Barracuda Spam Firewall <= 3.1.10 acts as open relay for whitelisted senders.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Barracuda Spam Firewall <= 3.1.10 acts as open relay for whitelisted senders.
From: Sean Sosik-Hamor <ssh@xxxxxxx>
Date: Thu, 10 Feb 2005 11:27:58 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Description (www.barracudanetworks.com):

The Barracuda Spam Firewall is an integrated hardware and softwaresolution for complete protection of your e-mail server. It provides apowerful, easy to use, and affordable solution to eliminate spam andviruses from your organization.


Synopsis:

Under normal circumstances, the Barracuda Spam Firewall only relaystraffic for domains it is configured for. If a sender's domain or theBarracuda's own domain is whitelisted, however, all rules are bypassedand the Barracuda becomes an open relay for all e-mail sent from thewhitelisted domain. This is unacceptable behavior, and whitelistedsenders should only be able to send e-mail to domains for which theBarracuda is configured to relay.


Effected Versions:
<= Firmware 3.1.10 Open Relay for Whitelisted Domains
>= Firmware 3.1.11 Fixed (Firmware 3.1.12 Released 02/09/2005)

Notes:

Although I found this bug last week while evaluating the Barracuda SpamFirewall Model 200 (Firmware 3.1.10), a quick search of BarracudaNetworks' forums revealed other customers had complained about the sameproblem.


http://forum.barracudanetworks.com/bb/viewtopic.php?t=1545
http://forum.barracudanetworks.com/bb/viewtopic.php?t=1627
http://forum.barracudanetworks.com/bb/viewtopic.php?t=1535

Vendor Response via E-mail (02/08/2005):

The initial vendor response was misleading and inferred that theBarracuda will only become an open relay if you whitelist your owndomain.


Under the Block/Accept -> Sender Domain Block/Accept tab, if you do not
whitelist your own domains, you do not have to worry about the relaying
issue. Open relaying means people telnet to the Barracuda on port 25,
use "mail from: anybody@xxxxxxxxxx" and then "rcpt to" somewhere else on
the Internet. Your Barracuda is rejecting these activities and returns
"Recipient address rejected: No such domain at this location" when the
"rcpt to" domain is not one of the "Allowed Recipient Domains."

Your test below was successful because it is the same way that mails are
sent into your network.

Vendor Response via E-mail (02/09/2005):

The second vendor response verified my findings and confirmed a fixwould be available.


Basically anything in that causes the the email to be white listed will
bypass the scanning engine.
This is going to cause the barracuda to be a open relay, this issue is
fixed on the next release of the firmware.
The new firmware should be released by next week.

Release Notes (3.1.11):

Fix: Whitelisted senders no longer have the potential to use theBarracuda as a relay. Messages are rejected before acceptance insteadof afterwards if destined for a domain not listed on the system.


/Sean/

Prev by Date: [SECURITY] [DSA 673-1] New evolution packages fix arbitrary code execution as root
Next by Date: Re: iDEFENSE Security Advisory 02.07.05: IBM AIX chdev Local Format String Vulnerability
Previous by thread: [SECURITY] [DSA 673-1] New evolution packages fix arbitrary code execution as root
Next by thread: iDEFENSE Security Advisory 02.10.05: IBM AIX lspath Local File Access Vulnerability
Index(es):
- Date
- Thread