=========================================================================

Arcus Security Advisory

=========================================================================

Product:  Firewall
Vendor:   Barracuda Networks Inc. [1]
CVE ID:   2014-4123
Subject:  Open Redirect [2]
Risk:     Medium
Author:   Stefan Horlacher, Arcus Security GmbH
Date:     2016-01-02  

=========================================================================

Description:
------------
One of Barracuda Networks Inc products is their Firewall.
The product suffers from an open redirect vulnerability.

Vulnerable:
-----------
BNF before 6.7.0.

Workaround / Fix:
-----------------
Update to BNF 6.7.0 or newer.

Timeline:
---------
2014-09-16: Vendor notification
2014-11.07: Issue confirmed (Bug Bounty Notification)
2016-01-24: Advisory released

References:
-----------
[1] https://www.barracuda.com
[2] https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards

=========================================================================

Arcus Security GmbH

Sihlquai 253
Postfach
8031 Zurich

Tel.: +41 (0)44 271 44 00
Mail: info at arcus-security dot ch
www.arcus-security.ch

=========================================================================