Severity score has been calculated at 8.8 out of 10

Apr 29, 2015 14:54 GMT

Some versions of the Barracuda Web Filter include two vulnerabilities in the SSL Inspection feature that could allow an attacker in a position to intercept secure traffic to decrypt and manipulate the information passing through.

Barracuda Web Filter is marketed as a comprehensive enterprise-level security solution for filtering malicious web content that also offers visibility into SSL-encrypted traffic.

Clients would not be aware of a man-in-the-middle attack

One of the vulnerabilities affecting the product is a failure to validate upstream certificates during the SSL Inspection process. The flaw is now identified as CVE-2015-0961 and affects all versions from 7.0 up to the recently released 8.1.0.005.

The severity of the flaw has been calculated at 8.8, based on the standard Common Vulnerability Scoring System (CVSS).
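To make the missing check concrete, the following added example (not Barracuda's code) models the upstream half of an SSL-inspecting proxy in Python: the TLS context it uses to reach the origin server, shown in both the hardened form and the failure mode that CVE-2015-0961 describes, plus the per-connection hostname and validity checks applied to the peer certificate. The function names and the sample certificate dictionary are constructed for illustration.

```python
import ssl
import time

# Added example, not Barracuda's code. Models the upstream half of an
# SSL-inspecting proxy: the TLS context it uses to reach the origin server,
# and the per-connection checks that CVE-2015-0961 describes as missing.


def upstream_context(ca_file=None):
    """Hardened context for the proxy's own connection to the origin server.

    create_default_context() already enables chain validation (CERT_REQUIRED)
    and hostname checking: the chain is verified against the system CA bundle
    (or the one in ca_file) and the leaf must match the server_hostname passed
    to wrap_socket(). Both are set explicitly here to make the intent visible.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_upstream_context():
    """The failure mode: any certificate presented upstream is accepted, so a
    man-in-the-middle between the filter and the origin goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _name_matches(pattern, hostname):
    """DNS name comparison; a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname


def check_upstream_cert(peercert, hostname, now=None):
    """Checks on the dict SSLSocket.getpeercert() returns after a CERT_REQUIRED
    handshake. Returns a list of problems; an empty list means the leaf is
    acceptable for this hostname at this time."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(san, hostname) for san in sans):
        problems.append(f"no subjectAltName matches {hostname}")
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    return problems


# Constructed sample in the shape getpeercert() produces; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jan 01 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    mid_2025 = 1750000000
    for host in ("www.example.com", "api.example.net", "a.b.example.net"):
        print(host, check_upstream_cert(SAMPLE_PEERCERT, host, now=mid_2025) or "ok")
    print("hardened verify_mode:", upstream_context().verify_mode)
    print("weak verify_mode:", weak_upstream_context().verify_mode)
```

With the hardened context, the chain check happens inside the handshake and `check_upstream_cert` covers the leaf's name and validity window; with the weak context none of this runs, which is the condition the advisory describes.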

The second security glitch is tracked as CVE-2015-0962 and concerns the root certificate that ships with Barracuda Web Filter being shared across multiple installations.

According to a security advisory from the CERT (Computer Emergency Readiness Team) division at Carnegie Mellon University, Barracuda Networks uses only three digital certificates for Web Filter’s SSL Inspection capability, which are shared across multiple machines.

An attacker in possession of any one of the three certificates (or all of them) could read the traffic and collect all information passing through the pipe, or impersonate one of the trusted servers, and the target would be unable to notice the malicious activity.

No use of SSL Inspection until new firmware is installed

Both security glitches were discovered by the manufacturer and reported to CERT. A tech alert was also released to inform customers of the SSL implementation weaknesses in the SSL Inspection component.

Customers using the Web Filter product have already been contacted about the potential risks and the mitigation procedure.

Barracuda Networks has released firmware version 8.1.0.005 that solves the two issues. The company advises customers to refrain from using the SSL Inspection feature until the new firmware release is applied. The update is also recommended for devices where this capability is turned off but was used in the past.

The company set up a website that allows organizations to check whether their web browser trusts any of the three shared certificates. The page includes instructions on how the certificates can be removed from the trust store used by the browser.
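The same check can be run offline against a trust store that has been exported as a PEM bundle. The added example below (not Barracuda's tool) parses such a bundle, computes the SHA-256 fingerprint of each certificate and reports any entry on a deny list of shared CA fingerprints. The real fingerprints of the three shared certificates are not on this page, so the deny list and the sample "certificates" are constructed placeholders; in use, the list would hold the fingerprints published by the vendor.

```python
import base64
import hashlib
import re
import sys

# Added example, not Barracuda's tool. Scans a PEM bundle exported from a
# trust store and reports any certificate whose SHA-256 fingerprint is on a
# deny list of known shared CA certificates.

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (used to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def iter_der_certs(bundle_text):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle."""
    for match in _PEM_RE.finditer(bundle_text):
        b64 = "".join(match.group(1).split())
        yield base64.b64decode(b64)


def find_shared_cas(bundle_text, deny_list):
    """Return [(index, fingerprint, label)] for each bundle entry on the deny list."""
    hits = []
    for index, der in enumerate(iter_der_certs(bundle_text)):
        fp = fingerprint(der)
        if fp in deny_list:
            hits.append((index, fp, deny_list[fp]))
    return hits


# Constructed sample data. These byte strings stand in for DER-encoded
# certificates; they are not real X.509 structures, and the resulting
# fingerprints are placeholders. In practice the deny list holds the SHA-256
# fingerprints of the three shared Barracuda roots, which are not on this page.
SAMPLE_SHARED_DER = b"constructed sample: shared inspection root CA"
SAMPLE_OTHER_DER = b"constructed sample: some unrelated public CA"

SAMPLE_DENY_LIST = {
    fingerprint(SAMPLE_SHARED_DER): "shared SSL Inspection root (placeholder)",
}

SAMPLE_BUNDLE = der_to_pem(SAMPLE_OTHER_DER) + der_to_pem(SAMPLE_SHARED_DER)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} trust-store.pem", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        hits = find_shared_cas(fh.read(), SAMPLE_DENY_LIST)
    for index, fp, label in hits:
        print(f"certificate #{index}: {fp} matches {label}; remove it from the trust store")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Matching on the fingerprint of the DER encoding rather than on the subject name is deliberate: a shared private key is the problem, and two certificates with the same subject but different keys would have different fingerprints. The script exits non-zero when a match is found so it can be used in an automated compliance check.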