Update 4/22/2014: An email was sent to Copy users regarding password security.
Update 4/18/2014: An email was sent to SignNow users regarding password security.
Update 4/18/2014: A tech alert was published regarding the Barracuda Firewall firmware. Click here to view the tech alert.
Update 4/12/2014: For more information about specific products and the Heartbleed vulnerability please see
Please check this page for any updates to other Barracuda products.
Barracuda has released a Tech alert regarding the CVE-2014-0160: OpenSSL heartbleed vulnerability. This tech alert explains the OpenSSL vulnerability and identifies which products were affected. Additionally it lists the specific steps taken by Barracuda to ensure that all web properties, cloud products, and appliances are secure.
The products affected by the OpenSSL vulnerability are,
- Barracuda Web Filter Version 7.0 through 7.1
- Barracuda Message Archiver Version 3.5 and 3.6
- Barracuda Web Application Firewall Version 7.8
- Barracuda Link Balancer Version 2.5
- Barracuda Load Balancer Version 4.2
- Barracuda Load Balancer ADC Version 5.0 through 5.1
- Cudatel Version 3.0 and earlier
- Barracuda Firewall 6.1
- Barracuda Cloud Control
- Barracuda Backup Service
- Barracuda Email Security Service
The Barracuda Spam Firewall, Barracuda SSL VPN, and Barracuda NG Firewall were not affected by the OpenSSL vulnerability.
The entire tech alert is available on our Tech Alert page here and at the end of this post.
If you have any questions regarding the tech alert, please contact our support team at 888-268-4772.
### Full Tech Alert follows ###
Title: Barracuda Networks products and CVE-2014-0160: OpenSSL Heartbleed vulnerability
All Affected Products: Barracuda Web Application Firewall, Barracuda Web Filter, Barracuda Message Archiver, Barracuda Firewall, Barracuda Load Balancer ADC, Barracuda Load Balancer, Barracuda Link Balancer, Cudatel, Barracuda Email Security Service, Barracuda Backup Service, Barracuda Cloud Control, Copy, and SignNow
Risk Rating: High
All Barracuda web properties, cloud products, and appliances are now secured from the OpenSSL heartbleed vulnerability. Barracuda is not aware of any actual exploits of this vulnerability in any of our products or services.
On April 7, 2014 an exploitable vulnerability in OpenSSL was reported by US-CERT/NIST. OpenSSL is widely used in internet infrastructures, and this vulnerability was introduced into OpenSSL in December 2011. The vulnerability is the result of a missing bounds check in the OpenSSL code that handles the TLS 'heartbeat' messages. Someone with malicious intent can exploit this vulnerability by requesting that a running TLS server return up to 64KB of its private memory space. Since this is the same memory space where OpenSSL stores the server's private key material, an attacker can potentially obtain long-term server private keys, TLS session keys, or usernames / passwords. The vulnerability was first introduced in OpenSSL release version 1.0.1 on March 14, 2012. OpenSSL 1.0.1g, released on April 7, 2014, fixes the vulnerability. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 for additional details.
We have been patching and testing our products and services to secure them against this vulnerability, and have been following the internet security industryís recommended procedures.
Securing Appliance Products
∑ We have released updated, secured, versions of all affected products.
∑ On April 11, 2014, Barracuda issued a Security Definition, version 2.1.12177, which secures all affected Barracuda products in the field.
Securing Cloud Services
∑ All Barracuda cloud services: Barracuda Cloud Control, Barracuda Backup Service, Barracuda Email Security Service, Copy, and SignNow have been patched to ensure they are no longer vulnerable. This action was completed on Wednesday, April 9, 2014.
∑ SSL certificates have been re-keyed and re-issued for all services. Old certificates are being revoked.
∑ We are forcibly resetting all browser sessions. Users may have been logged out as a result of this reset. This was a simple and low-impact method to protect any session keys that may have been compromised.
Affected Appliance Firmware Versions:
∑ Barracuda Web Filter Version 7.0 through 7.1
∑ Barracuda Message Archiver Version 3.5 and 3.6
∑ Barracuda Web Application Firewall Version 7.8
∑ Barracuda Link Balancer Version 2.5
∑ Barracuda Load Balancer Version 4.2
∑ Barracuda Load Balancer ADC Version 5.0 through 5.1
∑ Cudatel Version 3.0 and earlier
If any customer has questions or concerns, please contact Barracuda Networks technical support at 408-342-5400
Updated information is available and will be posted as available on Barracudaís product management blog: http://cuda.co/heartbleed