Barracuda has released a critical security update to the Barracuda Web Filter with firmware version 8.1.0.005, for customers who are using or going to use SSL Inspection on the Barracuda Web Filter. This also applies if you have enabled SSL Inspection in the past, but have subsequently turned it off. We recommend installing version 8.1.0.005 on your Barracuda Web Filter as soon as it is available, and that you not use the SSL inspection capabilities without upgrading to this firmware version. You can see the full release notes here.
The new firmware version specifically addresses CVE-2015-0961 and CVE-2015-0962, which Barracuda requested in response to this blog post. The Barracuda team worked closely with CERT in responding to their call for research, requesting the CVEs, working within CERT timelines, and coordinating disclosure. We also proactively contacted Barracuda Web Filter customers to advise them of the vulnerabilities that we discovered.
If you are using the SSL Inspection features, you may need to deploy new certificates to clients. We have updated our Tech Library documentation to assist in this process, and we have created a certificate check site to help you determine if your web clients are affected.
In conjunction with CERT, we are also releasing a tech alert on this firmware release. The tech alert explains the recently discovered implementation weaknesses in features that use SSL Inspection.
- Barracuda Tech Alert
- Tech Library Documentation for Barracuda Web Filter firmware version 8.1.0.005
- Barracuda Web Filter Certificate Check Site
- CERT blog post on SSL Inspection
The entire tech alert is available on our Tech Alert page here and at the end of this post.
If you have any questions regarding the tech alert, please contact our support team at 888-268-4772.
This post will be updated if new information becomes available.
Barracuda Tech Alert:
Title: Barracuda Web Filter, SSL Inspection, CVE-2015-0961 and CVE-2015-0962
Affected Product(s): Barracuda Web Filter
Risk Rating: High
In conjunction with recent external research by CERT into SSL Inspection implementations in the market, Barracuda Networks conducted an audit of the Barracuda Web Filter. On Thursday, April 16th, we released Barracuda Web Filter version 8.1.0.005 to address two issues identified in our audit.
CVE-2015-0961: prior to version 8.1.0.005, the Barracuda Web Filter does not properly check the validity of upstream certificates when SSL Inspection is enabled. Upgrading to version 8.1.0.005 resolves this issue and no other action is required.
CVE-2015-0962: versions 7.0 through 8.1.003 ship with a set of default root CA certificates that are common across appliances. Upgrading to version 8.1.0.005 ensures that each unit has a unique default root CA certificate. Customers who have configured SSL Inspection with the default certificate should deploy new certificates following the instructions at https://techlib.barracuda.com/BWF/UpdateSSLCerts.
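As an added illustration of what "properly checking the validity of upstream certificates" (CVE-2015-0961) involves for any SSL-inspecting proxy, the following Python sketch is not Barracuda's code and makes no claim about the Web Filter's internals. It contrasts an upstream TLS context with verification disabled against one that enforces chain and hostname validation, and shows the name and validity-window checks a proxy must apply to the upstream certificate before minting a replacement for the client. The certificate dictionary and timestamps are constructed sample data in the shape returned by `SSLSocket.getpeercert()`.

```python
import socket
import ssl
import time


def weak_upstream_context():
    """The misconfiguration class behind CVE-2015-0961: with verification off, the
    proxy accepts any upstream certificate (self-signed, expired, wrong name) and
    would re-sign it for the client, so the client never sees the problem."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_upstream_context(ca_bundle=None):
    """Upstream (server-side) leg of an inspecting proxy: chain validation against
    trusted roots plus hostname checking. ca_bundle=None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a single leading wildcard label only, never across dots."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def upstream_cert_acceptable(cert, hostname, now=None):
    """Checks on the parsed upstream certificate that must pass before a proxy
    re-signs it for the client. Chain trust is enforced by the SSLContext above;
    this covers the validity window and the requested hostname (SAN, then CN)."""
    now = time.time() if now is None else now
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        return False
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject CN only when no SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


def connect_upstream(host, port=443, ctx=None):
    """Open the verified upstream leg; raises ssl.SSLCertVerificationError on failure."""
    ctx = ctx or hardened_upstream_context()
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


SAMPLE_CERT = {  # constructed sample, not a real certificate
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Apr 16 00:00:00 2015 GMT",
    "notAfter": "Dec 31 23:59:59 2015 GMT",
}
```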
For maximum protection, Barracuda Networks recommends that all customers ensure that their security definitions are set to On and upgrade to the latest generally available release of the firmware and security definitions.