The full security advisory is here:
Some industry reaction:
According to SEC Consult, however, the security definitions update still leaves three accounts on all devices -- cluster, remote, root -- which Barracuda told it are "essential for customer support and will not be removed." But SEC Consult warned that the password for the "root" account can be cracked, if it isn't sufficiently strong, and noted that although only Barracuda possesses the private key for the passwords for the "cluster" and "remote" accounts, this is a security problem. "This still leaves considerable risks to appliances as the password for the 'root' user might be crackable and the relevant private keys for the 'remote' user might be stolen from Barracuda Networks," said SEC Consult. "In secure environments it is highly undesirable to use appliances with backdoors built into them. Even if only the manufacturer can access them."
Security Week repeats mostly the same news.
The Register is characteristically sharp-tongued:
Backdoor root login found in Barracuda gear - and Barracuda is OK with this; Hidden accounts 'needed for remote tech support'
Remote tech support is hard work, as is systems security.