===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0051
          Barracuda Networks products and CVE-2014-0160: OpenSSL
                         Heartbleed vulnerability
                               14 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Barracuda Web Application Firewall
                      Barracuda Web Filter
                      Barracuda Message Archiver
                      Barracuda Firewall
                      Barracuda Load Balancer ADC
                      Barracuda Load Balancer
                      Barracuda Link Balancer
                      Cudatel
                      Barracuda Email Security Service
                      Barracuda Backup Service
                      Barracuda Cloud Control
                      Copy
                      SignNow
Operating System:     Network Appliance
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0160  
Member content until: Wednesday, May 14 2014
Reference:            ASB-2014.0042
                      ESB-2014.0457

OVERVIEW

        The OpenSSL Heartbleed vulnerability (CVE-2014-0160) has been
        reported in multiple Barracuda products.


IMPACT

        Barracuda has provided the following details regarding this issue:
        
        "On April 7, 2014 an exploitable vulnerability in OpenSSL was reported 
        by US-CERT/NIST.  OpenSSL is widely used in internet infrastructures, 
        and this vulnerability was introduced into OpenSSL in December 2011.  
        The vulnerability is the result of a missing bounds check in the 
        OpenSSL code that handles the TLS 'heartbeat' messages.  Someone with 
        malicious intent can exploit this vulnerability by requesting that a 
        running TLS server return up to 64KB of its private memory space.  
        Since this is the same memory space where OpenSSL stores the server's 
        private key material, an attacker can potentially obtain long-term 
        server private keys, TLS session keys, or usernames / passwords.   
        The vulnerability was first introduced in OpenSSL release version 
        1.0.1 on March 14, 2012. OpenSSL 1.0.1g, released on April 7, 2014, 
        fixes the vulnerability.  See
        https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
        for additional details." [1]
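
        The bounds check described in the vendor statement above, shown as an
        added example (not OpenSSL or Barracuda code). The message layout follows
        RFC 6520; all function and constant names are hypothetical, and the
        sample records are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1u
#define HB_RESPONSE 2u
#define HB_HDR      3u   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16u  /* RFC 6520 requires at least 16 bytes of padding */

/* Build the response to one received heartbeat message of rec_len bytes.
 * Returns the response length, or -1 if the message must be discarded. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD)   /* too short to hold header + padding */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The check whose absence is the vulnerability: the sender-supplied
     * length must fit in the bytes actually received, not merely in 16 bits. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)
        return -1;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);    /* echo the payload only */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD);  /* zeros for brevity; real stacks use random padding */
    return (int)resp_len;
}

/* Constructed sample: 4 real payload bytes, caller-chosen claimed length. */
int hb_demo(unsigned claimed)
{
    unsigned char rec[HB_HDR + 4 + HB_MIN_PAD] = { HB_REQUEST,
        (unsigned char)(claimed >> 8), (unsigned char)claimed, 'p', 'i', 'n', 'g' };
    unsigned char out[128];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest length 4: %d\n", hb_demo(4));       /* accepted */
    printf("claimed 0x4000:  %d\n", hb_demo(0x4000));  /* discarded */
    return 0;
}
```

        Without the length comparison, the copy would read past the received
        message into adjacent process memory, which is the disclosure the
        vendor statement describes.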


MITIGATION

        The vendor recommends upgrading to the latest version of the affected
        product. Information on updates is available on Barracuda's product
        management blog: http://cuda.co/heartbleed


REFERENCES

        [1] Tech Alerts
            https://www.barracuda.com/support/techalerts

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================