R7-2019-39 | CVE-2019-5648: LDAP Credential Exposure in Barracuda Load Balancer ADC (FIXED)

This post describes CVE-2019-5648, a vulnerability in the Barracuda Load Balancer ADC. A malicious actor who gains authenticated, administrative access to a Barracuda Load Balancer ADC can edit the LDAP service configuration of the balancer and change the LDAP server to an attacker-controlled system without having to re-enter the LDAP credentials. This lets any authenticated administrative user expose the LDAP credentials configured in the LDAP connector over the network to a system they control.
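The root cause above is a stored secret that is not bound to the endpoint it was entered for. The following added example (not Barracuda's code; the `LdapConfig` model and field names are constructed for illustration) contrasts that configuration-update pattern with a hardened one that refuses to carry a bind password over to a different LDAP server unless it is re-entered.

```python
"""Added example, not Barracuda's code: the configuration-change pattern
behind CVE-2019-5648 beside a hardened alternative. LdapConfig and its
field names are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class LdapConfig:
    server_url: str            # e.g. ldaps://ldap.example.internal:636
    bind_dn: str
    bind_password: Optional[str]


def update_vulnerable(cfg: LdapConfig, new_server_url: str) -> LdapConfig:
    """Pattern described in the advisory: the server is changed while the
    stored bind credentials are silently carried over, so the next bind
    sends them to whatever host the administrator entered."""
    return replace(cfg, server_url=new_server_url)


def _endpoint(url: str) -> Tuple[str, Optional[str], int]:
    """Normalise a URL to (scheme, host, port) so cosmetic changes such as
    adding the default port are not mistaken for a new destination."""
    p = urlparse(url)
    default_port = 636 if p.scheme == "ldaps" else 389
    return (p.scheme, p.hostname, p.port or default_port)


def requires_reentry(cfg: LdapConfig, new_server_url: str) -> bool:
    """True when the new URL points at a different endpoint than the one
    the stored password was entered for."""
    return _endpoint(new_server_url) != _endpoint(cfg.server_url)


def update_hardened(cfg: LdapConfig, new_server_url: str,
                    reentered_password: Optional[str] = None) -> LdapConfig:
    """Bind the secret to its endpoint: changing scheme, host or port
    requires the password to be supplied again, so an existing secret is
    never sent to a destination it was not configured for."""
    if requires_reentry(cfg, new_server_url):
        if reentered_password is None:
            raise PermissionError(
                "LDAP server changed; the bind password must be re-entered")
        return LdapConfig(new_server_url, cfg.bind_dn, reentered_password)
    return replace(cfg, server_url=new_server_url)
```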


CVE-2019-5648 is categorized as CWE-522 (Insufficiently Protected Credentials), and has a base CVSSv3 score of 8.7 (High).


Patches for CVE-2019-5648 have been distributed as security updates through the Barracuda patch management system. No user action is required unless security updates have been intentionally disabled. The patches will also be included in firmware version 6.5, which is scheduled for release in April 2020. As a general practice, users should periodically visit the Advanced -> Firmware Update page to ensure that the most recent firmware is installed.


Barracuda Load Balancer product description


The Barracuda Load Balancer ADC (hardware model 440Vx) is a high-performance load balancer intended to optimize and accelerate application delivery, as well as provide DLP and other security mechanisms. It can be deployed on-premises or in AWS, and is commonly used to build out scalable application infrastructure by a variety of organizations. More information about the device is available