CVSS2 score: 4.3 (Medium)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS: 0.003 (Low), percentile 65.7%
Barracuda Web Filter prior to version 8.1.0.005 does not properly check upstream certificate validity when performing SSL inspection, and delivers one of three default root CA certificates across multiple machines for SSL inspection.
According to Barracuda Networks, the Barracuda Web Filter is a “comprehensive solution for web security and management” with many features, including the ability to provide “visibility into SSL-encrypted traffic”. This SSL inspection feature of the Barracuda Web Filter is vulnerable to multiple issues.
Incomplete validation of upstream certificate validity - CVE-2015-0961
Barracuda Web Filter versions between 7.0 and 8.1.0.005 do not check upstream certificate validity when performing SSL inspection.
Shared root CA certificate - CVE-2015-0962
Barracuda Web Filter versions between 7.0 and 8.1.0.005 ship one of three different default certificates that are shared across multiple machines for use in the SSL Inspection feature.
* Users who have configured SSL Inspection on a Barracuda Web Filter may be affected. Beginning in version 8.1.0.005, Barracuda Web Filter verifies certificate validity and generates a unique default certificate for each appliance.
Barracuda Networks has released a security advisory with more details. For more information on the impact of these issues on SSL inspection, please see Will Dormann’s CERT/CC blog post on SSL Inspection.
Either CVE-2015-0961 or CVE-2015-0962 may allow an attacker to carry out a man-in-the-middle (MITM) attack without the client detecting it.
Update the firmware
Barracuda Networks has released firmware version 8.1.0.005 on April 16th, 2015 to address these issues. Affected users should upgrade to firmware 8.1.0.005 or later as soon as possible.
Users who have deployed an affected service using the default certificate supplied with the appliance will need to deploy a new client certificate to their clients and remove the previously deployed certificate. Instructions for deploying and removing client certificates are available at <http://techlib.barracuda.com/BWF/UpdateSSLCerts>.
Check that old shared certificates are removed
Barracuda has also provided https://certcheck.barracudalabs.com, a site that will show users if their browser trusts any of the shared default certificates and includes instructions for removing the certificates from the browser trust store if necessary.
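The two defects described above (CVE-2015-0961, no verification of the upstream certificate; CVE-2015-0962, a root CA shared across appliances) map onto two checks a defender can script. The Python below is an added illustration and is not code from the advisory, from CERT/CC or from Barracuda: it builds the upstream TLS client context an inspecting proxy should use, next to the unverified variant that reproduces the first defect, and audits a PEM trust-store bundle for certificates whose SHA-256 fingerprint is on a blocklist, which is what certcheck.barracudalabs.com does for a browser. All function names are this example's own; `SHARED_DEFAULT_CA_FINGERPRINTS` and the PEM bundle are constructed placeholders, because the real fingerprints of the three shared default certificates are not given on this page.

```python
import hashlib
import ssl
from typing import List, Optional, Set

# ---- Check 1: the proxy's upstream (server-facing) TLS context ----------------
# CVE-2015-0961 is the proxy equivalent of verify_mode=CERT_NONE: any certificate
# presented by the origin (or by someone in between) is accepted and re-signed.


def vulnerable_upstream_context() -> ssl.SSLContext:
    """Reproduces the weak behaviour for comparison only: no chain or hostname check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_upstream_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Chain validated against trusted roots, hostname matched, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # system roots when None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_upstream(ctx: ssl.SSLContext) -> bool:
    """Configuration audit: True only if the context would reject a bad upstream cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# ---- Check 2: is a shared default root CA still in a trust store? -------------

def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, upper-case hex."""
    return hashlib.sha256(der).hexdigest().upper()


def split_pem_bundle(bundle: str) -> List[str]:
    """Return each PEM certificate block in a bundle as its own string."""
    certs: List[str] = []
    current: List[str] = []
    for line in bundle.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            current = [line]
        elif line.startswith("-----END CERTIFICATE-----"):
            current.append(line)
            certs.append("\n".join(current) + "\n")
            current = []
        elif current:
            current.append(line)
    return certs


def find_shared_default_cas(bundle: str, blocklist: Set[str]) -> List[str]:
    """Fingerprints from the bundle that match a known shared default CA."""
    hits = []
    for pem in split_pem_bundle(bundle):
        fp = fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))
        if fp in blocklist:
            hits.append(fp)
    return hits


# Constructed sample data (NOT real certificates): opaque bytes wrapped in PEM
# armour so the fingerprint and bundle-splitting logic can run offline.
SHARED_CA_DER = b"\x30\x82CONSTRUCTED-shared-default-ca-placeholder"
UNIQUE_CA_DER = b"\x30\x82CONSTRUCTED-per-appliance-ca-placeholder"
# Placeholder for the published fingerprints of the three shared certificates.
SHARED_DEFAULT_CA_FINGERPRINTS = {fingerprint_der(SHARED_CA_DER)}
SAMPLE_TRUST_STORE = (ssl.DER_cert_to_PEM_cert(SHARED_CA_DER)
                      + ssl.DER_cert_to_PEM_cert(UNIQUE_CA_DER))
SAMPLE_CLEAN_TRUST_STORE = ssl.DER_cert_to_PEM_cert(UNIQUE_CA_DER)


if __name__ == "__main__":
    print("hardened context verifies upstream:",
          context_verifies_upstream(hardened_upstream_context()))
    print("vulnerable context verifies upstream:",
          context_verifies_upstream(vulnerable_upstream_context()))
    print("shared CAs still trusted:",
          find_shared_default_cas(SAMPLE_TRUST_STORE, SHARED_DEFAULT_CA_FINGERPRINTS))
```

To audit a real store, read the system or browser-exported PEM bundle into `find_shared_default_cas` and replace the placeholder set with the fingerprints the vendor publishes; an empty result after the firmware update and client cleanup is the state the "Check that old shared certificates are removed" step asks for.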
534407
Updated: April 21, 2015
Statement Date: April 16, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 8.8 | AV:N/AC:M/Au:N/C:C/I:C/A:N |
Temporal | 6.9 | E:POC/RL:OF/RC:C |
Environmental | 5.2 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Barracuda Networks for promptly addressing these issues and contacting the CERT/CC to coordinate disclosure.
This document was written by Garret Wassermann.
CVE IDs: CVE-2015-0961, CVE-2015-0962
Date Public: 2015-04-28
Date First Published: