According to Austrian security company SEC Consult, several Barracuda products include a non-documented backdoor. The accounts affected are installed by default and can not be disabled. An attacker could use either SSH, or local console access, to log in using these account.

SEC Consult was able to crack some of the passwords for these accounts using the shadow file. The accounts do also have authorized ssh keys defined, but of course, it would be pretty hard to find the associated private key.

This issue affects various Barracuda products.

Default iptables firewall rules block access to port 22 from public IP addresses. But it appears that certain local networks are free to connect to port 22.

Barracuda published an alert rating this problem as "medium" [2]

[1] https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130124-0_Barracuda_Appliances_Backdoor_wo_poc_v10.txt
[2] https://www.barracudanetworks.com/support/techalerts

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter