SEC Consult Vulnerability Lab Security Advisory < 20130124-1 >
=======================================================================
              title: Unauthenticated setting of Java System Properties
                     authentication bypass
            product: Barracuda SSL VPN
 vulnerable version: < Security Definition 2.0.5
      fixed version: Security Definition 2.0.5
             impact: Critical
           homepage: https://www.barracudanetworks.com/
              found: 2013-01-06
                 by: S. Viehböck
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Securely connecting remote users to files, applications, and secure sites
- residing behind the firewall - is vital for worker mobility as well as
for business continuity and data loss prevention (DLP). The Barracuda SSL
VPN is a powerful plug-and-play appliance purpose-built to provide remote
users with secure access to internal network resources. It does this while
giving administrators unrivaled insight and tools for managing remote
network access."

URL: https://www.barracudanetworks.com/products/sslvpn

Vulnerability overview/description:
-----------------------------------
1) Unauthenticated setting of Java system properties
Unauthenticated users can set an arbitrary Java system property to an
arbitrary value. Among other attacks (e.g. DoS), this allows an attacker
to break the application's security mechanisms (see 2).

2) Unauthenticated access to critical functions
The vulnerability in 1) can be used to bypass access restrictions and gain
access to the 'API' functionality. This enables an unauthenticated attacker
to download configuration files and database dumps. Furthermore, the
appliance can be shut down and new admin passwords can be set through this
functionality, all without prior authentication.

Proof of concept:
-----------------
URLs and other exploit code have been removed from this advisory.
A detailed advisory will be released within a month including the omitted
information.

1) Unauthenticated setting of Java system properties
The following request sets the system property 'foo' to the value 'bar':
(request omitted from this advisory)
Affected script: setSysProp.jsp

2) Unauthenticated access to critical functions
The following requests disable access restrictions for the 'API'
functionality:
(requests omitted from this advisory)
Affected script: setSysProp.jsp

Then full API access is available without prior authentication.
Interesting functions are for instance:

* ConfDump
  Full dump of the /home/bvs/code/firmware/current/sslexplorer/conf/
  directory.
* SqlDump
  Full dumps of databases. Valid options are: config, explorer_auditing,
  explorer_configuration and explorer_local.
  Note: this function is vulnerable to local file disclosure too.
* Shutdown
  Shutdown/restart of the appliance.
* SetSuperUserPassword
  Allows setting the passwords of users in the superuser group.

Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in Barracuda SSL VPN version
2.2.2.203, which was the most recent version at the time of discovery.

Vendor contact timeline:
------------------------
2013-01-10: Sending advisory and proof of concept exploit via encrypted
            channel.
2013-01-14: Vendor confirms receipt and provides BNSEC IDs.
2013-01-14: Vendor sends listing of reported vulnerabilities and release
            schedule.
2013-01-21: Conference call - discussing implemented solutions.
2013-01-23: Barracuda Networks releases alert & security definition
            (secdef).
2013-01-24: SEC Consult releases coordinated security advisory.

Solution:
---------
Update to Security Definition 2.0.5.

Workaround:
-----------
No workaround available.
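Illustration of the bug class (added here; this is not code from the advisory or from Barracuda, and the real setSysProp.jsp, its parameters and the property it was used against are not given in this advisory). The class below models what 1) and 2) describe: a handler that passes caller-supplied name/value pairs straight into System.setProperty() with no authentication, next to an access check that trusts a system property, so that one unauthenticated request switches the check off. The property name demo.api.restricted, the parameter names "name" and "value", and the fail-open gate are assumptions for the demonstration. The hardened handler beside it requires an authenticated administrator and an explicit allowlist of property names.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration, not Barracuda code. Models the bug class from the
 * advisory: an unauthenticated handler that calls System.setProperty() on
 * caller-supplied name/value, next to an access check that reads a system
 * property. Property and parameter names are assumptions.
 */
public class SysPropGateDemo {

    // Assumed property consulted by the access check (not the real one).
    static final String API_RESTRICT_PROP = "demo.api.restricted";

    /* Access check of the kind a property-setting primitive defeats: the
     * decision depends on mutable, process-wide state rather than only on
     * the caller's session. */
    static boolean apiAccessAllowed(boolean authenticated) {
        boolean restricted = Boolean.parseBoolean(
                System.getProperty(API_RESTRICT_PROP, "true"));
        return authenticated || !restricted;
    }

    /* Vulnerable handler: no authentication, no allowlist. Any caller sets
     * any property to any value, including the one the access check reads. */
    static void vulnerableSetSysProp(Map<String, String> params) {
        System.setProperty(params.get("name"), params.get("value"));
    }

    /* Hardened handler: require an authenticated administrator and accept
     * only an explicit allowlist of property names; reject everything else. */
    static final Set<String> ALLOWED_PROPS = Set.of("demo.log.level");

    static void hardenedSetSysProp(Map<String, String> params, boolean isAdmin) {
        if (!isAdmin) {
            throw new SecurityException("authentication required");
        }
        String name = params.get("name");
        String value = params.get("value");
        if (name == null || value == null || !ALLOWED_PROPS.contains(name)) {
            throw new SecurityException("property not permitted: " + name);
        }
        System.setProperty(name, value);
    }

    public static void main(String[] args) {
        System.setProperty(API_RESTRICT_PROP, "true");
        System.out.println("before: unauthenticated API access = "
                + apiAccessAllowed(false));

        // Constructed attacker request: flip the gate without logging in.
        Map<String, String> attack = new HashMap<>();
        attack.put("name", API_RESTRICT_PROP);
        attack.put("value", "false");
        vulnerableSetSysProp(attack);
        System.out.println("after vulnerable handler: unauthenticated API access = "
                + apiAccessAllowed(false));

        // Reset the gate and replay the same request against the hardened handler.
        System.setProperty(API_RESTRICT_PROP, "true");
        try {
            hardenedSetSysProp(attack, false);
        } catch (SecurityException e) {
            System.out.println("hardened handler rejected request: " + e.getMessage());
        }
        System.out.println("after hardened handler: unauthenticated API access = "
                + apiAccessAllowed(false));
    }
}
```

Compile and run with javac/java (JDK 9 or later for Set.of). The point of the model is the second half of the fix, not just the first: authenticating the handler closes the entry point, but an authorization decision that reads process-global state writable from any code path stays fragile, which is why the advisory treats 1) as a primitive and 2) as one consequence of it. Whatever remains settable should be a short allowlist of names whose values nothing security-relevant consults.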
Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF S. Viehböck / @2013