A variety of firewall, VPN, and spam filtering gear sold by Barracuda Networks contains undocumented backdoor accounts that allow people to remotely log in and access sensitive information, researchers with an Austrian security firm have warned.
The SSH, or secure shell, backdoor is hardcoded into "multiple Barracuda Networks products" and can be used to gain shell access to vulnerable appliances, according to an advisory published Thursday by SEC Consult Vulnerability Lab.
"This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog," the advisory states. The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username "product" with no Update: a "very weak" password to log in and gain access to the device's MySQL database. While the backdoors can be accessed by only a small range of IP addresses, many of them belong to entities other than Barracuda.