SEC Consult researchers recently disclosed undocumented backdoor accounts in several Barracuda Networks appliances. "Several undocumented operating system user accounts exist on the appliance," the researchers wrote. "They can be used to gain access to the appliance via the terminal but also via SSH."
"The boxes are configured to listen for SSH connections to the backdoor accounts and will accept the username 'product' with no password to log in and gain access to the device's MySQL database," writes Ars Technica's Dan Goodin. "While the backdoors can be accessed by only a small range of IP addresses, many of them belong to entities other than Barracuda. 'The public ranges include servers run by Barracuda Networks Inc. but also servers from other, unaffiliated entities -- all of whom can access SSH on all affected Barracuda Networks appliances exposed to the Internet,' the advisory explained."
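The weakness described above comes down to three things an administrator can audit on any Linux-based appliance: local accounts that are not in the documented account list, accounts whose shadow entry has an empty password field, and an sshd configuration that permits empty passwords (possibly only for an address allowlist). The script below is an added example, not SEC Consult's advisory code or anything shipped by Barracuda; the passwd, shadow and sshd_config contents are constructed samples, the account list in DOCUMENTED_ACCOUNTS is an assumed baseline, and the use of an sshd `Match Address` block is only one way an IP restriction like the one Ars describes could be implemented, not a statement about how the appliances actually do it.

```python
"""Audit local accounts and sshd settings for undocumented, passwordless
SSH-reachable logins. Added example; all input below is constructed."""

# Constructed sample of /etc/passwd (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
product:x:1001:1001:remote support:/home/product:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
"""

# Constructed sample of /etc/shadow; an empty second field means no password.
SAMPLE_SHADOW = """root:$6$saltsalt$hashedhashedhashed:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
product::15000:0:99999:7:::
mysql:!!:15000:0:99999:7:::
"""

# Constructed sample sshd_config; the Match Address block is an assumption
# about how an allowlist might be expressed, not a Barracuda configuration.
SAMPLE_SSHD_CONFIG = """Port 22
PermitRootLogin no
PermitEmptyPasswords yes   # global setting, applies to every client
Match Address 192.0.2.0/24,198.51.100.0/24
    PasswordAuthentication yes
"""

# Assumed baseline: the accounts the operator knows are supposed to exist.
DOCUMENTED_ACCOUNTS = {"root", "daemon", "mysql"}

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map account name -> login shell for well-formed 7-field lines."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def parse_shadow(text):
    """Map account name -> password field ('' means no password at all)."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def undocumented_interactive_accounts(passwd_text, documented):
    """Accounts with a usable login shell that are not in the documented set."""
    shells = parse_passwd(passwd_text)
    return sorted(n for n, sh in shells.items()
                  if sh not in NOLOGIN_SHELLS and n not in documented)


def empty_password_logins(passwd_text, shadow_text):
    """Accounts with a login shell whose shadow password field is empty.
    Locked entries ('*', '!', '!!') are not flagged: they refuse password logins."""
    shells = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    return sorted(n for n, sh in shells.items()
                  if sh not in NOLOGIN_SHELLS and hashes.get(n) == "")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks). Keywords are case-insensitive;
    settings after a 'Match' line belong to that block only."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
        elif current is None:
            global_settings[key] = value
        else:
            current[1][key] = value
    return global_settings, match_blocks


def empty_password_exposure(config_text):
    """Whether sshd permits empty passwords globally (sshd's default is 'no'),
    plus any address criteria found in Match blocks."""
    settings, blocks = parse_sshd_config(config_text)
    permitted = settings.get("permitemptypasswords", "no").lower() == "yes"
    networks = []
    for criteria, _ in blocks:
        tokens = criteria.split()
        for i, tok in enumerate(tokens):
            if tok.lower() == "address" and i + 1 < len(tokens):
                networks.extend(tokens[i + 1].split(","))
    return permitted, networks


if __name__ == "__main__":
    print("undocumented:", undocumented_interactive_accounts(SAMPLE_PASSWD, DOCUMENTED_ACCOUNTS))
    print("passwordless:", empty_password_logins(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print("sshd:", empty_password_exposure(SAMPLE_SSHD_CONFIG))
```

On a real appliance the three inputs would be read from /etc/passwd, /etc/shadow and /etc/ssh/sshd_config (the last two need root); a passwordless account that also appears in the undocumented list and a `PermitEmptyPasswords yes` is the combination to treat as a finding, and a vendor-supplied address allowlist narrows who can reach it but does not remove it.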
"According to Barracuda, these accounts are intended for use by remote technical support," writes Intego's Lysa Myers. "They have released an update for the affected appliances that tightens the security of most of these support accounts, but it does not remove or secure them entirely."
"It’s not clear for how long the backdoor accounts have existed in Barracuda’s products, but the researchers found evidence that they have been in place since at least 2003," writes Krebs on Security's Brian Krebs. "Also, this thread on the security mailing list Full Disclosure includes some interesting discussion about how these backdoor accounts may have been used."