Networking Vendors Leave Open Backdoors in Products: Security Experts

Barracuda Networks left administrative accounts active on the routing products it sold, but many companies leave their products open to such attacks, security experts say.

Network and security hardware maker Barracuda Networks revealed last week that it had issued patches for eight of its product families to limit access to administrative accounts that could have allowed attackers to compromise the products.

The backdoor access could have given an attacker complete access to the devices, provided they knew the password—and possibly have stolen an encryption key—to a targeted device, stated Stefan Viehböck, a security researcher with SEC Consult Vulnerability Lab, who found the issues.

Barracuda did limit access to the backdoor features to certain ranges of Internet addresses, but the groups of addresses included a number of servers for other companies and individuals as well. Compromising those servers could have given an attacker the ability to access vulnerable networking hardware.

While the company has taken steps to make access unlikely, customers should be able to turn off such functionality, Viehböck said in a security advisory.

"In secure environments, it is highly undesirable to use appliances with backdoors built into them, even if only the manufacturer can access them," Viehböck stated in an advisory on the issue.

Barracuda confirmed the issues in its own brief advisory on the issue.

"Our research has confirmed that an attacker with specific internal knowledge of the Barracuda appliances may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses," the company stated. "The vulnerabilities are the result of the default firewall configuration and default user accounts on the unit."

The controversy comes as corporations and national governments worry over the security of the networking products manufactured across the globe. In October, the U.S. government recommended that companies not use products from Chinese manufacturers Huawei and ZTE, for fear that the Chinese government might insert a backdoor into the products. In August, researchers presenting at the annual Defcon hacking conference found enough vulnerabilities in Huawei's routers to allow attackers to compromise the devices remotely.

The Chinese companies are not alone. In 2007, a series of vulnerabilities in Cisco's networking operating system would have allowed a knowledgeable attacker backdoor access to any product running the operating system. Last year, researchers found that a common embedded chip had backdoor functionality as well. In fact, one security professional estimated that 20 percent of consumer routers have backdoors as well as half all industrial control systems.

In the latest case, the update published by Barracuda should mitigate the threat of the backdoor quite well, said HD Moore, the founder of the Metasploit Project and chief security officer for vulnerability-management firm Rapid7. By further limiting the Internet address ranges that can access the functionality, the patched devices should be hardened against external attackers.

"The real caveat here is the firewall rule that prevents access from my IP ranges," Moore said. "An attacker would be able to exploit this if they can join the same network segment as the appliance by spoofing the router, but it isn't an imminent danger."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...