Executive Summary

Title: Barracuda Web Filter insecurely performs SSL inspection
Name: VU#534407
Vendor: VU-CERT
First vendor publication: 2015-04-28
Last vendor modification: 2015-04-28
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA            Environmental score: NA
Impact subscore: NA       Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS base score: 4.3       Attack range: Network
CVSS impact score: 2.9     Attack complexity: Medium
CVSS exploit score: 8.6    Authentication: None required

Detail

Vulnerability Note VU#534407

Barracuda Web Filter insecurely performs SSL inspection

Original Release date: 28 Apr 2015 | Last revised: 28 Apr 2015

Overview

Barracuda Web Filter prior to version 8.1.0.005 does not properly check upstream certificate validity when performing SSL inspection, and delivers one of three default root CA certificates across multiple machines for SSL inspection.

Description

According to Barracuda Networks, the Barracuda Web Filter is a "comprehensive solution for web security and management" with many features, including the ability to provide "visibility into SSL-encrypted traffic". This SSL inspection feature of the Barracuda Web Filter is vulnerable to multiple issues.

Incomplete validation of upstream certificate validity - CVE-2015-0961

Barracuda Web Filter versions between 7.0 and 8.1.0.005 do not check upstream certificate validity when performing SSL inspection.

Shared root CA certificate - CVE-2015-0962

Barracuda Web Filter versions between 7.0 and 8.1.0.005 ship one of three different default root CA certificates, each shared across multiple machines, for use in the SSL Inspection feature.


Users who have configured SSL Inspection on a Barracuda Web Filter may be affected. Beginning in version 8.1.0.005, Barracuda Web Filter verifies certificate validity and generates a unique default certificate for each appliance.

Barracuda Networks has released a security advisory with more details. For more information on the impact of these issues on SSL inspection, please see Will Dormann's CERT/CC blog post on SSL Inspection.

The CVSS score below is based on CVE-2015-0962.

Impact

Either CVE-2015-0961 or CVE-2015-0962 may allow an attacker to perform a man-in-the-middle (MITM) attack on SSL-inspected connections without the client detecting it.

Solution

Update the firmware

Barracuda Networks released firmware version 8.1.0.005 on April 16th, 2015 to address these issues. Affected users should upgrade to firmware 8.1.0.005 or later as soon as possible.

Users who have deployed an affected service using the default certificate supplied with the appliance will need to deploy a new client certificate to their clients and remove the previously deployed certificate. Instructions for deploying and removing client certificates are available at http://techlib.barracuda.com/BWF/UpdateSSLCerts.

Check that old shared certificates are removed

Barracuda has also provided https://certcheck.barracudalabs.com, a site that will show users whether their browser trusts any of the shared default certificates and includes instructions for removing the certificates from the browser trust store if necessary.
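As an added illustration (not part of the CERT note and not Barracuda's code), the following Python shows the two defensive checks the CVEs above call for: `upstream_context` contrasts the unverified upstream TLS setting of CVE-2015-0961 with the verifying one an inspector must use, and `shared_roots` flags a CA certificate that appears in the exported trust bundles of more than one appliance or client, the CVE-2015-0962 condition. The host names and PEM stubs are constructed sample data.

```python
import base64
import hashlib
import re
import ssl
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_bundle):
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    fps = []
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def shared_roots(bundles_by_host):
    """Map each CA fingerprint present on more than one host to those hosts.
    A root that several appliances or client trust stores have in common is
    the CVE-2015-0962 condition: whoever holds its key can forge any site."""
    hosts_by_fp = defaultdict(list)
    for host, bundle in bundles_by_host.items():
        for fp in set(cert_fingerprints(bundle)):
            hosts_by_fp[fp].append(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def upstream_context(verify):
    """TLS context an inspecting proxy uses towards the origin server.
    verify=False reproduces the CVE-2015-0961 behaviour (no upstream check);
    verify=True is the setting a fixed inspector must use."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system CAs
    if not verify:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pem_stub(payload):
    # Constructed stand-in "certificate": the fingerprint logic only hashes the
    # decoded base64 body, so arbitrary bytes take the place of real DER here.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: three appliances, two of which carry the same default root.
SAMPLE_BUNDLES = {
    "bwf-hq": pem_stub(b"default-root-1") + pem_stub(b"site-root-hq"),
    "bwf-branch": pem_stub(b"default-root-1"),
    "bwf-lab": pem_stub(b"default-root-2"),
}
```

Run `shared_roots(SAMPLE_BUNDLES)` against real exported trust bundles, one per appliance or client, to list any root still shared after the upgrade.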

Vendor Information

Vendor              Status    Date Notified  Date Updated
Barracuda Networks  Affected  -              21 Apr 2015

CVSS Metrics

Group          Score  Vector
Base           8.8    AV:N/AC:M/Au:N/C:C/I:C/A:N
Temporal       6.9    E:POC/RL:OF/RC:C
Environmental  5.2    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• http://cuda.co/15076
• http://techlib.barracuda.com/BWF/UpdateSSLCerts
• https://certcheck.barracudalabs.com
• https://www.cert.org/blogs/certcc/post.cfm?EntryID=221

Credit

Thanks to Barracuda Networks for promptly addressing these issues and contacting the CERT/CC to coordinate disclosure.

This document was written by Garret Wassermann.

Other Information

• CVE IDs: CVE-2015-0961, CVE-2015-0962
• Date Public: 28 Apr 2015
• Date First Published: 28 Apr 2015
• Date Last Updated: 28 Apr 2015
• Document Revision: 27


Original Source

Url : http://www.kb.cert.org/vuls/id/534407

CWE : Common Weakness Enumeration

%      Id      Name
100 %  CWE-18  Source Code

CPE : Common Platform Enumeration

Type         Description  Count
Application               6

Alert History

Date                 Informations
2016-07-21 12:10:05  Multiple Updates
2016-04-27 07:03:56  Multiple Updates
2015-05-27 17:29:38  Multiple Updates
2015-05-26 05:29:10  Multiple Updates
2015-04-28 21:25:23  First insertion