var-201708-0293
Vulnerability from variot
Privilege escalation vulnerability in Barracuda Load Balancer 5.0.0.015 via the use of an improperly protected SSH key. Barracuda Load Balancer Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The controller provides protection against intrusion and attack events, while optimizing application load and providing strong performance support. =============================================================================== title: Virtual Appliance Security Review case id: CM-2013-01 product: Barracuda Load Balancer ADC vulnerability type: Multiple severity: Medium to High found: 2013-12-13 by: Cristiano Maruti (@cmaruti) ===============================================================================
[EXECUTIVE SUMMARY]
While reviewing the virtual appliance, five major security issues were identified: 1) Ability to recover the file system encryption keys via simil cold-boot attack; 2) Off-line super user password reset via physical attack; 3) Hard-coded credential for an interactive unprivileged user; 4) Hard-coded SSH key file that could permit local privilege escalation; 5) Various credentials and private IP address of Barracuda’s internal server.
[VULNERABLE VERSIONS]
Barracuda Load Balancer - firmware version 5.0.0.015. Probably there are other appliances from the vendor affected by the same problems.
[TECHNICAL DETAILS]
The full report with technical details about the vulnerabilities I have identified is available at: https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf
[VULNERABILITY REFERENCE]
The following ID were associated by Barracuda (BNSECID) to handle the vulnerabilities: - BNSEC-0004000355: VM filesystem encryption keys can be leaked through memory dump. - BNSEC-0006000122: VM appliance susceptible to off-line user password reset. - BNSEC-0006000124: VM filesystem encryption keys can be leaked through memory dump. - BNSEC-0006000123: Hard coded weak credentials for product user. - BNSEC-0006000126: Internal system information leakage through VM virtual drive.
The following CVE IDs were pre-allocated to track the vulnerabilities: - CVE-2014-8426: Hard coded weak credentials for product user.
[DISCLOSURE TIMELINE]
2014-01-03 Report submitted to vendor via its bug bounty program. 2014-01-03 Vendor confirmed receiving the report (automatic reply). 2014-01-09 Vendor gave follow-up. 2014-01-13 Vendor provided BNSEC IDs. 2014-01-22 Researcher requested further update about the status of the submission. 2014-01-22 Vendor gave follow-up and updates the list of BNSEC IDs. 2014-02-06 Researcher requested for the second time an update about the status of his submission. 2014-02-06 Vendor acknowledged the delay in processing the submission because of internal reorganization of the bounty program. 2014-03-18 Vendor sent update. Confirming the severity of the vulnerabilities, still processing the submission and developing appropriate fixes. 2014-03-20 Vendor approved bounty. Four of five vulnerabilities are eligible for the bounty program. 2014-04-20 Barracuda created fixes for the issues reported but postponed the test due to addressing the Heartbleed vulnerability. 2014-04-23 Researcher received the bounty prize. 2014-05-06 Vendor gave follow-up but no further details about the status of the patching process were disclosed. 2014-06-04 Researcher requested further update about the status of the submission. 2014-10-01 Vendor postponed the fix due to Shellshock vulnerability. 2014-12-05 Vendor escalated the issues due to cleanup delayed too many times; coordinated disclosure date will be on January 20th, 2015. 2015-01-20 Public disclosure.
[SOLUTION]
Vendor addressed the vulnerabilities identified by CVE-2014-8426 and CVE-2014-8428. The Vendor is currently evaluating ways to mitigate the remaining ones.
[REPORT URL]
https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201708-0293",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "load balancer",
"scope": "eq",
"trust": 1.6,
"vendor": "barracuda",
"version": "5.0.0.015"
},
{
"model": "load balancer adc",
"scope": "eq",
"trust": 0.8,
"vendor": "barracuda",
"version": "5.0.0.015"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"db": "CNNVD",
"id": "CNNVD-201708-1191"
},
{
"db": "NVD",
"id": "CVE-2014-8428"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:barracuda_networks:load_balancer",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cristiano Maruti",
"sources": [
{
"db": "PACKETSTORM",
"id": "130027"
}
],
"trust": 0.1
},
"cve": "CVE-2014-8428",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2014-8428",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-76373",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2014-8428",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-8428",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "NVD",
"id": "CVE-2014-8428",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNNVD",
"id": "CNNVD-201708-1191",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-76373",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-76373"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"db": "CNNVD",
"id": "CNNVD-201708-1191"
},
{
"db": "NVD",
"id": "CVE-2014-8428"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Privilege escalation vulnerability in Barracuda Load Balancer 5.0.0.015 via the use of an improperly protected SSH key. Barracuda Load Balancer Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The controller provides protection against intrusion and attack events, while optimizing application load and providing strong performance support. ===============================================================================\n title: Virtual Appliance Security Review\n case id: CM-2013-01\n product: Barracuda Load Balancer ADC\n vulnerability type: Multiple\n severity: Medium to High\n found: 2013-12-13\n by: Cristiano Maruti (@cmaruti)\n===============================================================================\n\n[EXECUTIVE SUMMARY]\n\nWhile reviewing the virtual appliance, five major security issues were\nidentified:\n1) Ability to recover the file system encryption keys via simil cold-boot\n attack;\n2) Off-line super user password reset via physical attack;\n3) Hard-coded credential for an interactive unprivileged user;\n4) Hard-coded SSH key file that could permit local privilege escalation;\n5) Various credentials and private IP address of Barracuda\u2019s internal server. \n\n[VULNERABLE VERSIONS]\n\nBarracuda Load Balancer - firmware version 5.0.0.015. Probably there are other\nappliances from the vendor affected by the same problems. \n\n[TECHNICAL DETAILS]\n\nThe full report with technical details about the vulnerabilities I have\nidentified is available at:\nhttps://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf\n\n[VULNERABILITY REFERENCE]\n\nThe following ID were associated by Barracuda (BNSECID) to handle the\nvulnerabilities:\n- BNSEC-0004000355: VM filesystem encryption keys can be leaked through memory\n dump. \n- BNSEC-0006000122: VM appliance susceptible to off-line user password reset. \n- BNSEC-0006000124: VM filesystem encryption keys can be leaked through memory\n dump. \n- BNSEC-0006000123: Hard coded weak credentials for product user. \n- BNSEC-0006000126: Internal system information leakage through VM virtual\n drive. \n\nThe following CVE IDs were pre-allocated to track the vulnerabilities:\n- CVE-2014-8426: Hard coded weak credentials for product user. \n\n[DISCLOSURE TIMELINE]\n\n2014-01-03 Report submitted to vendor via its bug bounty program. \n2014-01-03 Vendor confirmed receiving the report (automatic reply). \n2014-01-09 Vendor gave follow-up. \n2014-01-13 Vendor provided BNSEC IDs. \n2014-01-22 Researcher requested further update about the status of the\n submission. \n2014-01-22 Vendor gave follow-up and updates the list of BNSEC IDs. \n2014-02-06 Researcher requested for the second time an update about the status\n of his submission. \n2014-02-06 Vendor acknowledged the delay in processing the submission because\n of internal reorganization of the bounty program. \n2014-03-18 Vendor sent update. Confirming the severity of the vulnerabilities,\n still processing the submission and developing appropriate fixes. \n2014-03-20 Vendor approved bounty. Four of five vulnerabilities are eligible\n for the bounty program. \n2014-04-20 Barracuda created fixes for the issues reported but postponed the\n test due to addressing the Heartbleed vulnerability. \n2014-04-23 Researcher received the bounty prize. \n2014-05-06 Vendor gave follow-up but no further details about the status of the\n patching process were disclosed. \n2014-06-04 Researcher requested further update about the status of the\n submission. \n2014-10-01 Vendor postponed the fix due to Shellshock vulnerability. \n2014-12-05 Vendor escalated the issues due to cleanup delayed too many times;\n coordinated disclosure date will be on January 20th, 2015. \n2015-01-20 Public disclosure. \n\n[SOLUTION]\n\nVendor addressed the vulnerabilities identified by CVE-2014-8426 and\nCVE-2014-8428. The Vendor is currently evaluating ways to mitigate the\nremaining ones. \n\n[REPORT URL]\n\nhttps://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-8428"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"db": "VULHUB",
"id": "VHN-76373"
},
{
"db": "PACKETSTORM",
"id": "130027"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-8428",
"trust": 2.6
},
{
"db": "PACKETSTORM",
"id": "130027",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008349",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201708-1191",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-76373",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-76373"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"db": "PACKETSTORM",
"id": "130027"
},
{
"db": "CNNVD",
"id": "CNNVD-201708-1191"
},
{
"db": "NVD",
"id": "CVE-2014-8428"
}
]
},
"id": "VAR-201708-0293",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-76373"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T22:34:34.793000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Barracuda Load Balancer ADC",
"trust": 0.8,
"url": "https://www.barracuda.com/products/loadbalancer?L=jp"
},
{
"title": "Barracuda Load Balancer Fixes for permission permissions and access control vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74319"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"db": "CNNVD",
"id": "CNNVD-201708-1191"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-264",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-76373"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"db": "NVD",
"id": "CVE-2014-8428"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://packetstormsecurity.com/files/130027/barracuda-load-balancer-adc-key-recovery-password-reset.html"
},
{
"trust": 1.7,
"url": "http://seclists.org/fulldisclosure/2015/jan/76"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8428"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8428"
},
{
"trust": 0.1,
"url": "https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-8426"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-76373"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"db": "PACKETSTORM",
"id": "130027"
},
{
"db": "CNNVD",
"id": "CNNVD-201708-1191"
},
{
"db": "NVD",
"id": "CVE-2014-8428"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-76373"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"db": "PACKETSTORM",
"id": "130027"
},
{
"db": "CNNVD",
"id": "CNNVD-201708-1191"
},
{
"db": "NVD",
"id": "CVE-2014-8428"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-28T00:00:00",
"db": "VULHUB",
"id": "VHN-76373"
},
{
"date": "2017-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"date": "2015-01-20T23:24:28",
"db": "PACKETSTORM",
"id": "130027"
},
{
"date": "2017-08-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201708-1191"
},
{
"date": "2017-08-28T15:29:00.500000",
"db": "NVD",
"id": "CVE-2014-8428"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-09-01T00:00:00",
"db": "VULHUB",
"id": "VHN-76373"
},
{
"date": "2017-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-008349"
},
{
"date": "2017-08-30T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201708-1191"
},
{
"date": "2024-11-21T02:19:04.187000",
"db": "NVD",
"id": "CVE-2014-8428"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201708-1191"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Barracuda Load Balancer Vulnerabilities related to authorization, permissions, and access control",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-008349"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201708-1191"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.