Barracuda SSL VPN Authentication Bypass

CVE Category Price Severity
CVE-2020-25208 CWE-287 Not specified High
Author Risk Exploitation Type Date
David Yesland of Rhino Security Labs High Remote 2013-01-25
Not provided in the link 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

SEC Consult Vulnerability Lab Security Advisory < 20130124-1 >
              title: Unauthenticated setting of Java System Properties
                     authentication bypass
            product: Barracuda SSL VPN
 vulnerable version: < Security Definition 2.0.5
      fixed version: Security Definition 2.0.5
             impact: Critical
              found: 2013-01-06
                 by: S. Viehback
                     SEC Consult Vulnerability Lab

Vendor/product description:
"Securely connecting remote users to files, applications, and secure
sites - residing behind the firewall - is vital for worker mobility
as well as for business continuity and data loss prevention (DLP).
The Barracuda SSL VPN is a powerful plug-and-play appliance
purpose-built to provide remote users with secure access to internal
network resources. It does this while giving administrators unrivaled
insight and tools for managing remote network access."


Vulnerability overview/description:
1) Unauthenticated setting of Java system properties
Unauthenticated users can set an arbitrary Java system property to an
arbitrary value. Among other attacks (eg. DoS), this allows an
attacker to break the applications security mechanisms. (see 2)

2) Unauthenticated access to critical functions
The vulnerability in 1) can be used to bypass access restrictions
in order to get access to the 'API' functionality. This enables an
unauthenticated attacker to download configuration files and database
dumps. Furthermore the system can be shutdown and new admin passwords
can be set using this functionality without prior authentication!

Proof of concept:
URLs and other exploit code have been removed from this advisory. A detailed
advisory will be released within a month including the omitted information.

1) Unauthenticated setting of Java system properties
The following request sets the system property 'foo' to the value 'bar':
<URL removed>
Affected script: setSysProp.jsp

2) Unauthenticated access to critical functions
The following requests disable access restrictions for the 'API'

<URLs removed>
Affected script: setSysProp.jsp

Then full API access is available without prior authentication.
Interesting functions are for instance:

* ConfDump
<URL removed>
Full dump of the /home/bvs/code/firmware/current/sslexplorer/conf/

* SqlDump
<URL removed>
Full dumps of databases. valid options are: config,
explorer_auditing, explorer_configuration and explorer_local.

Note: this function is vulnerable to local file disclosure too
<URL removed>

* Shutdown
<URL removed>
Shutdown/restart of appliance.

* SetSuperUserPassword
Allows setting the passwords of users in the superuser group.

<URL removed>

Vulnerable / tested versions:
The vulnerability has been verified to exist in Barracuda SSL VPN
version, which was the most recent version at the time of 

Vendor contact timeline:
2013-01-10: Sending advisory and proof of concept exploit via encrypted
2013-01-14: Vendor confirms receipt and provides BNSEC IDs.
2013-01-14: Vendor sends listing of reported vulnerabilities and release 
2013-01-21: Conference call - discussing implemented solutions.
2013-01-23: Barracuda Networks releases alert & secdef
2013-01-24: SEC Consult releases coordinated security advisory.

Update to Security Definition 2.0.5.

No workaround available.

Advisory URL:

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF S. Viehback / @2013

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.