From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 24 Feb 2005 17:23:12 +0200
Subject: [NEWS] Barracuda Spam Firewall Mail Relay Restriction Bypassing
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050224172737.6C1EA57A7@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Barracuda Spam Firewall Mail Relay Restriction Bypassing
------------------------------------------------------------------------
SUMMARY
<www.barracudanetworks.com> The Barracuda Spam Firewall is "an integrated
hardware and software solution for complete protection of your e-mail
server. It provides a powerful, easy to use, and affordable solution to
eliminate SPAM and viruses from your organization".
It is possible to bypass the Barracuda product's configuration and cause
the Baracuda act as an open relay if the sender's domain is in the
whitelist.
DETAILS
Vulnerable Systems:
* The Barracuda Spam Firewall version 3.1.10 and prior.
Immune Systems:
* The Barracuda Spam Firewall version 3.1.11 (Firmware 3.1.12 was
released on 02/09/2005) or newer
Under normal circumstances, the Barracuda Spam Firewall only relays
traffic for domains it is configured for. If a sender's domain or the
Barracuda's own domain is whitelisted, however, all rules are bypassed and
the Barracuda becomes an open relay for all e-mail sent from the
whitelisted domain. This is unacceptable behavior, and whitelisted senders
should only be able to send e-mail to domains for which the Barracuda is
configured to relay.
Although this bug was found while evaluating the Barracuda Spam Firewall
Model 200 (Firmware 3.1.10), a quick search of Barracuda Networks' forums
revealed other customers had complained about the same problem.
<http://forum.barracudanetworks.com/bb/viewtopic.php?t=1545>;
http://forum.barracudanetworks.com/bb/viewtopic.php?t=1545
<http://forum.barracudanetworks.com/bb/viewtopic.php?t=1627>;
http://forum.barracudanetworks.com/bb/viewtopic.php?t=1627
<http://forum.barracudanetworks.com/bb/viewtopic.php?t=1535>;
http://forum.barracudanetworks.com/bb/viewtopic.php?t=1535
Vendor Status:
Vendor Response via E-mail (02/08/2005): The initial vendor response was
misleading and inferred that the Barracuda will only become an open relay
if you whitelist your own domain.
Under the Block/Accept -> Sender Domain Block/Accept tab, if you do not
whitelist your own domains, you do not have to worry about the relaying
issue. Open relaying means people telnet to the Barracuda on port 25, use
"mail from: [email protected]" and then "rcpt to" somewhere else on the
Internet. Your Barracuda is rejecting these activities and returns
"Recipient address rejected: No such domain at this location" when the
"rcpt to" domain is not one of the "Allowed Recipient Domains."
Your test below was successful because it is the same way that mails are
sent into your network.
Vendor Response via E-mail (02/09/2005): The second vendor response
verified the author's findings and confirmed a fix would be available.
Basically anything in that causes the the email to be white listed will
bypass the scanning engine. This is going to cause the barracuda to be a
open relay.
Release Notes (3.1.11):
Fix: Whitelisted senders no longer have the potential to use the Barracuda
as a relay. Messages are rejected before acceptance instead of afterwards
if destined for a domain not listed on the system.
ADDITIONAL INFORMATION
The information has been provided by <mailto:ssh@mac.com.> Sean
Sosik-Hamor.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
