Barracuda Urges Replacing - Not Patching - Its Email Security Gateways
Author : LinuxBender
Score : 146 points
Date : 2023-06-10 20:06 UTC (2 hours ago)
web link (krebsonsecurity.com)

| znpy wrote:
| I wonder what bcantrill's take on this will be.
|
| He's been on his personal holy war on firmware for years now, I'm not joking, I'm curious to read his opinions on this issue.
|
| Maybe Barracuda could use some kind of standalone 2U Oxide server instead of Supermicro servers? ;)

| brirec wrote:
| With all due respect (and I really mean that -- bcantrill is absolutely deserving of tremendous respect), why would using an Oxide server for the hardware be any different (better or worse) than a SuperMicro server?
|
| And further, is it even possible to get Oxide equipment yet? Is there even a timeline? Or is it still vaporware?

| Ccubidu wrote:
| Seems like they can only patch the application remotely - and not the OS - at least not at the same time (patch OS - then after reboot - let the app look for updates. The time between could have been enough to compromise it again).

| PragmaticPulp wrote:
| Barracuda is providing replacement hardware at no cost. This critical piece of information is buried halfway down the article:
|
| > In a statement, Barracuda said it will be providing the replacement product to impacted customers at no cost
|
| Obviously the time and effort to replace a device isn't free, but at least they're doing the right thing by acknowledging the issue and doing what they can to fix it definitively.

| samstave wrote:
| Way cheaper than a lawsuit!
|
| But correct - it's the right thing to do regardless of the true, ultimate motivations...
|
| But what I'd like to know is the impact of this?
| Like - how much corporate opportunity loss may have been created through information breaches which were unknown... That will never be known, unless we can assuredly say 'none', which is doubtful...
|
| -
|
| > _Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware_
|
| Heh -- uhm... Isn't that like _THE_ _CORE_ component of the device's job?
|
| Aside from ensuring filters on attachment egress blah blah...
|
| --
|
| > _No other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability_
|
| I'd like to hear them directly say that this specific ESG device line was NOT used in their Email SaaS offerings?
|
| And to know exactly what ESG kit they are using?
|
| Seems like a reasonable request if you're a large (or any) customer of theirs...

| atesti wrote:
| Is the message archiver also affected?

| upon_drumhead wrote:
| > "No other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability," the company said.

| wazoox wrote:
| What's funny is that obviously, the Barracuda "appliance" is a standard Supermicro 2U server :)

| ocdtrekkie wrote:
| This is often the case. VM appliances are all little Linux VMs where the user just doesn't have access to the internals. Heck, that's basically Docker containers too.
|
| Also, Barracuda cheaps out on these massively, especially at the low end. I've seen, in the modern Core i years, Barracuda 1U appliances powered by Pentium III processors. I suppose they are powerful enough for the job Barracuda is asking of them, but it's worth a chuckle to see how many years old the chipset they're shipping is.
|
| The hardware is absolutely the cheapest part of the stack for them.
| nickdothutton wrote:
| Given that this looks to be just a particular build of Supermicro server, I wonder what mechanism the malware uses to achieve persistence such that a reformat or FS restore wouldn't take care of it. Does anyone know if these devices have Supermicro IPMIs on them? Those are notoriously insecure (like most lights-out managers) and a great place to hide malware persistently.
|
| Edit: Typo.

| kotaKat wrote:
| They're not all Supermicro servers. Some are other mobo vendors; I've seen some ESG 400s with MSI boards in them.

| greggsy wrote:
| If your IPMI is in any way exposed to anyone other than your administrators, then you have other problems. These interfaces should be segmented away from all other networks, irrespective of any vulnerabilities they could have.

| jwiz wrote:
| Some Supermicro will default to put IPMI on the shared primary NIC if the dedicated IPMI NIC has no link at power-on.

| Animats wrote:
| This points out a major issue with IPMI and "management engine" components on motherboards. If a vulnerability is found at the lower levels, you may have to replace the hardware. Vendors may be more reluctant to put that stuff in if it leads to legal liability.

| rvba wrote:
| Is this the same Supermicro that had physical backdoors implemented by China?
|
| https://www.bloomberg.com/news/features/2018-10-04/the-big-h...

| ocdtrekkie wrote:
| Yes, except that article has remained wholly unsubstantiated by facts for five years. It seems to have been bunk.

| greggsy wrote:
| That article captured the imagination of the public, but has been derided by any and every cyber security professional worth their salt almost from day dot.
|
| Despite this, Bloomberg have refused to retract it or supply any credible sources, presumably because it continues to draw traffic.
| technion wrote:
| And yet "do we have any backdoored Supermicro hardware" is a common question from non-technical management, even today. It's infuriating that it hasn't been retracted, as I'm still talking about it. It's also at the forefront of insurance questions.

| hypothesis wrote:
| Given that outsize influence, you would think they would sue Bloomberg... I guess they don't really care...

| technion wrote:
| Write-ups reviewing the malware never suggested such persistence. This seems to be something done out of caution rather than a specific finding.

| greggsy wrote:
| The write-ups I'm reading suggest that the malware was specifically designed to maintain persistence via firmware (i.e. rootkits), typically attributable to state actors.

| mikece wrote:
| Careful what you ask for, Barracuda: we were already looking at replacing ours with non-Barracuda hardware, and now that you are saying old gear cannot be updated, all I can say is thank you for making my case to my managers.

| MattGaiser wrote:
| Given that the replacement will be free, doesn't that make your case harder to make?

| katbyte wrote:
| It's certainly not free to arrange getting the new device, swap, reconfigure, and hopefully you have HA to avoid downtime.

| JumpCrisscross wrote:
| > _certainly not free to arrange getting the new device, swap, reconfigure, and hopefully you have HA to avoid downtime_
|
| Compared to migrating to a new vendor?

| thanksgiving wrote:
| It is an email server. You can set up some kind of system that "catches" incoming email while you take your hardware offline and replace it. Your internal users won't be able to send or receive emails, but anyone outside the organization would be none the wiser that your system was down. If you notify ahead of time and can keep downtime to under an hour, will it matter?

| loloquwowndueo wrote:
| Which you would need anyway if you switch to hardware from a different vendor.
| blantonl wrote:
| He's already made up his mind, so he'll probably just leave out this important tidbit when discussing the issue with "management".

| vyst44 wrote:
| Can I ask - which competing devices are you planning to replace these Barracuda email security gateway servers with? Thank you.

| jokowueu wrote:
| They note that "In a statement, Barracuda said it will be providing the replacement product to impacted customers at no cost".
|
| Would you still switch to a non-Barracuda device?

| insanitybit wrote:
| If you have to go through the cost of a replacement anyways - as in, the time and effort to actually do it - the cost of the hardware matters a lot less.

| Urist-Green wrote:
| I suspect there is a higher-level question at play stemming from the "deny" comments. Do you think Barracuda is uniquely vulnerable to these types of threats and, if not, would their competitors make similar efforts to recover?

| veave wrote:
| If this is the mindset of some people, it's no wonder that companies would rather deny the problem and stick their heads in the sand.

| insanitybit wrote:
| The mindset that changing a system out has risks and that engineers'/ops time is very expensive?
|
| I mean, I hear you, it sucks that being honest about the issue is leading to punishment, but rationally this is just how people are going to end up responding. If they really want to avoid this, don't give it to them for free, _pay them_ for it.

| phpisthebest wrote:
| The physical cost of the equipment is often the cheapest part of a deployment.

| shrubble wrote:
| Is it likely they will analyze the firmware on the ones that come back, then wipe them and resell them either through a refurbisher, or even put the new software on the known-good server and use it elsewhere, such as in the datacenter where they have their SaaS offering?

| nubinetwork wrote:
| We know already...
| https://news.ycombinator.com/item?id=36061772
| https://news.ycombinator.com/item?id=36136705
| https://news.ycombinator.com/item?id=36143926
| https://news.ycombinator.com/item?id=36156908
| https://news.ycombinator.com/item?id=36233472
| https://news.ycombinator.com/item?id=36238822
| https://news.ycombinator.com/item?id=36248328
| https://news.ycombinator.com/item?id=36255901
| https://news.ycombinator.com/item?id=36261519
| https://news.ycombinator.com/item?id=36263581
| https://news.ycombinator.com/item?id=36267639

| Prickle wrote:
| I only saw it on Twitter, not here.

| sbierwagen wrote:
| None of those submissions have more than 13 points.

| [deleted]

| throwaway54_56 wrote:
| "We" doing some heavy lifting here.

| DirectorKrennic wrote:
| Ah, the Royal "We".

| dools wrote:
| The editorial

| jokoon wrote:
| Why doesn't the NSA just AUDIT the actual source code of the software that it deems deserving of increased security?
|
| I mean, it's obviously of interest to national security.
|
| They could do that while maintaining the backdoors they want to keep so they can have an edge in cyber warfare.

| hgsgm wrote:
| Why would a vendor give their source code to the NSA to attack and also risk a leak?
|
| The NSA does not protect the public's computers; they attack them.

| EdwardDiego wrote:
| What makes you think this wasn't the NSA?

| r3trohack3r wrote:
| This actually seems great. They're taking the hard path here, admitting the devices are compromised, that the state can't be trusted, and that the machine needs to be tossed. Then they're offering to replace the vulnerable devices.
|
| I'm used to companies taking the "deny, deny, deny" route, and these articles are then written by their community saying the response is insufficient.

(page generated 2023-06-10 23:00 UTC)