Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2015.0045
Two vulnerabilities in Barracuda Web Filter addressed by firmware update
5 May 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Barracuda Web Filter
Operating System: Network Appliance
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Read-only Data Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-0962 CVE-2015-0961
Member content until: Thursday, June 4 2015
OVERVIEW
Two vulnerabilities have been reported in Barracuda Web Filter prior
to version 8.1.0.005. [1]
IMPACT
Barracuda has provided the following details regarding the
vulnerabilities:
"CVE-2015-0961: prior to version 8.1.0.005, the Barracuda Web
Firewall fails to check the validity of upstream certificates when
SSL inspection is enabled. Upgrading to version 8.1.0.005 resolves
this issue and no other action is required.
CVE-2015-0962: versions 7.0 through 8.1.003 ship with a set of
default root CA certificates that are common across appliances." [1]
MITIGATION
Barracuda recommends that users upgrade to the latest generally
available firmware release to correct these issues.
Barracuda also advises users to turn on and update security
definitions. [1]
REFERENCES
[1] Barracuda Web Filter, SSL Inspection, CVE-2015-0961 and
CVE-2015-0962
https://www.barracuda.com/support/techalerts
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVUhXsBLndAQH1ShLAQLurA//Z/Rn1axoq2Fvd4arxyk63CzTUKR5xpl4
Yx/FaHKBB584xk3c79CkIO0jcB0aODzMW498kx9u30HibwWZkOjnBeP5Jzp4z7Yv
1uwWaJcCgpAwYBmfvSl7n7Bo7+FByu6LmLyxJ2S6NeyByDMVCZUYl48XtWBEVXlb
3FyNDFlToCEIH/E7u0OK5H4Pve50prdsmnU4JtKzahUu9K+0n9hMWG4+/tOeMz7c
wArfsnVKuvPjpkFj8lhsT3lFy8eUNQ4YVJ6e0jUHYwVFBiLqcq54Z1eBghOFLE9A
6V+csrJax5GWOdjjUWh7/0B5IqlfoeNL26TweqM6/EO8e0NCHF+dRmY0o8ymY6IT
zrGtGP4bEmTYJHsKFEdLfVjIYGChHAZuzxMaJL2Vr+itAfXxuh0jqlXIDir01VHl
VfXsbSLvywdLRDJo7PdABGDz6zB5VF8axy/5YP7qUIM0PV0GNcdJOb7BU3Wxba2e
6ML1VqTaTTPby3wkicreBTgwsZ6SqXh6Wpw7LYSDcTnd02pYPVoqy+Yh67Gg+H00
9wf/iOV38z6DJj/u4KGQ7e231rHuMU3Vk7wzx38SYBnZulSUHBRrM1uQc3c7NeWr
ORKk/nRRHfv3WbLM4Vzqj/pdgL444kEhDE/YzPV8CtgWfMqBj/QYFyWCFkemdLy/
OSZ2YG8CK4Q=
=wd5U
-----END PGP SIGNATURE-----