Barracuda Disclosed Critical Vulnerabilities in WAF, Affecting File Upload and JSON Protection
Barracuda recently issued a security advisory confirming the presence of 7 security vulnerabilities, ranging from high to critical severity, within their WAF (Web Application Firewall) product.
Barracuda WAF is a security solution for safeguarding web applications against diverse threats and attacks. Available as a cloud-delivered service, it offers simplicity, scalability, and comprehensive application security, including Distributed Denial-of-Service (DDoS) protection.
The identified vulnerabilities make it possible to bypass the protection functions of the WAF, and could lead to Local File Inclusion (LFI) or Remote Code Execution (RCE).
In this blog post, we will share the details of the vulnerabilities, outlining their impact and offering a concise overview to aid those using Barracuda WAF and affected by these security concerns.
Which Barracuda WAF Versions Are Affected by the Vulnerabilities?
Before we begin dissecting the vulnerabilities in Barracuda WAF, here are the affected firmware versions:
- 11.x
- 12.0
- 12.1
Barracuda has addressed the vulnerabilities in firmware version 12.2 and identifies them in two separate categories in its advisory – the first category of vulnerabilities is deemed critical, while the second category includes high and critical severity issues.
Details of Barracuda WAF Vulnerabilities – Category 1
The collective of vulnerabilities highlighted in the Barracuda advisory result from the lack of a default deny approach, allowing unauthorized and unapproved actions to be performed. Specifically, in the case of Barracuda WAF vulnerabilities, this enables the exploitation of methods that are not defined in the policies, potentially leading to the execution of malicious activities.
The vulnerabilities categorized under ‘Category 1’ arise from limitations within Barracuda WAF’s file upload protection feature. It has been discovered that security settings can be circumvented by employing HTTP methods other than POST, notably PUT.
Barracuda states that, while the method is not allowed by default, it enables the creation or alteration of resources, thereby bypassing the file upload security policies and restrictions, consequently allowing the upload of malicious files and potentially triggering RCE or local file inclusion issues.
Below are the vulnerability identifiers (VIDs) under Category 1:
VID 1.1: Using the PUT method and uploading multiple files in one request can bypass the “Max Allowed Files” count set on Barracuda WAF. Barracuda recommends configuring Maximum Upload Files to the required value after the upgrade, and the recommended value is 5.
VID 1.2: Using a method other than POST can bypass the security settings limiting the allowed MIME file types on the WAF. If the WAF administrator restricts MIME types to prevent the upload of executables, which can lead to RCE or CFI (Control-Flow Integrity) vulnerabilities being exploited, the protection measures can be bypassed by using a method like PUT.
VID 1.3: Using a method other than POST, like PUT, an attacker can bypass the antivirus engine used by a WAF administrator to protect a backend application from malicious file uploads.
VID 1.4: If the WAF administrator uses the Barracuda Advanced Threat Protection (ATP) engine to protect a backend application, the protection measures can be bypassed by an attacker using a method other than POST, like PUT. Barracuda states that users subscribed to ATP can request a support-assisted firmware patch.
Details of Barracuda WAF Vulnerabilities – Category 2
The vulnerabilities categorized under ‘Category 2’ stem from limitations in the JSON security protection module of the Barracuda WAF. This protection can be bypassed if attackers use HTTP methods not specified in the JSON security policy.
The firewall’s default JSON security policy is set to POST methods. In website profile settings, methods are restricted to those in the policy, blocking others. Method settings within JSON security policies serve as matching criteria. If the method does not match the policy settings, the payload bypasses failsafe checks.
Here are the vulnerabilities detailed under Category 2 in the Barracuda advisory:
VID 2.1: When an administrator uploads an API specification file (e.g., OAS/Swagger), endpoint policies are created based on the file. However, policies may allow malicious payloads with methods other than those defined, bypassing checks.
VID 2.2: Uploading an API specification file (e.g., OAS/Swagger) establishes endpoint policies, but a “last resort” policy is not set for endpoints not in the OAS. Attackers can exploit this by sending malicious payloads to such endpoints, bypassing security checks. As a protection measure, it is recommended to manually set Extended Match to * for a default JSON profile after the upgrade.
VID 2.3: The default JSON security policy on the WAF only protects JSON payloads over the POST method. It is noted that this issue occurs due to a design limitation, and the policy bypasses parsing without a global failsafe mechanism. After the upgrade, Barracuda recommends manually configuring the default JSON profile by setting Extended Match to *, enabling Strict Method Check, and setting Allowed Methods as required for API endpoints.
For additional information on these security vulnerabilities and remediation, visit the official advisory.
Take Control of Your Security Posture with SOCRadar’s Next-Level Vulnerability Detection
Organizations can identify and assess vulnerabilities in their systems through SOCRadar’s vulnerability detection capabilities – the platform continuously monitors the threat landscape, including the most recent vulnerabilities and exploits, providing real-time alerts whenever critical vulnerabilities or exploits are discovered for pre-defined product components and technologies associated with an organization’s digital footprint. Explore the platform’s full capabilities through Freemium.