Barracuda Networks security advisory


Barracuda Networks has been actively investigating the potential impact of CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown) on our products and services.

In the wake of the release of Meltdown and Spectre, we expect increased research interest in speculative execution attacks. In March 2018, researchers published another attack, CVE-2018-9056 (BranchScope), which is a side-channel attack requiring local code execution to exploit. The same mitigating controls and considerations that protect Barracuda customers from Meltdown and Spectre apply to other processor attacks requiring local code execution to exploit.

Barracuda Appliances: our appliance products do contain hardware affected by the Meltdown and Spectre vulnerabilities. However, Barracuda physical and virtual appliances do not allow execution of untrusted code. This prohibition creates a compensating control that protects our customers from these three vulnerabilities. We are keeping a close eye on the remediation solutions evolving in the community and will phase in additional solutions through software updates when appropriate.

Virtual appliances running on a vulnerable host system are vulnerable to CVE-2017-5715 (Variant 2) from malicious guests on the same host. Customers hosting their own virtual environments should follow the recommendations of their hypervisor manufacturer to update their host systems. The prohibition against execution of untrusted code, in combination with mitigations on the host system, protects our customers from all three vulnerabilities.

Barracuda Appliances deployed in Public Cloud Environments: public cloud vendors have been quick to deploy remediations to their hosting infrastructure to address these issues. The combination of host system mitigations and the compensating controls built into Barracuda virtual appliances protects our customers from all three vulnerabilities.

Advisories from our public cloud partners assuring remediation are included as follows:

Barracuda Cloud Services: similar to our appliance products, our services prohibit execution of untrusted code in the context of our services. Where untrusted content can execute on hardware in our cloud dedicated to that purpose (e.g. Cloud LiveBoot for Barracuda Backup), we are deploying patches to our hypervisors to mitigate these vulnerabilities.

If you have any questions regarding how these CVEs may impact your Barracuda solutions, please contact our support team by opening a case here or by sending an email to support@barracuda.com
