ID

VAR-201708-0293


CVE

CVE-2014-8428


TITLE

Barracuda Load Balancer Vulnerabilities related to authorization, permissions, and access control

Trust: 0.8

sources: JVNDB: JVNDB-2014-008349

DESCRIPTION

Privilege escalation vulnerability in Barracuda Load Balancer 5.0.0.015 via the use of an improperly protected SSH key. Barracuda Load Balancer contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained or altered, and service operation may be disrupted (DoS). The controller provides protection against intrusion and attack events, while optimizing application load and providing strong performance support.

===============================================================================
title: Virtual Appliance Security Review
case id: CM-2013-01
product: Barracuda Load Balancer ADC
vulnerability type: Multiple
severity: Medium to High
found: 2013-12-13
by: Cristiano Maruti (@cmaruti)
===============================================================================

[EXECUTIVE SUMMARY]

While reviewing the virtual appliance, five major security issues were identified:

1) Ability to recover the file system encryption keys via simil cold-boot attack;
2) Off-line super user password reset via physical attack;
3) Hard-coded credential for an interactive unprivileged user;
4) Hard-coded SSH key file that could permit local privilege escalation;
5) Various credentials and private IP address of Barracuda’s internal server.

[VULNERABLE VERSIONS]

Barracuda Load Balancer - firmware version 5.0.0.015. Probably there are other appliances from the vendor affected by the same problems.

[TECHNICAL DETAILS]

The full report with technical details about the vulnerabilities I have identified is available at: https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf

[VULNERABILITY REFERENCE]

The following IDs were associated by Barracuda (BNSECID) to handle the vulnerabilities:

- BNSEC-0004000355: VM filesystem encryption keys can be leaked through memory dump.
- BNSEC-0006000122: VM appliance susceptible to off-line user password reset.
- BNSEC-0006000124: VM filesystem encryption keys can be leaked through memory dump.
- BNSEC-0006000123: Hard coded weak credentials for product user.
- BNSEC-0006000126: Internal system information leakage through VM virtual drive.

The following CVE IDs were pre-allocated to track the vulnerabilities:

- CVE-2014-8426: Hard coded weak credentials for product user.

[DISCLOSURE TIMELINE]

2014-01-03 Report submitted to vendor via its bug bounty program.
2014-01-03 Vendor confirmed receiving the report (automatic reply).
2014-01-09 Vendor gave follow-up.
2014-01-13 Vendor provided BNSEC IDs.
2014-01-22 Researcher requested further update about the status of the submission.
2014-01-22 Vendor gave follow-up and updated the list of BNSEC IDs.
2014-02-06 Researcher requested for the second time an update about the status of his submission.
2014-02-06 Vendor acknowledged the delay in processing the submission because of internal reorganization of the bounty program.
2014-03-18 Vendor sent update. Confirming the severity of the vulnerabilities, still processing the submission and developing appropriate fixes.
2014-03-20 Vendor approved bounty. Four of five vulnerabilities are eligible for the bounty program.
2014-04-20 Barracuda created fixes for the issues reported but postponed the test due to addressing the Heartbleed vulnerability.
2014-04-23 Researcher received the bounty prize.
2014-05-06 Vendor gave follow-up but no further details about the status of the patching process were disclosed.
2014-06-04 Researcher requested further update about the status of the submission.
2014-10-01 Vendor postponed the fix due to Shellshock vulnerability.
2014-12-05 Vendor escalated the issues due to cleanup delayed too many times; coordinated disclosure date will be on January 20th, 2015.
2015-01-20 Public disclosure.

[SOLUTION]

Vendor addressed the vulnerabilities identified by CVE-2014-8426 and CVE-2014-8428. The Vendor is currently evaluating ways to mitigate the remaining ones.

[REPORT URL]

https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf

Trust: 1.8

sources: NVD: CVE-2014-8428 // JVNDB: JVNDB-2014-008349 // VULHUB: VHN-76373 // PACKETSTORM: 130027

AFFECTED PRODUCTS

vendor: barracuda, model: load balancer, scope: eq, version: 5.0.0.015

Trust: 1.6

vendor: barracuda, model: load balancer adc, scope: eq, version: 5.0.0.015

Trust: 0.8

sources: JVNDB: JVNDB-2014-008349 // CNNVD: CNNVD-201708-1191 // NVD: CVE-2014-8428

CVSS

SEVERITY

nvd@nist.gov: CVE-2014-8428
value: CRITICAL

Trust: 1.0

NVD: CVE-2014-8428
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201708-1191
value: HIGH

Trust: 0.6

VULHUB: VHN-76373
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2014-8428
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-76373
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2014-8428
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-76373 // JVNDB: JVNDB-2014-008349 // CNNVD: CNNVD-201708-1191 // NVD: CVE-2014-8428

PROBLEMTYPE DATA

problemtype: CWE-264

Trust: 1.9

sources: VULHUB: VHN-76373 // JVNDB: JVNDB-2014-008349 // NVD: CVE-2014-8428

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201708-1191

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201708-1191

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-008349

PATCH

title: Barracuda Load Balancer ADC
url: https://www.barracuda.com/products/loadbalancer?L=jp

Trust: 0.8

title: Barracuda Load Balancer Fixes for permission permissions and access control vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74319

Trust: 0.6

sources: JVNDB: JVNDB-2014-008349 // CNNVD: CNNVD-201708-1191

EXTERNAL IDS

db: NVD, id: CVE-2014-8428

Trust: 2.6

db: PACKETSTORM, id: 130027

Trust: 2.6

db: JVNDB, id: JVNDB-2014-008349

Trust: 0.8

db: CNNVD, id: CNNVD-201708-1191

Trust: 0.7

db: VULHUB, id: VHN-76373

Trust: 0.1

sources: VULHUB: VHN-76373 // JVNDB: JVNDB-2014-008349 // PACKETSTORM: 130027 // CNNVD: CNNVD-201708-1191 // NVD: CVE-2014-8428

REFERENCES

url:http://packetstormsecurity.com/files/130027/barracuda-load-balancer-adc-key-recovery-password-reset.html

Trust: 2.5

url:http://seclists.org/fulldisclosure/2015/jan/76

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2014-8428

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-8428

Trust: 0.8

url:https://github.com/cmaruti/reports/raw/master/barracuda_load_balancer_vm.pdf

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2014-8426

Trust: 0.1

sources: VULHUB: VHN-76373 // JVNDB: JVNDB-2014-008349 // PACKETSTORM: 130027 // CNNVD: CNNVD-201708-1191 // NVD: CVE-2014-8428

CREDITS

Cristiano Maruti

Trust: 0.1

sources: PACKETSTORM: 130027

SOURCES

db: VULHUB, id: VHN-76373
db: JVNDB, id: JVNDB-2014-008349
db: PACKETSTORM, id: 130027
db: CNNVD, id: CNNVD-201708-1191
db: NVD, id: CVE-2014-8428

LAST UPDATE DATE

2024-11-23T22:34:34.793000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-76373, date: 2017-09-01T00:00:00
db: JVNDB, id: JVNDB-2014-008349, date: 2017-09-25T00:00:00
db: CNNVD, id: CNNVD-201708-1191, date: 2017-08-30T00:00:00
db: NVD, id: CVE-2014-8428, date: 2024-11-21T02:19:04.187

SOURCES RELEASE DATE

db: VULHUB, id: VHN-76373, date: 2017-08-28T00:00:00
db: JVNDB, id: JVNDB-2014-008349, date: 2017-09-25T00:00:00
db: PACKETSTORM, id: 130027, date: 2015-01-20T23:24:28
db: CNNVD, id: CNNVD-201708-1191, date: 2017-08-30T00:00:00
db: NVD, id: CVE-2014-8428, date: 2017-08-28T15:29:00.500