Barracuda WAF Internal Development Credential Disclosure

Vulnerability Description

Firmware reversing of the Barracuda Web Application Firewall uncovered development artifacts that should have been removed on the production images. Once the encryption scheme was broken, many QA and development tools were discovered on the affected partitions. Some of these contained sensitive information such as authentication credentials used by internal developers.

Technical Description

root@(none):/realroot/root# grep -ri "bospw" *|more
newfile/lib/Stub.pm:        'BOSPW'                      => undef,
newfile/lib/Stub.pm:    my $bospw = $self->_retrieve_bos_pw();
newfile/lib/Stub.pm:    $self->_set_BOSPW($bospw);
newfile/lib/Stub.pm:      my $bospw = Postbuild::get_bos_pw();
newfile/lib/Stub.pm:      my $url = "https://$bospw\@ops.barracudanetworks.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel&date=$date&mac=$tmpMAC&revision=$tmprevision&hw=$tmphw&devel=$devel&vm=$vm&
platform=$platform&buildkey=$bdvers";
newfile/lib/Stub.pm:          $bospw = Postbuild::get_bos_pw();
newfile/lib/Stub.pm:          $url = "https://$bospw\@ops.barracudanetworks.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel&date=$date&mac=$tmpMAC&revision=$tmprevision&hw=$tmphw&devel=$devel&vm=$vm
&platform=$platform&dest_country=$ship_code&buildkey=$bdvers";
newfile/lib/Stub.pm:    my $bospw;
newfile/lib/Stub.pm:    if ( -f "/root/bospw" ) {
newfile/lib/Stub.pm:        open IN, "/root/bospw";
newfile/lib/Stub.pm:        $bospw = <IN>;
newfile/lib/Stub.pm:        chomp($bospw);
newfile/lib/Stub.pm:        $bospw = "manufacturing:N3rfH3rders";
newfile/lib/Stub.pm:    return $bospw;
newfile/lib/Stub.pm:sub _get_BOSPW() {
newfile/lib/Stub.pm:   return $self->{'BOSPW'};
newfile/lib/Stub.pm:sub _set_BOSPW() {
newfile/lib/Stub.pm:    my ($self, $BOSPW) = @_;
newfile/lib/Stub.pm:    $self->{'BOSPW'} = $BOSPW;
newfile/lib/Postbuild.pm:    my $bospw = "manufacturing:N3rfH3rders";
newfile/lib/Postbuild.pm:    if( -f "/root/bospw" ) {
newfile/lib/Postbuild.pm:        open IN, "/root/bospw";
newfile/lib/Postbuild.pm:        $bospw = <IN>;
newfile/lib/Postbuild.pm:        chomp($bospw);
newfile/lib/Postbuild.pm:    return $bospw;
newfile/lib/Postbuild.pm:        my $bospw = get_bos_pw();
newfile/lib/Postbuild.pm:	my $url = "https://$bospw\@ops.barracuda.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel&date=$date&mac=$tmpMAC&revision=$tmprevision&hw=$tmphw&devel=$devel&vm=$vm&pl
atform=$platform&bdvers=$bdvers";
newfile/lib/Postbuild.pm:		$url = "https://$bospw\@ops.barracuda.com:443/cgi-old/createserialkey.cgi?model=$tmpmodel&date=$date&mac=$tmpMAC&revision=$tmprevision&hw=$tmphw&devel=$devel&vm=$
vm&platform=$platform&dest_country=$ship_code&bdvers=$bdvers";
newfile/lib/Postbuild.pm:    my $bospw = get_bos_pw();
newfile/lib/Postbuild.pm:    my $url = "https://$bospw\@ops.barracudanetworks.com:443/~order/prod_void.cgi?void_serial=$serial";
postbuild-code-platform-2.tar.gz.integrit:!/root/bospw
qaclear:    unlink("/root/bospw");
qaclear.2:unlink("/root/bospw");
qapass:my @bospw = ("manufacturing:N3rfH3rders");
qapass:my $extrabospw = injectAndGet("__METHOD__://__POSTBUILDIP__/postbuild/files/os_updates2/root/bospw", { METHOD => [ "http", "https" ], POSTBUILDIP => [ "mfg-postbuild.englab.cudanet.local" ] }, 10
 );
qapass:if( defined($extrabospw) ) {
qapass:	unshift @bospw, split(/\n/, $extrabospw);
qapass:	$url = "https://__BOSPW__\@__BOSIP__/~order/prod_accept.cgi?serial=$serial&wh=$warehouse&firmware=$firmware"
qapass:	$url =  "https://__BOSPW__\@__BOSIP__/~order/prod_accept.cgi?serial=$serial&firmware=$firmware";
qapass:if (!defined(injectAndGet($url, { BOSPW => \@bospw, BOSIP => \@bosip } ))) {
qapass:$url = "https://__BOSPW__\@__BOSIP__/cgi-bin/get_serial_status.cgi?serial=$serial";
qapass:my $content = injectAndGet($url, { BOSPW => \@bospw, BOSIP => \@bosip } );
qapass:$url = "https://__BOSPW__\@__BOSIP__/cgi-bin/shipping.cgi?option=qadocs&xlist=1&box_label=1&printer_loc=manufacturing&submit=Print&serial_id=$serial&override=$serial$loc_string";
qapass:	$url = "https://__BOSPW__\@__BOSIP__/cgi-bin/shipping.cgi?option=qadocs&xlist=1&box_label=1&link_code=1&printer_loc=manufacturing&submit=Print&serial_id=$serial&override=$serial$loc_string";
qapass:if( !defined(injectAndGet($url, { BOSPW => \@bospw, BOSIP => \@bosip })) ) {
qapass:$url = "https://__BOSPW__\@__BOSIP__/cgi-bin/shipping.cgi?option=qadocs&serial_label=1&printer_loc=manufacturing&submit=Print&serial_id=$serial&override=$serial$loc_string";
qapass:if( !defined(injectAndGet($url, { BOSPW => \@bospw, BOSIP => \@bosip })) ) {

Mitigation and Remediation Recommendation

The vendor has patched this vulnerability in the latest virtual appliance release.

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. and Joshua Hardin.

Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt