Vulnerability Lab researchers reported the bug to Barracuda Networks
Security researchers from the Vulnerability Lab have identified a serious security hole that could affect a number of companies which rely on Barracuda products. They’ve discovered a high severity validation filter and exception handling bypass vulnerability in Barracuda’s appliances.According to the experts, the input filter that’s designed to block out persistent input attacks is flawed, exposing all security appliances.
“The bug is located when processing to save the URL path name (DB stored) with attached file. The vulnerability allows the bypassing of the path URL name parse restriction which leads to the execution on a second vulnerable bound module which displays the input as output listing,” the advisory reads.
The vulnerable modules – Account MyResource Display and File Upload – persistently execute the saved URL path (which can be a malicious code).
So how does it work?
“The URL path function saves the context of the input path name (parsed) as client side request via URL. If the request is getting bound with the file, which is getting stored (persistent) and displayed later on the overview listings, the code is getting executed unauthorized out of the security application context (persistent|server-side),” the experts explain.
The researchers say that the flaw can be fixed by parsing the second input request of the “file upload” function and the path URL request.
To demonstrate their findings, the experts have published a proof-of-concept video which shows how the input filter in Barracuda SSL VPN can be bypassed by a local attacker to execute code persistently.
Barracuda Networks has been notified of the issues sometime in May, but so far it’s uncertain when a patch will be made available.
Update. Vulnerability Lab representatives have contacted us to reveal that the security hole has been addressed by Barracuda. More details on the vulnerability, published by the company, are available here.
Here is the proof-of-concept video made available by Vulnerability Lab: