutdown <URL removed> Shutdown/restart of appliance. * SetSuperUserPassword Allows setting the passwords of users in the superuser group. <URL removed> Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in Barracuda SSL VPN version 2.2.2.203, which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2013-01-10: Sending advisory and proof of concept exploit via encrypted channel. 2013-01-14: Vendor confirms receipt and provides BNSEC IDs. 2013-01-14: Vendor sends listing of reported vulnerabilities and release schedule. 2013-01-21: Conference call - discussing implemented solutions. 2013-01-23: Barracuda Networks releases alert & secdef 2013-01-24: SEC Consult releases coordinated security advisory. Solution: --------- Update to Security Definition 2.0.5. Workaround: ----------- No workaround available. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com EOF S. Viehböck / @2013 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SEC Consult SA-20130124-1 :: Authentication bypass in Barracuda SSL VPN SEC Consult Vulnerability Lab (Jan 24)