Pierluigi Paganini July 24, 2013

Security expert Ebrahim Hegazy has found a Password disclosure vulnerability in Barracuda update servers which allows to gain access to employee credentials.

The cyber security Analyst @Qcert Ebrahim Hegazy(@Zigoo0) has found a Password disclosure vulnerability in one of Barracuda update servers which allows the attackers to gain access to all its employee data.

When the system administrator needs to protect a directory with a second authentication layer (basic authentication) besides the back-end authentication,  he can do it with multiple methods, one of that methods is through the configuration of  .htaccess and .htpasswd files. A proper configuration could  prevent a visitor to surf reserved area (e.g /Cpanel or /admin), in this scenario a popup  proposes to the user asking to enter authentication credentials, that credentials are saved inside .htpasswd file as:

Username:Password

In normal scenarios the .htpasswd file should be stored outside the web directory (e.g. C:\AnyName\.htpasswd)
But in Barracuda issue the file was stored inside the admin panel directory and was accessible by anyone with serious repercussion.

If the user directly accesses the following link

http://updates.cudasvc.com/admin/.htpasswd

he will be able to disclose the passwords of all Barracuda Network Employees such as:
Support, Sales, UK Branch employees, Update server users, Engineers and more of those who have access to the basic authentication layer!

The Password disclosure vulnerability is exacerbated by the fact that the passwords were saved as a clear text, following the screen shots before the vulnerability got patched

The vulnerability has been reported by Ebrahim Hegazy to Barracuda, that already fixed it, despite it is not eligible for the bounty. Curious that Barracuda considered “Password disclosure vulnerability” out of scope vulnerability, IMHO I consider it a critical flaw.  Ebrahim Hegazy (https://twitter.com/Zigoo0) has found and reported the vulnerability to Barracuda as a participant in the Barracuda bug bounty program.

I consider Ebrahim Hegazy a very skilled professional that is doing an excellent job in security field, let’s remind that in the last months he already discovered flaws in DropBox, Avira web site and Yahoo! … What is the next?

What will happen is those smart guys will start to sell the knowledge of vulnerabilities in the underground?

Pierluigi Paganini

(Security Affairs – Password disclosure vulnerability, hacking)

UPDATE 2013-07-27

Barracuda specified following inaccurancies:

• The file that was exposed contained login and password information used to protect an internal web application more than 3 years ago. The account information and hashed passwords were specific to an internal application. Specifically, the hashed passwords in the file are not shared with any other aspect of our corporate systems, which regularly implement a password strength and frequency of change requirement.

• The file did not contain cleartext passwords.  It contained usernames and hashed passwords.
•  The file did not contain passwords for all of Barracuda’s employees. It was a subset of less than 100 former or current employees.