Details of VAR-200608-0447

ID

VAR-200608-0447

CVE

CVE-2006-4081

TITLE

Barracuda Spam Firewall contains hardcoded default login credentials

Trust: 0.8

sources: CERT/CC: VU#199348

DESCRIPTION

preview_email.cgi in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 allows remote attackers to execute commands via shell metacharacters ("|" pipe symbol) in the file parameter. NOTE: the attack can be extended to arbitrary commands by the presence of CVE-2006-4000. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that can not be modified by an administrator. Barracuda Spam Firewall (BSF) of preview_email.cgi Contains a command execution vulnerability. Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, access-validation issue, and a remote command-execution issue. A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application. Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues. Although the guest account has only limited access, the following information can be obtained: * System configuration, including IP address, administrator IP ACL; * Email message log (but not the content of the message); * Spam/antivirus definition version information and system firmware version. Although this script requires a valid user login, this restriction can be easily bypassed by combining the guest password vulnerability described above. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Barracuda Spam Firewall Information Disclosure and Default Account SECUNIA ADVISORY ID: SA21258 VERIFY ADVISORY: http://secunia.com/advisories/21258/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/ DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information. 1) Input passed to the "file" parameter in preview_email.cgi is not properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated. 2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information. A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. SOLUTION: Update to firmware version 3.3.0.54. PROVIDED AND/OR DISCOVERED BY: Greg Sinclair ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.79

sources: NVD: CVE-2006-4081 // CERT/CC: VU#199348 // JVNDB: JVNDB-2006-001067 // BID: 19276 // VULHUB: VHN-20189 // PACKETSTORM: 48752

AFFECTED PRODUCTS

vendor:	barracuda	model:	spam firewall	scope:	eq	version:	3.3.01.001	Trust: 1.6
vendor:	barracuda	model:	spam firewall	scope:	eq	version:	3.3.03.053	Trust: 1.6
vendor:	barracuda	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	barracuda	model:	spam firewall	scope:	eq	version:	3.3.01.001 to 3.3.03.053	Trust: 0.8
vendor:	barracuda	model:	networks barracuda spam firewall	scope:	eq	version:	3.3.03.055	Trust: 0.3
vendor:	barracuda	model:	networks barracuda spam firewall	scope:	eq	version:	3.3.03.053	Trust: 0.3
vendor:	barracuda	model:	networks barracuda spam firewall	scope:	eq	version:	3.3.01.001	Trust: 0.3

sources: CERT/CC: VU#199348 // BID: 19276 // JVNDB: JVNDB-2006-001067 // CNNVD: CNNVD-200608-194 // NVD: CVE-2006-4081

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2006-4081
value:	HIGH
Trust: 1.0
CARNEGIE MELLON:	VU#199348
value:	2.57
Trust: 0.8
NVD:	CVE-2006-4081
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-200608-194
value:	HIGH
Trust: 0.6
VULHUB:	VHN-20189
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2006-4081
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-20189
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#199348 // VULHUB: VHN-20189 // JVNDB: JVNDB-2006-001067 // CNNVD: CNNVD-200608-194 // NVD: CVE-2006-4081

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2006-4081

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200608-194

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200608-194

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-001067

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-20189

PATCH

title:

Top Page

url:

http://www.barracudanetworks.com/ns/

Trust: 0.8

sources: JVNDB: JVNDB-2006-001067

EXTERNAL IDS

db:	NVD	id:	CVE-2006-4081	Trust: 2.8
db:	SECUNIA	id:	21258	Trust: 2.6
db:	BID	id:	19276	Trust: 2.0
db:	SREASON	id:	1363	Trust: 1.7
db:	CERT/CC	id:	VU#199348	Trust: 0.8
db:	JVNDB	id:	JVNDB-2006-001067	Trust: 0.8
db:	CNNVD	id:	CNNVD-200608-194	Trust: 0.7
db:	BUGTRAQ	id:	20060804 BARRACUDA SPAM FIREWALL: ADMINISTRATOR LEVEL REMOTE COMMAND EXECUTION [ID-20060804-01]	Trust: 0.6
db:	BUGTRAQ	id:	20060803 RE: BARRACUDA VULNERABILITY: ARBITRARY FILE DISCLOSURE [NNL-20060801-02]	Trust: 0.6
db:	XF	id:	28234	Trust: 0.6
db:	FULLDISC	id:	20060804 BARRACUDA SPAM FIREWALL: ADMINISTRATOR LEVEL REMOTE COMMAND EXECUTION [ID-20060804-01]	Trust: 0.6
db:	EXPLOIT-DB	id:	2145	Trust: 0.1
db:	EXPLOIT-DB	id:	2136	Trust: 0.1
db:	SEEBUG	id:	SSVID-63798	Trust: 0.1
db:	VULHUB	id:	VHN-20189	Trust: 0.1
db:	PACKETSTORM	id:	48752	Trust: 0.1

sources: CERT/CC: VU#199348 // VULHUB: VHN-20189 // BID: 19276 // JVNDB: JVNDB-2006-001067 // PACKETSTORM: 48752 // CNNVD: CNNVD-200608-194 // NVD: CVE-2006-4081

REFERENCES

url:	http://www.securityfocus.com/bid/19276	Trust: 1.7
url:	http://archives.neohapsis.com/archives/fulldisclosure/2006-08/0110.html	Trust: 1.7
url:	http://secunia.com/advisories/21258	Trust: 1.7
url:	http://securityreason.com/securityalert/1363	Trust: 1.7
url:	http://www.barracudanetworks.com/ns/products/spam_overview.php	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/442132/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/442249/100/0/threaded	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/28234	Trust: 1.1
url:	http://secunia.com/advisories/21258/	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-4081	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-4081	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/442249/100/0/threaded	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/442132/100/0/threaded	Trust: 0.6
url:	http://xforce.iss.net/xforce/xfdb/28234	Trust: 0.6
url:	https://lists.grok.org.uk/mailman/listinfo/full-disclosure	Trust: 0.3
url:	/archive/1/442249	Trust: 0.3
url:	/archive/1/442132	Trust: 0.3
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/product/4639/	Trust: 0.1
url:	https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file]	Trust: 0.1
url:	http://secunia.com/hardcore_disassembler_and_reverse_engineer/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1

sources: CERT/CC: VU#199348 // VULHUB: VHN-20189 // BID: 19276 // JVNDB: JVNDB-2006-001067 // PACKETSTORM: 48752 // CNNVD: CNNVD-200608-194 // NVD: CVE-2006-4081

CREDITS

Greg Sinclair gssincla@nnlsoftware.com

Trust: 0.6

sources: CNNVD: CNNVD-200608-194

SOURCES

db:	CERT/CC	id:	VU#199348
db:	VULHUB	id:	VHN-20189
db:	BID	id:	19276
db:	JVNDB	id:	JVNDB-2006-001067
db:	PACKETSTORM	id:	48752
db:	CNNVD	id:	CNNVD-200608-194
db:	NVD	id:	CVE-2006-4081

LAST UPDATE DATE

2024-08-14T13:50:43.501000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#199348	date:	2006-08-29T00:00:00
db:	VULHUB	id:	VHN-20189	date:	2018-10-17T00:00:00
db:	BID	id:	19276	date:	2016-07-06T12:19:00
db:	JVNDB	id:	JVNDB-2006-001067	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200608-194	date:	2006-08-14T00:00:00
db:	NVD	id:	CVE-2006-4081	date:	2018-10-17T21:33:17.177

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#199348	date:	2006-08-24T00:00:00
db:	VULHUB	id:	VHN-20189	date:	2006-08-11T00:00:00
db:	BID	id:	19276	date:	2006-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2006-001067	date:	2012-06-26T00:00:00
db:	PACKETSTORM	id:	48752	date:	2006-08-03T03:35:36
db:	CNNVD	id:	CNNVD-200608-194	date:	2006-08-11T00:00:00
db:	NVD	id:	CVE-2006-4081	date:	2006-08-11T10:04:00