Barracuda Networks

Tech Alerts

Legacy Barracuda Spam Firewalls queued inbound email upon receiving virus update 2.2.18205
Date: 2008-03-12
Affected Products: Barracuda Spam Firewall Release 3.4.10.087 (2007-01-09) and earlier
Revision: A1.0
Risk Rating: None

On March 11, 2008 at 4:45 PM PDT, virus definition 2.2.18205 contained an incompatibility with Barracuda Spam Firewalls running legacy firmware release 3.4.10.087 and earlier, using current virus definitions.  This incompatibility was the result of an invalid reference in the virus system maintenance routines and triggered the “hold down” protections in the Barracuda Spam Firewall.  To protect our customers against potential errors in the virus system maintenance, the Barracuda Spam Firewall has a built-in precautionary “hold down” feature that automatically prevents email from being sent and keeps potentially infected emails from being delivered.

Any Barracuda Spam Firewall in the field running legacy firmware that received virus definition 2.2.18205 immediately began to queue all incoming messages.  Because the change affected the virus system maintenance routines, reverting and updating virus definitions did not resolve the issue.  At 9:00 PM PDT, spam definitions 3.0.69866 and 3.1.44577 were released that contained configuration settings and a forced restart of the email scanning engine to mitigate the issue.

For all affected customers, Barracuda Spam Firewalls resumed normal processing of email once they downloaded the new spam definition. No email should have been lost as the result of this delay.

Barracuda Networks customers are strongly advised to update to the latest generally available firmware release for the most up-to-date protection against Internet threats.

Barracuda Spam Firewall resolved user interface issue when Monitor Web Syslog screen is open
Date: 2007-09-19
Affected Products: Barracuda Spam Firewalls Release 3.5.10.013 and earlier
Revision: A1.0
Risk Rating: Low

Recently, security researcher Federico Kirschbaum reported an issue in the Barracuda Spam Firewall Web administration interface to Barracuda Networks. A cross-site scripting vulnerability existed when a login was attempted with a username containing injected JavaScript, but only while the “Monitor Web Syslog” screen was already open in an authenticated user's session.

The risk rating of this issue is low because the “Monitor Web Syslog” screen is largely a diagnostic utility and is not typically used once syslog outputs are set up in production environments.

Barracuda Networks resolved this issue identified by Mr. Kirschbaum with generally available firmware release 3.5.10.016 (2007-09-06).

For maximum protection, Barracuda Networks recommends that all customers upgrade to the latest generally available release of the firmware.

Barracuda Spam Firewall resolved vulnerability associated with use of zoo file decompression utility
Date: 2007-05-04
Affected Products: Barracuda Spam Firewalls
Revision: A1.0
Risk Rating: None

Zoo is an archive file format and legacy compression program that was popular in the mid-1980s. To support decompression of legacy zoo file archives used in virus checking and enforcing file attachment policy, the Barracuda Spam Firewall includes the zoo program. Recently, security researcher Jean-Sébastien Guay-Leroux discovered an implementation error in the zoo program which could result in an infinite loop and high utilization of system resources in certain solutions.

On Monday, March 19, 2007, Barracuda Networks delivered system settings through Energize Updates to all Barracuda Spam Firewalls in the field to disarm the potential zoo program vulnerability. Barracuda Networks credits Mr. Guay-Leroux for his research of this vulnerability and his proposals for a mitigation strategy. Moreover, Barracuda Networks has changed new systems shipping out of the factory to mitigate this zoo program vulnerability.

All Barracuda Spam Firewalls running firmware release 3.4 or higher and virus definition 2.0.6399 or higher, should be free from the vulnerability identified by Mr. Guay-Leroux. In addition, Barracuda Spam Firewalls running firmware releases earlier than release 3.4 and virus definition versions at 2.06399o or later should also be free from this vulnerability.

For maximum protection, Barracuda Networks recommends that all customers upgrade to the latest generally available release of the firmware.

Legacy Barracuda Spam Firewalls queued inbound email upon receiving virus update 2.1.6
Date: 2007-03-30
Affected Products: Barracuda Spam Firewall Release 3.3 and earlier
Revision: A1.0
Risk Rating: None

On March 29, 2007 at 5:00 PM PDT, virus definition 2.1.6 targeted at recent Internet threat activity contained an incompatibility with legacy Barracuda Spam Firewall firmware releases 3.3 and earlier. To protect our customers against potential errors with incompatible versions, the Barracuda Spam Firewall has a built-in precautionary feature which automatically prevents email from being sent and keeps potentially infected emails from being delivered. Any Barracuda Spam Firewall in the field running legacy firmware that had received virus definition 2.1.6 immediately began to queue all incoming messages until a backward compatible virus definition became available. At 9:16 PM PDT, a backward compatible virus definition 2.1.18o was released. For all affected customers, Barracuda Spam Firewalls resumed normal processing of email once they downloaded the new definition, and no email should have been lost as the result of this delay. Barracuda Networks customers are strongly advised to update to the latest generally available firmware release for the most up-to-date protection against Internet threats.

Changes to Daylight Savings Time in U.S. supported by all Barracuda Networks products
Date: 2007-02-09
Affected Products: All Barracuda Networks Products
Revision: A1.0
References: http://www.fedcenter.gov
Risk Rating: None

The annual start and end dates for Daylight Savings Time (DST) in the United States will be changing on March 11, 2007, due to the Energy Policy Act of 2005 (USA: Public Law 109-58 / 109th Congress / Section 110). Clocks in the United States will need to "Spring Forward" one hour on the second Sunday in March (three weeks earlier than the previous first Sunday in April), and will "Fall Back" one hour on the first Sunday in November (one week later than the previous last Sunday in October).

Support for this change to DST is currently available in all Barracuda Networks products running the following firmware versions:

  • Barracuda Spam Firewall, version 3.4.08.038 and higher
  • Barracuda Web Filter, version 3.1.0.30 and higher
  • Barracuda IM Firewall, version 2.1.03 and higher
  • Barracuda Load Balancer, version 1.4.031 and higher

Any systems that are not already on at least the firmware versions named above should be upgraded as soon as possible to the latest available version.

Incorrect fingerprint definition delivered with virus definition update 2.0.3936
Date: 2007-02-06
Affected Products: Barracuda Spam Firewall Release 3.4 and higher
Revision: A1.0
Risk Rating: None

On February 6, 2007 at 8:35 am PST, a virus definition was released that contained an incorrect spam fingerprint definition (virus definition 2.0.3936) to Barracuda Spam Firewalls running firmware release 3.4 and higher. This incorrect definition was removed by 9:15 am PST on the same day with virus definition 2.0.3939. Affected messages were blocked with a reason code of Fingerprint (TXT1). Please note that customers running firmware release 3.4 may see messages initially logged in the user interface with a delivery status of "blocked" that may have been ultimately delivered to end users through a subsequent update. Customers are advised to check for any potential false positives blocked for fingerprint definition TXT1 that were not subsequently delivered to end users. The root cause of this issue was operational in nature. Preventative measures have been implemented into Barracuda Central operations.

Virus definition 2.03606o delivered to all Barracuda Spam Firewalls
Date: 2007-02-01
Affected Products: Barracuda Spam Firewall Release 3.4 and higher
Revision: A1.0
Risk Rating: None

Barracuda Central maintains two different forms of virus definition files. One form is used specifically for Barracuda Spam Firewalls running firmware release 3.4 and higher. The other form is denoted with a suffix of "o" in the version number and is used for the Barracuda Web Filter, Barracuda IM Firewall, and any Barracuda Spam Firewalls running versions earlier than release 3.4. On February 1, 2007 at 2:07am PST, Barracuda Central published virus definition 2.0.3606o to all Barracuda Spam Firewalls, creating a mismatch for those releases running firmware release 3.4 and higher. Upon detecting an incorrect virus definition file, Barracuda Spam Firewalls in the field immediately invoked a built-in precautionary mechanism to prevent potentially harmful emails from being sent. By 2:38am PST, a new virus definition file 2.0.3607 was issued to remedy this situation. During this period, the Barracuda Spam Firewalls accepted all messages and simply deferred them in a queue until they downloaded a new virus definition automatically. No email was lost as the result of this issue. This event was unrelated to the operational issue described in Technical Alert No. 20070131.

Incorrect fingerprint definition delivered with virus definition update 2.0.3568
Date: 2007-01-31
Affected Products: Barracuda Spam Firewall Release 3.4 and higher
Revision: A1.0
Risk Rating: None

On January 31, 2007 at 2:20 pm PST, a virus definition was released that contained an incorrect spam fingerprint definition (virus definition 2.0.3568) to Barracuda Spam Firewalls running firmware release 3.4 and higher. This incorrect definition was removed by 3:15pm PST on the same day with virus definition 2.0.3572. Affected messages were blocked with a reason code of Fingerprint (IMG6370628). Please note that customers running firmware release 3.4 may see messages initially logged in the user interface with a delivery status of "blocked" that may have been ultimately delivered to end users through a subsequent update. Customers are advised to check for any potential false positives blocked for fingerprint definition IMG6370628 that were not subsequently delivered to end users. The root cause of this issue was operational in nature. Preventative measures for this particular issue have already been implemented into Barracuda Central operations.

Barracuda Web Filter “Proxies” content filter category errors in content filter definition 1.0.387
Date: 2007-01-24
Affected Products: Barracuda Web Filter
Revision: A1.0
Risk Rating: None

On January 23, 2007 at 8:57pm PST, a content filter definition was released that had errors in the “Proxies” category (content filter definition 1.0.387). With this definition, Barracuda Web Filter policies blocking the “Proxies” content category also blocked certain sites normally categorized under the “Search Engine & Portals” category. By January 24, 2007 at 7:23am PST, a new content filter definition (1.0.389) was published. All Barracuda Web Filter systems in the field with active Energize Updates subscriptions should have been automatically updated with the corrected content filter definition by 10:38am PST the same day. The cause of these errors was an operational error at Barracuda Central, and it has been resolved. Additional quality assurance processes including both human and software checks have been implemented to avoid this problem in the future.

Barracuda Spam Firewall protects Adobe Reader users against cross-site scripting (XSS) vulnerability
Date: 2007-01-04
Affected Products: Barracuda Spam Firewall
Revision: A1.0
Risk Rating: None

The Barracuda Spam Firewall incorporates rules that protect users from a potentially harmful vulnerability in Adobe Reader.

The Adobe Reader vulnerability affects those users who utilize the Adobe Reader plug-in that enables Adobe Acrobat Portable Document Format (PDF) files to be opened from within their Web browsers. To facilitate features such as populating fields in Acrobat forms, the Adobe Reader contains the ability to pass URL parameters in Web links to the Adobe Reader plug-in. However, if scripts are embedded within the URL parameters, an attacker can run code in the user’s Web browser. The exploit can be run against PDF documents posted on reputable Web sites without requiring an attacker to compromise that site in any way.

To prevent the proliferation of emails that could exploit this vulnerability, the Barracuda Spam Firewall now incorporates rules that look for URLs referencing PDF files that contain URL parameters. When scored with indicators of scripting, the Barracuda Spam Firewall will automatically block these messages, protecting users from potentially dangerous attacks.

All existing Barracuda Spam Firewall customers with active Energize Updates subscriptions are currently protected against this vulnerability. Existing customers running the version 3.0 spam rule definitions should ensure that their version number is at 3.0.30651 or higher. Existing customers running the version 3.1 spam rule definitions should ensure that their version number is 3.1.5316 or higher. Messages blocked by these rules can be identified with the rule name PDF_EXPLOIT in the Barracuda Spam Report Rule Breakdown in the blocked message headers.
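
The rule logic described above (find URLs that reference a PDF file and carry URL parameters, then score the parameters for indicators of scripting) can be sketched as follows. This is an added example, not Barracuda's PDF_EXPLOIT rule: the indicator patterns, weights, threshold and function names are assumptions, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed indicators and weights; the page does not publish the real rule.
SCRIPT_INDICATORS = {
    r"javascript\s*:": 3.0,
    r"<\s*script": 3.0,
    r"\bon\w+\s*=": 2.0,           # inline event handlers such as onload=
    r"document\.|eval\s*\(": 1.5,
}
BLOCK_THRESHOLD = 3.0              # assumed blocking score
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def decode_fully(text, rounds=3):
    """Percent-decode repeatedly so double-encoded parameters are inspected too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def score_url(url):
    """Return 0.0 unless the URL targets a .pdf AND carries query/fragment parameters."""
    try:
        parts = urlsplit(url)
    except ValueError:             # malformed URL: nothing to score
        return 0.0
    if not decode_fully(parts.path).lower().endswith(".pdf"):
        return 0.0
    params = decode_fully(parts.query + " " + parts.fragment).strip()
    if not params:
        return 0.0
    return sum((w for pat, w in SCRIPT_INDICATORS.items()
                if re.search(pat, params, re.IGNORECASE)), 0.0)

def scan_message(body):
    """Return (url, score) for every URL in a message body that reaches the threshold."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,>")    # drop trailing sentence punctuation
        score = score_url(url)
        if score >= BLOCK_THRESHOLD:
            hits.append((url, score))
    return hits

# Constructed sample message body (not real traffic).
SAMPLE_BODY = """\
Quarterly numbers: http://docs.example.com/q1/report.pdf.
Jump to the table: http://docs.example.com/manual.pdf#page=12
Open http://docs.example.com/manual.pdf#x=javascript:void(0) now
Also http://docs.example.com/manual.pdf#x=%256Aavascript:void(0)
Unrelated page: http://www.example.com/page.html#javascript:void(0)
"""

if __name__ == "__main__":
    for url, score in scan_message(SAMPLE_BODY):
        print(f"PDF parameter rule hit (score {score}): {url}")
```

Ordinary PDF open parameters such as `#page=12` score zero, so the check flags only parameterised PDF links that also show scripting indicators, including ones hidden behind double percent-encoding.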

Barracuda Spam Firewall resolved vulnerability associated with use of message encoder/decoder library
Date: 2006-12-05
Affected Products: Barracuda Spam Firewall
Revision: A1.0
Risk Rating: None

To support multiple types of message encoding, the Barracuda Spam Firewall utilizes an underlying encoder/decoder library known commonly as Convert-Uulib. Older versions of this underlying library contained a security vulnerability if called with invalid values. Barracuda Networks credits security researcher Jean-Sébastien Guay-Leroux for his research of this vulnerability and its impact on the Barracuda Spam Firewall running versions earlier than 3.4.09.

As part of normal ongoing feature development, Barracuda Networks updated the underlying encoder/decoder library with firmware release 3.4.09 and later. The most current generally available releases of firmware are not subject to this known vulnerability.

Moreover, on November 29, 2006, system settings were delivered to all Barracuda Spam Firewalls in the field via Energize Updates to disable the underlying mechanisms behind this known vulnerability.

No Barracuda Spam Firewalls with current Energize Updates subscriptions should be subject to the vulnerability identified by Mr. Guay-Leroux. Barracuda Networks recommends that all customers upgrade to the latest generally available release of the firmware.

Barracuda Spam Firewall disabled vulnerabilities for file disclosure and guest access
Date: 2006-08-03
Affected Products: Barracuda Spam Firewall
Revision: A1.0
Risk Rating: None

Barracuda Networks had been working with a security researcher, Greg Sinclair - security (at) nnlsoftware (dot) com - on two past vulnerabilities related to both file disclosure and guest access. On August 3, 2006, system settings were delivered to all Barracuda Spam Firewalls in the field via Energize Updates to disable the underlying mechanisms behind these vulnerabilities. As such, no Barracuda Spam Firewalls with current Energize Updates subscriptions should be affected by these vulnerabilities.

As part of the test rollout, these settings were initially delivered with the upgrade to early release firmware 3.4.05.017 on July 14, 2006. These settings were later successfully delivered with the upgrade to generally available firmware 3.3.03.055 on July 18, 2006. While it is generally recommended that customers upgrade to the latest release, these upgrades are no longer necessary for protection against these specific vulnerabilities identified by Mr. Sinclair.

To avoid future vulnerabilities, Barracuda Networks recommends that customers restrict unnecessary external Web access to their Barracuda Spam Firewalls.

Barracuda Networks credited Mr. Sinclair with his discovery in the release notes for firmware release 3.4.05.017.

Barracuda Spam Firewall queued inbound email upon receiving virus update 1.5.144
Date: 2006-06-13
Affected Products: Barracuda Spam Firewall
Revision: A1.0
Risk Rating: None

On June 13, 2006 at 4:53 AM PDT, a faulty virus definition was released that had an incomplete virus database (virus definition 1.5.144). To protect our customers in the event such a circumstance occurred, the Barracuda Spam Firewall has a built-in precautionary feature which automatically prevents email from being sent through in order to keep potentially infected emails from being delivered. Any Barracuda Spam Firewall in the field that had received virus definition 1.5.144 immediately began to queue all incoming messages until the complete virus database became available. At 7:02 AM PDT, the majority of Barracuda Spam Firewalls automatically received virus definition 1.5.145 containing the complete virus database, and email began to process normally for those customers previously affected. The cause of the incomplete virus definition has been identified and resolved, and additional measures have been put in place to prevent this issue from occurring in the future.


Copyright © 2008 Barracuda Networks. All rights reserved. Privacy Policy.