News Feed

Latest end user interface on React platform now available with advanced authentication. The new interface is continually being rolled out to end users. For more information, see Email Gateway Defense New User Interface User Guide and Viewing and Changing Consent Policies in the Azure Portal.

On September 5,2023 Cloud Service Update for SecureEdge has been released. We are happy to announce that this release introduces syslog streaming and Barracuda XDR capabilities for SecureEdge. Also, includes user authentication during enrollment of SecureEdge Agents and improved Web Filter user experience.

For more information on syslog streaming, see How to Configure Syslog Streaming in SecureEdge.
For more information on XDR - SecureEdge integration, see How to Configure Barracuda XDR in SecureEdge.

Release and migration notes for Barracuda Secure Connector FSC 3.0 are now available online.

• FSC 3.0 firmware supports Barracuda Secure Connector 3.x and 2.x
• FSC 3.0 can be used in a SecureEdge environment.

Check out the release notes for details on improvements and fixes for FSC 3.0: https://campus.barracuda.com/doc/99620326

Our self-paced and instructor-led training courses for Barracuda Email Protection have received an update. All course materials now include the Zero Trust Access feature.

Find out more here: https://campus.barracuda.com/product/emailprotection/learn/

The self-paced training videos and the materials for instructur-led training courses for Barracuda Web Application Firewall have been updated to reflect the latest firmware 12.1

• Updated logging hands-on demo to showcase the improved logging pages and predefined filters
• Time based rules are can now be added to content and allow / deny redirect rules,  
• Updated Bot Protection section and added new hands-on demos on Form Spam and Client Proflies & Resc Scores

You can find the updated training courses here:

https://campus.barracuda.com/product/webapplicationfirewall/learn/

Our self-paced and instructor-led training courses for Barracuda Email Protection have received an update. All course materials now include the Data Inspector feature.

Find out more here: https://campus.barracuda.com/product/emailprotection/learn/

In order to prevent the impersonation of our trusted brand and avoid any confusion and risk for our customers, Barracuda Networks is taking steps to harden our email-sending domains to enforce DMARC policy. This important measure will prevent the potential threat of an adversary looking to impersonate Barracuda Networks to cause any harm to our customers. 

As we implement this control, we advise all our customers to change their notification email address and the SMTP server setting (where applicable) on their Barracuda Networks appliance(s) to use their domain/email address instead of 'Barracuda'. Please do so to ensure your email provider accepts your notification emails from your Barracuda Networks appliance. 

See How to Update Your Notification Email Addresses for instructions.

We are pleased to announce availability of the Barracuda Network Access Client 5.3.3 for Windows which includes the following improvements:

• VPN service no longer crashes when disconnected from VPN. (BNNGF-87586, BNNGF-86895)
• Network routes are now introduced correctly if Automatic Private IP Addressing (APIPA) is disabled. (BNNGF-87284)
• Network routes are now introduced appropriately if prior VPN connection was not terminated correctly. (BNNGF-89196)
• Installation of Credential Provider on ARM64 is now working correctly. (BNNGF-89565)
• Packets with incomplete/malformed IP header are no longer sent through VPN tunnel. (BNNGF-89555)

For more information please consult the release notes on Barracuda Campus.

We are happy to announce the release of firmware 8.3.2 containing numerous improvements.

For further information please consult the release notes as well as the migration notes on BarracudaCampus.

With CloudGen Firewall version 8.3.2 and 9.0.0 the new VFC model series for Barracuda CloudGen Firewall are now general available by May-01-2023. The new models fit for all platforms and make deployments in the cloud and/or virtual infrastructure much easier and more flexible.

The modern VFC model structure offers 6 sizes from 1 up to 48 cores without any further limitations regarding protected IPs, or number of computer users. VFC models are available as standard single appliance license or as enterprise license in conjunction with Firewall Control Center.

All platforms remain supported, thus the new BYOL VFC licensing can be used for:

The  VFC offering contains two Plans as our main offering, but a-la-carte remains available.

Premium Support can always be added-on optionally.

More detailed information can be found on the Barracuda website and campus.

Please contact your Barracuda Sales representative nearby, our renewals, or support team for further information.

We are happy to announce the release of CloudGen Firewall 9.0 containing over 200 innovations and improvements.

Some of the release highlights are:

• New user and file content policies
• HTTP/2 support
• Automated backups
• Automated security updates
• Support for virtual MAC addresses

For futher information please consult the release notes on BarracudaCampus.

On Feb 15th 2023, critical RCE Vulnerability was discovered in ClamAV Open Source Antivirus Software.

Following Barracuda Networks AppSec products are affected. 

1. Barracuda Web Application Firewall 
2. Load Balancer ADC    
3. Barracuda Web Application Firewall-as-a-Service

Barracuda Networks will be rolling out the fix via virusdef mechanism for the abovementioned products.

Please check Barracuda Trust Center  for details. 

Also, for any further clarification please reach out to Barracuda Support Team. 

Barracuda Networks: Following AppSec portfolio product-lines are vulnerable to the below mentioned CVE's, and the subsequent section details their identified effect.

1. Barracuda Web Application Firewall
2. Barracuda Web Application Firewall-as-a- Service
3. Barracuda Load Balancer ADC.

CVE Impact

• CVE-2023-0286 (High)          -  Impacts customers using CRL's
• CVE-2022-4304 (Moderate) - Affects deployment using RSA based ciphers
• CVE-2023-0215 (Moderate) - Affected as per vendor advisory
• CVE-2022-4450 (Moderate) - Affected as per vendor advisory
• CVE-2022-4203 (Moderate) –No effect as per available data 
• CVE-2023-0216 (Moderate) – No effect as per available data
• CVE-2023-0217 (Moderate) – No effect as per available data
• CVE-2023-0401 (Moderate) – No effect as per available data

WAF, WAFaaS, and ADC Advisory

We will be rolling out fix. Meanwhile for manual application of the fix, please get in touch with Barracuda Support Team.

Details:

• CVE-2023-0286: A type confusion vulnerability was found in OpenSSL when OpenSSL X.400 addresses processing inside an X.509 GeneralName. When CRL checking is enabled (for example, the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or cause a denial of service.
• CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficient to recover a ciphertext across a network in a Bleichenbacher style attack.
• CVE-2022-4203: A flaw was found in Open SSL. A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking.
• CVE-2023-0215: A use-after-free vulnerability was found in OpenSSL's BIO_new_NDEF function.
• CVE-2022-4450: A double-free vulnerability was found in OpenSSL's PEM_read_bio_ex function.
• CVE-2023-0216: A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. This may result in an application crash which could lead to a denial of service.
• CVE-2023-0217: A flaw was found in OpenSSL. An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function, most likely leading to an application crash.
• CVE-2023-0401: A NULL pointer vulnerability was found in OpenSSL, which can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data.

Severities: High

Barracuda Networks: Barracuda CloudGen Firewall firmware versions 8.0.x, 8.2.x and 8.3.x as well as Barracuda CloudGen WAN firmware versions 8.3.0 and higher are vulnerable to the mentioned OpenSSL vulnerabilites.

The respective hotfixes for immediate mitigation are available here:

CGF 8.0.6 - fixing CVE-2023-0286, CVE-2022-4304 and CVE-2023-0215
CGF 8.2.2 - fixing CVE-2023-0286, CVE-2022-4304, CVE-2023-0215 and CVE-2022-4450
CGF 8.3.1 - fixing CVE-2023-0286, CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217 and CVE-2023-0401

Important Notice:

If you install hotfix 1090 on 8.0.6 and update to 8.2.2 you will have to install hotfix 1091 afterwards to re-apply the fixes.
If you install hotfix 1091 on 8.2.2 and update to 8.3.1 you will have to install hotfix 1092 afterwards to re-apply the fixes.

We have published an update for our CGA01 - Barracuda CloudGen Access - Foundation series of training videos.

The videos are now reflecting version 2.0 of of CloudGen Access and cover new features like:

• CloudGen Access Policies
• Application Catalog
• SaaS Application Resources

You can find the updated training series here.

CVE: CVE-2022-41080  | CVSS: 9.8 | Severity: Critical

Description: CVE-2022-41080 vulnerability was discovered in MS Exchange servers 2013, 2016, and 2019. While ProxyNotShell exploit chain used CVE-2022-41040 (SSRF) vulnerability in the Autodiscover endpoint of MS Exchange, and the newfound OWASSRF exploit chain uses CVE-2022-41080 to achieve privilege escalation via MS Exchange Servers.

Barracuda Networks : Barracuda Web Application Firewall and Barracuda Web Application Firewall as a Service ( WAFaaS ) and Barracuda Load balancer ADC are not vulnerable to the said CVE.

Fix Update:

The fix will be pushed via attackdef for Barracuda Web Application Firewall and Barracuda Load Balancer ADC. 

Barracuda WAF-as-a-service accounts will be updated for the definition automatically.

It is advised to watch out for false positives from this pattern and to contact Barracuda Networks Technical Support as required.