=========================================================================
Arcus Security Advisory
=========================================================================
Product: Firewall
Vendor:  Barracuda Networks Inc. [1]
CVE ID:  2014-4123
Subject: Open Redirect [2]
Risk:    Medium
Author:  Stefan Horlacher, Arcus Security GmbH
Date:    2016-01-02
=========================================================================

Description:
------------
One of Barracuda Networks Inc.'s products is their Firewall. The product
suffers from an open redirect vulnerability.

Vulnerable:
-----------
BNF before 6.7.0.

Workaround / Fix:
-----------------
Update to BNF 6.7.0 or newer.

Timeline:
---------
2014-09-16: Vendor notification
2014-11-07: Issue confirmed (Bug Bounty Notification)
2016-01-24: Advisory released

References:
-----------
[1] https://www.barracuda.com
[2] https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards

=========================================================================
Arcus Security GmbH
Sihlquai 253
Postfach
8031 Zurich
Tel.: +41 (0)44 271 44 00
Mail: info at arcus-security dot ch
www.arcus-security.ch
=========================================================================