Barracuda has released a critical security update to the Barracuda Web Filter with firmware version 8.1.0.005, for customers who are using or going to use SSL Inspection on the Barracuda Web Filter. This also applies if you have enabled SSL Inspection in the past, but have subsequently turned it off. We recommend installing version 8.1.0.005 on your Barracuda Web Filter as soon as it is available, and that you not use the SSL inspection capabilities without upgrading to this firmware version. You can see the full release notes here.
The new firmware version specifically addresses CVE-2015-0961 and CVE-2015-0962, which Barracuda requested in response to this blog post. The Barracuda team worked closely with CERT in responding to their call for research, requesting the CVEs, working within CERT timelines, and coordinating disclosure. We also proactively contacted Barracuda Web Filter customers to advise them of the vulnerabilities that we discovered.
If you are using the SSL Inspection features, you may need to deploy new certificates to clients. We have updated our Tech Library documentation to assist in this process, and we have created a certificate check site to help you determine if your web clients are affected.
In conjunction with CERT, we are also releasing a tech alert on this firmware release. The tech alert explains the recently discovered implementation weaknesses in features that use SSL Inspection.
- Barracuda Tech Alert
- Tech Library Documentation for Barracuda Web Filter firmware version 8.1.0.005
- Barracuda Web Filter Certificate Check Site
- CERT blog post on SSL Inspection
The entire tech alert is available on our Tech Alert page here and at the end of this post.
If you have any questions regarding the tech alert, please contact our support team at 888-268-4772.
This post will be updated if new information becomes available.
Barracuda Tech Alert:
Title: Barracuda Web Filter, SSL Inspection, CVE-2015-0961 and CVE-2015-0962
Affected Product(s): Barracuda Web Filter
Risk Rating: High
In parallel with recent external research by the Computer Emergency Response Team on SSL inspection implementations in the market, Barracuda Networks conducted an audit of the Barracuda Web Filter. On Thursday, April 16, we released Barracuda Web Filter version 8.1.0.005 to resolve two issues found during our audit.
CVE-2015-0961: prior to version 8.1.0.005, the Barracuda Web Firewall does not properly check the validity of upstream certificates when SSL inspection is enabled. Upgrading to version 8.1.0.005 resolves this issue and no other action is required.
CVE-2015-0962: versions 7.0 through 8.1.003 ship with a set of default root CA certificates that are common across appliances. Upgrading to version 8.1.0.005 ensures that each unit has a unique default root CA certificate. Customers who have configured SSL Inspection with the default certificate should deploy new certificates following the instructions at https://techlib.barracuda.com/BWF/UpdateSSLCerts.
For maximum protection, Barracuda Networks recommends that all customers ensure that security definitions are enabled and update firmware and security definitions to the most recent generally available release.
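The following is an added example, not Barracuda's code or tooling, for the CVE-2015-0962 item above: after upgrading, an administrator can confirm that no two units present the same SSL Inspection root CA and that client trust bundles no longer contain a retired default root. The appliance names and certificate bytes are constructed placeholders; real input would be the root CA PEM exported from each unit and the PEM trust bundle deployed to clients.

```python
import base64
import hashlib
import re
import ssl
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate block in pem_text."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)]

def shared_roots(exports):
    """exports: {appliance name: PEM of its SSL Inspection root CA}.
    Returns {fingerprint: [appliances]} for roots found on more than one unit."""
    seen = defaultdict(list)
    for name, pem in exports.items():
        for fp in fingerprints(pem):
            seen[fp].append(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

def stale_trust(client_bundle_pem, retired_fps):
    """Fingerprints in a client trust bundle that match retired default roots."""
    retired = set(retired_fps)
    return [fp for fp in fingerprints(client_bundle_pem) if fp in retired]

def _fake_pem(label):
    # Constructed stand-in: NOT a real certificate, only bytes to fingerprint.
    body = base64.encodebytes(b"constructed-cert:" + label).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample data (hypothetical appliance names).
OLD_DEFAULT = _fake_pem(b"shared-default-root")
NEW_A, NEW_B = _fake_pem(b"unit-a-root"), _fake_pem(b"unit-b-root")
BEFORE = {"bwf-site-a": OLD_DEFAULT, "bwf-site-b": OLD_DEFAULT}
AFTER = {"bwf-site-a": NEW_A, "bwf-site-b": NEW_B}

if __name__ == "__main__":
    print("shared before upgrade:", shared_roots(BEFORE))
    print("shared after upgrade: ", shared_roots(AFTER))
    # A client that received the new root but still trusts the old default.
    print("stale roots on client:",
          stale_trust(NEW_A + OLD_DEFAULT, fingerprints(OLD_DEFAULT)))
```

A non-empty result from `shared_roots` means at least two units still present the same root CA; a non-empty result from `stale_trust` means the client bundle still needs the old default root removed.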