V-077: Barracuda SSL VPN Bug Lets Remote Users Bypass Authentication

January 25, 2013 - 6:00am

PROBLEM:

A vulnerability was reported in Barracuda SSL VPN.

PLATFORM:

The vulnerability has been verified to exist in Barracuda SSL VPN version 2.2.2.203.

ABSTRACT:

A remote user can gain administrative access to the target system.

REFERENCE LINKS:

SecurityTracker Alert ID: 1028039
Barracuda Networks Advisory

IMPACT ASSESSMENT:

High

DISCUSSION:

A remote user can set a specially crafted Java system property (via 'setSysProp.jsp') to bypass access restrictions and gain access to the API functionality. This can be exploited to download configuration files, download database dumps, shut down the system, and set new administrative passwords.

IMPACT:

A remote user can gain administrative access to the target system.

SOLUTION:

The vendor recommends updating to Security Definition 2.0.5.
