=========================================================================
Arcus Security Advisory
=========================================================================

Product:  Web Application Firewall
Vendor:   Barracuda Networks Inc. [1]
CVE ID:   2014-4121
Subject:  Authentication Bypass [2]
Risk:     High
Author:   Stefan Horlacher, Arcus Security GmbH
Date:     2016-01-02

=========================================================================

Description:
------------
One of Barracuda Networks Inc.'s products is the Web Application Firewall.
The product suffers from an authentication bypass vulnerability.

Vulnerable:
-----------
BNWF before 8.0.0.

Workaround / Fix:
-----------------
Update to BNWF or newer.

Timeline:
---------
2014-09-12: Vendor notification
2014-11-07: Issue confirmed (Bug Bounty Notification)
2016-01-24: Advisory released

References:
-----------
[1] https://www.barracuda.com
[2] https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management

=========================================================================
Arcus Security GmbH
Sihlquai 253
Postfach
8031 Zurich

Tel.: +41 (0)44 271 44 00
Mail: info at arcus-security dot ch
www.arcus-security.ch
=========================================================================