Barracuda WAF V360 Firmware Username / Session ID Leak

Type packetstorm
Reporter Matthew Bergin
Modified 2017-07-06T00:00:00


KL-001-2017-013 : Barracuda WAF Management Application Username and Session ID Leak  
Title: Barracuda WAF Management Application Username and Session ID Leak  
Advisory ID: KL-001-2017-013  
Publication Date: 2017.07.06  
Publication URL:  
1. Vulnerability Details  
Affected Vendor: Barracuda  
Affected Product: Web Application Firewall V360  
Affected Version: Firmware v8.0.1.014  
Platform: Embedded Linux  
CWE Classification: CWE-200: Information Exposure  
Impact: Privileged Access  
Attack vector: HTTP  
2. Vulnerability Description  
The Barracuda WAF management application transmits the current  
user and session identifier over HTTP GET.  
3. Technical Description  
The HTTP URL shown below contains both the username and an MD5 hash.  
This information is transmitted over a plaintext network connection.  
The password parameter acts more like a session identifier,  
whose values are valid for a maximum of five days.  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:50.0) Gecko/20100101 Firefox/50.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  

HTTP/1.1 200 OK  
Server: BarracudaHTTP 4.0  
Content-Type: text/html; charset=utf-8  
Connection: close  
Expires: Fri, 27 Nov 2015 16:26:42 GMT  
Date: Sat, 26 Nov 2016 16:26:42 GMT  
Content-length: 100997  
X-Frame-Options: SAMEORIGIN  
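
An added example, not part of the KoreLogic advisory: a defender-side scan of web or proxy access logs for the exposure described in section 3, reporting and redacting query parameters that carry a session-like MD5 value. The Common Log Format input, the request paths, and the `user` and `token` parameter names are assumptions; only the `password` parameter name comes from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a Common Log Format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MD5_RE = re.compile(r'^[0-9a-fA-F]{32}$')

def find_leaks(line, secret_names=("password",)):
    """Return (name, value) pairs in one log line that expose a secret:
    the name is in secret_names, or the value is shaped like an MD5 digest."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [(n, v) for n, v in parse_qsl(query, keep_blank_values=True)
            if n.lower() in secret_names or MD5_RE.match(v)]

def redact(line):
    """Blank out leaked values (assumes names are not percent-encoded)."""
    for name, _ in find_leaks(line):
        pattern = r'([?&]' + re.escape(name) + r'=)[^&\s"]*'
        line = re.sub(pattern, lambda m: m.group(1) + "[REDACTED]", line)
    return line

def scan(lines):
    """Yield (line_number, parameter_names, redacted_line) for each hit."""
    for n, line in enumerate(lines, 1):
        hits = find_leaks(line)
        if hits:
            yield n, [name for name, _ in hits], redact(line)

# Constructed sample log lines: the paths, the "user" and "token" parameter
# names, and every value are made up for this example (assumptions).
SAMPLE = [
    '10.0.0.5 - - [26/Nov/2016:16:26:42 +0000] "GET /mgmt/index?user=admin&password=0123456789abcdef0123456789abcdef HTTP/1.1" 200 100997',
    '10.0.0.5 - - [26/Nov/2016:16:26:43 +0000] "GET /static/logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [26/Nov/2016:16:27:01 +0000] "GET /report?token=ABCDEF0123456789abcdef0123456789 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for n, names, safe in scan(SAMPLE):
        print(n, names, safe)
```

A hit whose log timestamp falls inside the five-day validity window stated above should be treated as a live session identifier.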
4. Mitigation and Remediation Recommendation  
The vendor has patched this vulnerability in the latest  
virtual appliance release.  
5. Credit  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc. and Joshua Hardin.  
6. Disclosure Timeline  
2016.12.20 - KoreLogic sends vulnerability report and PoC to  
2016.12.21 - Barracuda acknowledges receipt of the vulnerability  
2017.01.09 - Barracuda informs KoreLogic that they are working  
on remediation for this issue.  
2017.01.26 - Barracuda asks for additional time beyond the  
standard 45 business day embargo to address this  
and other issues reported by KoreLogic.  
2017.02.27 - 45 business days have elapsed since the issue was  
2017.04.10 - 75 business days have elapsed since the issue was  
2017.05.15 - 100 business days have elapsed since the issue was  
2017.05.24 - Barracuda updates KoreLogic on the status of the  
remediation efforts.  
2017.06.13 - 120 business days have elapsed since the issue was  
2017.06.27 - Barracuda informs KoreLogic that the issue has  
been fixed in the latest release of the WAF  
virtual appliance.  
2017.07.06 - KoreLogic public disclosure.  
7. Proof of Concept  
See 3. Technical Description  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
Our public vulnerability disclosure policy is available at: