The Barracuda Spam Firewall has been renamed the Barracuda Security Gateway.

Transcription

1 Before installing any firmware version, back up your configuration and read all release notes that apply to versions more recent than the one currently running on your system. Do not manually reboot your system at any time during an update, unless otherwise instructed by Barracuda Networks Technical Support. Depending on your current firmware version and other system factors, updating can take up to 10 minutes. If the process takes longer, please contact Barracuda Technical Support for further assistance. Before upgrading, BE SURE TO TAKE THE BARRACUDA SECURITY GATEWAY OFFLINE. This will ensure that the inbound queue is emptied and all messages are scanned before the update process begins. See the BASIC > Administration page for the Offline button. Updating to Version 8.x WARNING: After clicking the Apply Now on the ADVANCED > Firmware Update page, the progress bar may appear to time out and the administrator may need to manually return to the login screen after 5 minutes if it doesn't load automatically in the browser. Firmware Version 8.0 What's New in Version 8.0 The Barracuda Spam Firewall has been renamed the Barracuda Gateway. Barracuda Exchange Antivirus Agent The Barracuda Exchange Antivirus Agent no longer supports Microsoft Exchange Server See How to Get and Configure Barracuda Exchange Antivirus Agent 8.x for details. Fixed in Version 8.0 Version Fixed bug affecting mail processing after upgrading the firmware. [BNSF-26691] Version Barracuda Outlook Add-in Enhancement: Added support for TLS 1.1 and TLS 1.2. [BNSF-25586] Notifications Enhancement: The system administrator and recipient can receive notifications when a message is blocked due to a virus. Configure on the ADVANCED > Bounce/NDR Settings page. [BNSF-25486] Improved spam scanning. [BNSF-26591] 1 / 23

2 Version Barracuda Exchange Antivirus Agent Feature: Added support for Microsoft Exchange Fix: A Welcome is not sent when a new user account is created due to a quarantined . [BNSF-25904] High severity vulnerability: authenticated, remote code injection [BNSEC-6613 / BNSF-25407] High severity vulnerability: unauthenticated, remotely exploitable, code injection [BNSEC-6223 / BNSF-24618] High severity vulnerability: remotely exploitable, buffer overflow [BNSEC-2012 / BNSF-24897] Medium - High severity vulnerability: unauthenticated, remotely exploitable, denial of service (DoS), ssl weakness [BNSEC-7107 / BNSF-25937] Medium - High severity vulnerability: unauthenticated, remotely exploitable, limited HTML content control, XSS delivered outside of the web based interface [BNSEC-6227 / BNSF-24635] Medium - High severity vulnerability: unauthenticated, remotely exploitable [BNSEC-6225 / BNSF-24621] Medium severity vulnerability: non-persistent XSS [BNSEC-2678 / BNSF-23507] Version Enhancement: Mail with Microsoft Office attachments that contain macros can be blocked. [BNSF-23786] Resolved issue which prevented the Dashboard from displaying during update server outages. [BNSF-25934] Resolved issue preventing access to ADVANCED > Energize Updates and ADVANCED > Firmware Update pages when the Barracuda Gateway was offline. [BNSF-25929] Barracuda Exchange Antivirus Agent Enhancement: The Barracuda Exchange Antivirus Agent supports Microsoft Exchange Server [BNSF-25828] Version Enhancement: Improved Sender Spoof Protection efficiency. [BNSF-25835] Resolved issue which could cause excessive system load. [BNSF-25831, BNSF-25884] Resolved issues with malformed headers causing incorrect parsing. [BNSF-25836, BNSF-25838] Resolved issue with Multi-Level Intent Analysis. [BNSF-25907] Clustering Improved handling of Standby mode in a clustered system. [BNSF-25797] 2 / 23

3 Version Outbound messages from whitelisted IP addresses are now properly checked for encryption if encryption is enabled. [BNSF-25732] Links in the BASIC > Message Log message view page now work properly. [BNSF-22345] Version Outbound messages from whitelisted IP addresses are now properly checked for encryption if encryption is enabled. [BNSF-25732] Version Improved attachment filtering/detection. [BNSF-25491] Version Downloading a PDF file attached to a message from the Message Log through BAC/BCS works as expected. [BNSF-25536] Attachment filtering blocks correctly even if MIME type encoding is not formatted correctly. [BNSF-20598] Messages received by the Barracuda Gateway which are just under the maximum message size are processed properly and are not blocked. [BNSF-25500] When the From header of a message has an unusual format, the unit does not time out when attempting to deliver the message from the user's quarantine inbox. [BNSF-25254] SMTP over TLS for outbound mail works as expected, the mail queues and delivers properly and the logs do not indicate errors. [BNSF-25437] Outbound quarantine s with multi-line From headers due to UTF8 are delivered as expected. [BNSF-25309] Notifications The Barracuda Gateway no longer sends out notifications that state "Encrypted unable to be delivered" for s that trigger encryption policies and have a blank sender. [BNSF-17895] Alert announcing that Energize Updates subscription is about to expire is now branded correctly as Barracuda Gateway. [BNSF-25615] NDRs are not rejected by some mail servers, including O365, if they don't include a valid From header. [BNSF-25612] The Configuration Updated message only shows on web interface pages as needed. [BNSF-25566] Street Address and Driver's License information in s trigger Privacy policies as expected. [BNSF-24772] When specifying a filename for an attachment content filter, the pattern specified (filename= <example_filename>) works when there is a space between the "= " and the filename. [BNSF-25491] Fix: resolved the following vulnerabilities: 3 / 23

4 Version High severity vulnerability: persistent XSS, authenticated [BNSEC-6504 / BNSF-25215, BNSEC-4551 / BNSF-22345] Enhancement: Improved performance of IP Whitelisted and outbound message scanning. [BNSF-23352, BNSF-24293] Enhancement: Improved street address and driver's license detection. [BNSF-24388] Enhancement: Improved error handling for 'full disk' condition. [BNSF-24622] Enhancement: Added macro support for SPF records with macros. [BNSF-24659] Enhancement: Improved general performance of mail scoring and attachment scanning. [BNSF-24473] Enhancement: General improvements in PDF processing capabilities. [BNSF-24846] Enhancement: Improved HIPAA and Credit Card data detection. [BNSF-25026, BNSF-25028] Fix: Updated internal scanning processes to improve stability. [BNSF-21928, BNSF-24241, BNSF-25268] Fix: Resolved intermittent PTR detection issue. [BNSF-24546] Fix: Users who lack a mail attribute in LDAP are now properly quarantined. [BNSF-25136] Fix: LDAP Alias re-writing no longer rewrites the "To" header. [BNSF-25141] Fix: Lines exceeding 990 characters are no longer broken in multiple places. [BNSF-25206] Enhancement: Administrative ACLs can be temporarily removed through the Console Administrator with the System > Reset Administrator IP/Range selection. [BNSF-23352] Enhancement: Invalid username and password attempts are now logged to the Web Syslog. [BNSF-24629] Enhancement: Improved performance of bulk classification of Spam/Not Spam. [BNSF-25000] Enhancement: Messages with unknown character sets are now treated as UTF-8. [BNSF-25086] Enhancement: Updated Japanese help file translations. [BNSF-25088] Enhancement: Improved web interface load times in general, and especially for BASIC > IP Configuration. [BNSF-25193, BNSF-25199] Fix: Message viewer Download and Delivery buttons now show properly for all window sizes. [BNSF-24177] Fix: Miscellaneous web interface improvements. [BNSF-24300, BNSF-24381] Fix: New user quarantine links now work properly. [BNSF-24404] Fix: Users with an '&' in the name can now view the Quarantine Inbox. [BNSF-24764, BNSF-24961] Fix: Outbound Quarantine actions no longer result in an error page. [BNSF-24858] Fix: Invalid users can be removed. [BNSF-24860] Fix: Randomization has been improved for password generation. [BNSF-24995] Fix: The details for messages blocked without message bodies can now be viewed on all systems in a cluster. [BNSF-24973, BNSF-25053] Reporting Fix: Fixed display of erroneous 'Permission denied'. [BNSF-24600] Fix: LDAP Failure Notifications are no longer triggered by outdated logs. [BNSF-25180] Encryption Fix: Replies to encrypted s are now archived. [BNSF-24496] Virtualization Enhancement: Tuned database configuration for Microsoft Azure, Amazon AWS, and VMWare vcloud Air. [BNSF-24836] 4 / 23

5 Barracuda Outlook Add-in Fix: Resolved issue preventing Add-in authorization for some usernames. [BNSF-23766] Fix: Resolved issue which could cause the Add-in to appear in the wrong window. [BNSF-24585] Fix: The Add-in can now be used from an IP address in the Administration ACL IP Range. [BNSF-24759] Fix: resolved the following vulnerabilities: High severity vulnerability: authenticated, remotely exploitable, arbitrary command execution [BNSEC-5205 / BNSF-23281] High severity vulnerability: unauthenticated, remotely exploitable, brute force, [BNSEC-5204 / BNSF-23282] High severity vulnerability: remotely exploitable, privilege escalation [BNSEC-5203 / BNSF-23285] Medium severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4622 / BNSF-24136] Medium severity vulnerability: non-persistent XSS, authenticated [BNSEC-3880 / BNSF-21745] Medium severity vulnerability: authenticated, insufficient authorization [BNSEC-2659 / BNSF-22336] Low severity vulnerability: non-persistent XSS, authenticated [BNSEC-2055 / BNSF-21775] Low severity vulnerability: Some non-persistent cross-site scripting vulnerabilities have been fixed. [BNSEC-877 / BNCMN-132] Low severity vulnerability: non-persistent XSS, authenticated [BNSEC-228 / BNSF-18340] [BNSF-22345], [BNSF-25215] Firmware Version 7.1 What's New in Version 7.1 The Microsoft IE browser is supported for version 9 and above. Barracuda Exchange Antivirus Agent The new Barracuda Exchange Antivirus Agent 7.1 runs as a Windows service on your Microsoft Exchange 2013 server and enables it to scan for viruses. From the ADVANCED > Exchange Antivirus page you can download the agent and view associated statistics after it is installed and running. You can also click a link on the page to view the Barracuda Exchange Antivirus Agent release notes. This version of the agent only supports Microsoft Exchange Server If you are using versions 2007 or 2010 of Exchange Server, you can download the Barracuda Exchange Antivirus Agent 6.0.x from the ADVANCED > Exchange Antivirus page. The Barracuda Exchange Antivirus Agent no longer supports Microsoft Exchange Server See How to Get and Configure Barracuda Exchange Antivirus Agent 7.1 and Above for details. Cloud Control Support for Domain Administration and Users management - Barracuda Cloud Control now supports managing domains and users. Administrators will have the ability to navigate between domains and users within Barracuda Cloud Control. 5 / 23

6 Fixed in Version 7.1 Version Note: This release removes LED mail determination flash indicators on the front panel to improve performance. Enhancement: Improved detection of stuck mail processing. [BNSF-24498] Enhancement: Removed the SSLv2 protocol and EXPORT and LOW strength ciphers. Improved set of ciphers as specified in ADVANCED > Protocol > SMTP over TLS/SSL > Allow Weak Ciphers. [BNSF-25283] Fix: Resolved issue on newer models where messages may not appear in the Message Log. [BNSF-23371] Fix: Resolved issue in which some Domain Administrators and Helpdesk Users who could not view messages. [BNSF-23920, BNSF-24892] Reporting Fix: LDAP Failure Notification report now includes an attachment with additional information for troubleshooting. [BNSF-17538] Encryption Fix: Resolved issue that could sometimes send duplicate s when replies were sent to encrypted s through the Barracuda Message Center. [BNSF-23969] Fix: resolved the following vulnerabilities: Medium severity vulnerability: Update OpenSSL to address CVE (commonly known as "DROWN") and CVE [BNSEC-6568 / BNSF-25307] Version Cloud Control Fix: Resolved condition which could prevent connection to Barracuda Cloud Control after firmware upgrade or upon the first connection. [BNSF-24814] Barracuda Exchange Antivirus Agent Enhancement: Added support for Microsoft Outlook Version Enhancement: Improved scanning for s with large attachments. [BNSF-23864] Enhancement: Improved attachment processing for malformed attachments. [BNSF-24245] Fix: Resolved rare condition where per-user quarantining would still take affect when disabled. [BNSF-22343] 6 / 23

7 Enhancement: Use numeric sorting for Size column on Advanced > Queue Managment page. [BNSF-19427] Enhancement: Updated Japanese help file translations. [BNSF-24598] Fix: Resolved condition where some Product Tips would not stay hidden. [BNSF-24583] Barracuda Outlook Add-in Enhancement: Support for MS Outlook Version Enhancement: Improved SPF checks for complex records. [BNSF-23979] Enhancement: Resolved case sensitivity with redirection checks. [BNSF-23979] Enhancement: Improved DLP detection. [BNSF-24186] Fix: Resolved case sensitivity issue with SPF and redirection checks. [BNSF-23876, BNSF-24102] Fix: Messages no longer have the global footer attached if Attach Footer is set to No on the ADVANCED > Outbound Footers page at the domain level. [BNSF-24148] Enhancement: Messages that are blocked for intent now contain a link to whitelist the sender. [BNSF-24372] Enhancement: Updated Japanese translations. [BNSF-23486] Enhancement: Messages that are allowed for reg now contain a link for reporting reg abuse. [BNSF-24373] Enhancement: Improved appearance for popups in Firefox and Internet Explorer. [BNSF-23986] Enhancement: Improved performance of data entry for pages containg large amounts of data. [BNSF-24152] Enhancement: Improved display of Exchange Antivirus data with multiple Exchange Servers. [BNSF-24220] Enhancement: Improved handling of message bodies for Bayesian classification. [BNSF-24368, BNSF-24370] Fix: Marking messages as Spam/Not Spam in the Message Log is now reflected properly on all units in a cluster. [BNSF-9564, BNSF-22576] Fix: Resolved an issue where users sometimes could not deliver or delete quarantine messages. [BNSF-22902] Fix: Clicking action links on the BASIC > Outbound Quarantine page at the domain level no longer redirects to the Dashboard. [BNSF-23840] Fix: Message Log now shows correct Delivery Status for all messages in a cluster. [BNSF-23897] Fix: The State filter on the ADVANCED > Queue Management page now correctly applies for non- English languages. [BNSF-23917] Fix: Changes to the BLOCK/ACCEPT > Recipient Filters page now take immediate effect on all units in a cluster. [BNSF-24089] Fix: Resolved issue where sometimes the Delivery Status in the Message Log would not show correct information. [BNSF-24096] Fix: Messages can now be viewed on all units in a cluster. [BNSF-24140] Fix: Fixed issue with taking action on quarantined mail in clusters consisting of 3 or more units. [BNSF-24207] Fix: Fixed display of usernames with special characters. [BNSF-24253] Fix: Fixed issue where new units may not show initial messages in the Message Log. [BNSF-24309] Fix: Attachments are again displayed for the end user quarantine. [BNSF-24367] Fix: Domain administrators can now view messages in the Message Log. [BNSF-24374] 7 / 23

8 Fix: Help dialogs now show correct titles for multi-byte/high-ascii encoding. [BNSF-24376] Backup Fix: Restoring a backup to a virtual machine no longer overwrites the license token. [BNSF-23846] Fix: resolved the following vulnerabilities: BNSEC-877, BNCMN-132: fix, low severity. Some non-persistent cross-site scripting attacks have been fixed. Version Fix: Resolved issue where statistics did not display in Barracuda Appliance Control after Barracuda Gateway was rebooted. [BNSF-24079] Fix: End users can now log in if the Barracuda Gateway cannot check subscriptions, such as when the internet is unavailable. [BNSF-24122] Version Fix: Messages containing hostnames that are IP addresses in messages are correctly processed. [BNSF-21784, BNSF-23457] Enhancement: Updated translations. [BNSF-23792, BNSF ] Enhancement: General web interface enhancements in font, color, and styling. [BNSF-23167, BNSF-23169, BNSF-23171] Enhancement: Improved display of Barracuda Exchange Antivirus Statistics. [BNSF-23791] Fix: Resolved issue regarding Single Sign-On with LDAP hosts with IPv4 and IPv6 addresses. [BNSF-21422] Fix: Online Help Search in Firefox correctly supports the Japanese IME keyboard. [BNSF-23116] Fix: On the BASIC > Outbound Quarantine page, taking actions with messages such as Delete, Reject or Deliver no longer clear the search filters. [BNSF-23134] Fix: Message Log buttons and icons for IE 9 render correctly. [BNSF-23882] Fix: When using Single Sign-On (SSO) with an LDAP Server Type of Other (see the USERS > LDAP Configuration page for a domain), the Barracuda Gateway now only uses the userprovided filter for an LDAP search, preventing a timeout. [BNSF-23996] Fix: Admin, Domain Admin and Helpdesk roles can now deliver user quarantined messages from the Quarantine inbox when the locale is Multibyte. [BNSF-24062] Fix: Report data displayed with the Show Report function now matches the data in the ed report, as the Show Report function now uses local time for the Date Range as opposed to UTC time. [BNSF-24004] Barracuda Exchange Antivirus Agent Enhancement: Barracuda Exchange Antivirus Agent 7.1 verifies signature integrity prior to loading the signatures. [BNSF-21154] Fix: resolved the following vulnerabilities: High severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4672 / 8 / 23

9 BNSF-22625] High severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4670 / BNSF-22626] High severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4669 / BNSF-22624] Firmware Version 7.0 What's New in Version 7.0 Updated the Barracuda Gateway web interface with a new color scheme to be consistent with the look and feel with other Barracuda products. There are no navigation changes. New login security feature: If the user login fails 5 times, there is a 15 minute wait period before making another login attempt. The BASIC > Status page has been renamed to BASIC > Dashboard. Improved Performance and Mail delivery now supports connection caching, thereby reducing the amount of network traffic as well as load on destination mail servers. TLS support is improved and now provides: Better fallback negotiation Wildcard support for requiring TLS to destination domains and sub-domains Certificate validation Barracuda Gateway Vx virtual machines now show the core capacity and usage on the BASIC > Dashboard page. Fixed in Version 7.0 Feature: SMTP response codes for rejected messages can now be customized on the ADVANCED > SMTP Responses page. [BNSF-20867] Enhancement: Added support for Recipient Addresses which include address tagging. See Recipient Delimiter on the ADVANCED > Protocol page for more information. [BNSF-7518] Enhancement: Outbound mail now supports connection caching to destination mail servers. [BNSF-18823] Enhancement: Updating a per-domain recipient whitelist now takes immediate effect, no longer requiring a Reload. [BNSF-19025] Enhancement: Improved TLS fallback and detection behavior. [BNSF-19178] Enhancement: The setting for Require Encrypted TLS relaying to these destination servers now supports domain names, and wildcards, rather than specific servers. Click the Help button on the domain level ADVANCED > Protocol page for more information. [BNSF-19640] Enhancement: Requiring TLS to a destination domain now supports certificate validation instead of checking the hostname. [BNSF-19807] Fix: Fixed issue where mail could intermittently stop processing. [BNSF-14626] Fix: Outbound mail delivery no longer attempts to use IPv6 if the system is configured to only use IPv4. [BNSF-19703] Fix: Mail which bounced (return notification) due to an un-reachable server no longer shows as Deferred in the Message Log. [BNSF-19347] Fix: Comma delimiters separating destination mail servers now correctly enable load balancing. [BNSF-19397] Fix: Load balancing mode now properly handles fail-over if the attempted destination mail server is unreachable. [BNSF-19398] 9 / 23

10 Fix: Certain attachment types no longer cause an error when adding footers to s. [BNSF-21580] Fix: SPF outbound checks now properly handles private IP addresses and relays between Barracuda Gateways. [BNSF-21586, BNSF-22010] Fix: Barracuda Reputation and RBL IP Exemption Ranges now work as expected with Trusted Forwarders. [BNSF-22623] Fix: Multiple messages in a single session with invalid recipients no longer works with whitelisting as expected. [BNSF-22478] Fix: Outbound s no longer erroneously include footers configured for other domains if a system wide footer is not configured. [BNSF-22495] Fix: Inbound mail are no longer incorrectly caught by Predefined credit card filters when the Link Domains feature is used and the primary domain is not fully configured. [BNSF-22874] Enhancement: Viewing a message now records the event in Web Syslog (see ADVANCED > Troubleshooting). [BNSF-7402] Enhancement: The addition of users now verifies that the domain exists on the Barracuda Gateway before adding a user for that domain. [BNSF-20188] Enhancement: Updated translations. [BNSF-22551, BNSF-22707] Enhancement: Support for recently changed time zone/daylight savings times including Moscow and Fiji. [BNSF-22854] Fix: Message Log search filter now properly clears OR conditions when removed from the filter. [BNSF-21295] Fix: Online Search now properly works when HTTPS/SSL Access Only is enabled. [BNSF-21682] Fix: Deleting all displayed s from the Quarantine Summary Digest now properly deletes the quarantined s from the system. [BNSF-22742] Fix: Helpdesk users can now see headers when Helpdesk users are allowed by the administrator to view headers. [BNSF-22791] Fix: Downloading an attachment from the Outbound Quarantine no longer forces a logout. [BNSF-22817] Backup Enhancement: Added support for FTPS. [BNSF-2658] Enhancement: Added support for NTLMv2 on ADVANCED > Backup. [BNSF-22061] Enhancement: Improved reliability and compatibility with SMB targets for backup. [BNSF-22270] Fix: FTP PASV detection works for legacy restores. [BNSF-22678] Fix: resolved the following vulnerabilities: Medium severity vulnerability: non-persistent XSS, authenticated [BNSEC-4544 / BNSF-22332] Medium severity vulnerability: non-persistent XSS, authenticated [BNSEC-4528 / BNSF-22334] Medium severity vulnerability: authenticated, security control bypass [BNSEC-3246 / BNSF-21595] Low severity vulnerability: non-persistent XSS, authenticated [BNSEC-4531 / BNSF-22333] Version Fix: Resolved issue with connecting to recipient servers when Enable SMTP over TLS/SSL is turned on (see the ADVANCED > Protocol page). Firmware Version 6.1 What's New in Version / 23

11 Categorization This feature gives administrators an additional way to decide what to do with various types of s from senders on the Barracuda Reputation Whitelist. These s are separated into different categories such as Transactional, Corporate and Marketing, each of which can have a different delivery action associated with it. Extended Malware Protection (Available on model 600 and higher) An additional layer of deep message scanning is available as Extended Malware Protection leveraging a third-party scanner. This feature is only available with a subscription. Contact your local Barracuda Networks Sales Reseller to purchase this subscription. Barracuda Outlook Add-in (Available on some models) Note: To run version of the Barracuda Spam Firewall firmware, you must update your Barracuda Outlook Add-in to version or later (see the USERS > User Features page). Fixed in Version 6.1 Version Fix: Resolved issue with connecting to recipient servers when Enable SMTP over TLS/SSL is turned on (see the ADVANCED > Protocol page). Version Fix: Resolved issue with rare cases of some charts on the BASIC > Status page not rendering correctly. [BNSF-22184] Fix: TLS 1.1 and 1.2 remain available when SSLv2 and SSLv3 are disabled. [BNSF-22876] Version Virtualization Feature: Added support for hourly billing virtual deployment in Microsoft Azure. [BNSF-22841] Version Fix: SSLv3 is disabled by default in the web interface to mitigate CVE (SSL POODLE). [BNSF-22788] Enhancement: New setting on ADVANCED > Protocol page to allow or disallow SSLv2 and SSLv3 for incoming SMTP connections. Setting to Yes provides for greater compatibility with older mail servers. Set to No to mitigate the recently reported SSL POODLE [CVE ] issue. [BNSF-22788] Fix: Resolved an issue in the encryption module that affected transmission of outbound messages over a TLS connection to some types of mail servers. [BNSF-22782] 11 / 23

12 Version Feature: Added support for Perfect Forward Secrecy in the following two scenarios: [BNSF-21503] When sending SMTP traffic over a TLS connection. To configure SMTP over TLS, see Enable SMTP over TLS/SSL on the ADVANCED > Protocol page. When using HTTPS access for the Barracuda Spam Firewall web interface. This requires using properly configured SSL certificates. See the ADVANCED > Secure Administration page to configure certificates. Barracuda Appliance Control Fix: From the Barracuda Appliance Control interface, clicking on a message in the Message Log properly renders the Message Details popup window and message information. [BNSF-22666] Fixed in Version Version : Enhancement: Improved concurrent processing performance of the Barracuda Spam Firewall 900. [BNSF-21877] Enhancement: Improved message body scanning. [BNSF-21891] Enhancement: Optimized performance of Barracuda Reputation Blocklist resource utilization, update, and lookup. [BNSF-22036] Enhancement: Header filters can now be applied to the Received header added by the Barracuda Spam Firewall. [BNSF-22101] Enhancement: Improved performance of recipient verification lookup when Local Database is not in use. [BNSF-22185] Enhancement: Improved resource utilization for scoring and attachment scanning. [BNSF-22266] Enhancement: Valid and Explicit Recipients no longer require the primary address to be listed twice on the ADVANCED > Explicit Users page (at the global level) or the USERS > Valid Recipients page (at the domain level). [BNSF-22357] Enhancement: Improved memory performance with attachment processing. [BNSF-22362] Fix: In clustered environments, Per-User Quarantine accounts now support special characters such as apostrophes, for example. [BNSF-16814] Fix: Archiving of encrypted messages handles TLS-based connections correctly. [BNSF-21150] Fix: Plain text footers are not duplicated if the footer is multi-line. [BNSF-21376] Fix: Resolved issue which could prevent statistics and Message Log from updating. [BNSF-21848] Fix: Quarantined messages with multi-byte characters in the headers can now be delivered. [BNSF-21964] Fix: PTR record analysis now properly handles Trusted Forwarders when a connection is made. [BNSF-22196] Fix: Resolved intermittent logging issue which, at times, used disk space on the firmware partition. [BNSF-22201] Fix: Now all messages from a whitelisted IP address in a single session are whitelisted. Previously only the first message was whitelisted. [BNSF-22205] Fix: Resolved long delay for display of BASIC > Status and ADVANCED > Energize Updates pages when offline updates are used. [BNSF-22258] Fix: Improved performance when Energize Updates are applied on a Barracuda Spam Firewall appliance under heavy System Load. [BNSF-22300, BNSF-22398] Fix: Outbound quarantine now works on the Barracuda Spam Firewall 100 and 200. [BNSF-22351] 12 / 23

13 Reporting Fix: Encryption Details report columns are correctly labeled. [BNSF-22095] Enhancement: Password values changed via the Support Tunnel are now masked from Syslog output. [BNSF-22018] Enhancement: Added Russian translations to NDR templates. [BNSF-22323] Enhancement: Included Icelandic translations for end user pages in the web interface. [BNSF-22358] Fix: Resolved case sensitivity issue when domain names are referenced in various settings. [BNSF-21358] Fix: Web interface no longer displays "Temporarily Unavailable" if an invalid character set attribute is detected. [BNSF-22180, BNSF-22240] Backup Fix: When restoring a backup to a new Barracuda Spam Firewall, upgraded to the most recent firmware, you are no longer required to do a Reload to prevent an "Invalid Domain" response. [BNSF-20703] Fix: Resolved issue which could prevent backup jobs from completing. [BNSF-21915] Fix: Backups can now be restored if the web browser is configured for Japanese character sets. [BNSF-22364] Barracuda Outlook Add-in Fix: The Barracuda Spam Firewall now returns error messages when appropriate from the Barracuda Outlook Add-in and Exchange Antivirus Add-in. [BNSF-22220] Fix: The Barracuda Outlook Add-in now properly detects the custom HTTPS port. [BNSF-22382] Fix: resolved the following vulnerabilities: Medium - High severity vulnerability: insufficient authorization. [BNSEC-4517 / BNSF-21063] Medium - High severity vulnerability: non-persistent XSS, unauthenticated. [BNSEC-1251 / BNSF-20597] Low severity vulnerability: unauthenticated, remotely exploitable, information disclosure. [BNSEC-3421 / BNSF-21649] Fixed in Version Version : Fix: Prevent the Spam Intent Category in Intent Analysis from defaulting to Off on upgrade. If a previous upgrade has occurred, please see the Intent Categories table for BASIC > Spam Checking page and verify the setting. [BNSF-21927] Version : Fix: Resolved the following vulnerability: Medium severity: Updated OpenSSL to address the issues reported in OpenSSL's security advisory dated [BNSEC-4499 / BNSF-22245] 13 / 23

14 Version : Enhancement: Improved DLP detection algorithms for birth dates. [BNSF-21396] Enhancement: Improved handling of unusually formatted s. [BNSF-21407] Fix: Messages were erroneously blocked by attachment type when whitelisted by the sender. [BNSF-20505] Fix: Messages with certain malformed headers now appear correctly in the message log. [BNSF-21305] Fix: Resolved issues with malformed headers from Trusted Forwarders. [BNSF-21897, BNSF-21906] Fix: Multiple messages in a single session are no longer encrypted after a message encrypted via the Outlook Add-in. [BNSF-21955] Fix: Per-User Scoring is no longer used when disabled. [BNSF-21800] Feature: Added ability to submit Categories for incorrect or uncategorized messages. [BNSF-21700] Feature: Added support for Europe/Busingen timezone. [BNSF-21988] Enhancement: Improved memory handling and performance of the after long periods of time. [BNSF-22142, BNSF-22155] Fix: Resolved sporadic issue where Basic > Status page would fail to load. [BNSF-21994, BNSF-22184] Fix: Deprecated timezones are not correctly updated when restored from a backup. [BNSF-21770, BNSF-21836] Fix: Messages can now be delivered from any box in a cluster. [BNSF-22083] Backup Fix: Resolved intermittent scenario in which Restore would fail if a previous backup or restore had failed. [BNSF-21257] Fix: Scheduled Backups Destination can now be changed from Cloud. [BNSF-21286] Cloud Control Fix: The Cloud Control status chart now shows the correct date for the status bars. [BNSF-21842] High severity vulnerability: unauthenticated, remotely exploitable, HTTP header injection [BNSEC-1168 / BNSF-20796] Fixed in Version Version : Virtualization Feature: Added support for virtual deployment in Amazon Web Services. [BNSF-21875] Fixed in Version Version : Enhancement: Improved processing of attachment filenames. [BNSF-21995] 14 / 23

15 Fix: Bulk editing the list of domains no longer omits certain domains. [BNSF-21742] Enhancement: Added support for localized web interface for Categorization. [BNSF-22029] Version : Feature: Categorization. Messages from Barracuda-verified senders (including those on the Barracuda Reputation Whitelist) are categorized to allow the administrator another way to determine what action to take on various types of s. Actions for each Category may be configured from the BLOCK/ACCEPT > IP Reputation page. [BNSF-21615] Feature: An additional layer of malware detection has been added with the Extended Malware feature. [BNSF-21662] Enhancement: Per-Domain whitelisting and blocklisting of IP addresses now honors Trusted Forwarder status. [BNSF-13907] Fix: Improved processing of messages with very long URLs. [BNSF-21779] Fix: Improved handling of Received headers containing missing IP addresses. [BNSF-21793] Feature: The Message Log now contains the IP address of the destination server. [BNSF-21404] Feature: The Message Debug Identifier has been added to the Queue Managment for easier tracing of messages. [BNSF-21405] Fix: Changing the character set in the Message Viewer now shows the message rather than the login page. [BNSF-21348] Fix: APIs now properly account for colons in regex values. [BNSF-21522] Fix: Adding valid recipients is now logged to the GUI syslog. [BNSF-21536] Fix: Explicit users are not supported by the list_valid_recipient_aliases API call. [BNSF-21768] Reporting Fix: LDAP Failure notification report now accounts for case changes in domains. [BNSF-17538] Fix: Resolved the following vulnerabilities: High severity: Authentication bypass [BNSEC-3188 / BNSF-21585] Medium - High severity: Requires authentication; security control bypass [BNSEC-3208 / BNSF-21593] Medium severity: Requires authentication; denial of service [BNSEC-3297 / BNSF-21598] Medium severity: Unauthenticated; information disclosure [BNSEC-3259 / BNSF-21596] Medium severity: Requires authentication; security control bypass [BNSEC-3198 / BNSF-21591] Low severity: Unauthenticated; remotely exploitable; information disclosure [BNSEC-3421 / BNSF-21649] Low severity: Non-persistent XSS; requires authentication; remotely exploitable [BNSEC-3287 / BNSF-21597] Firmware Version 6.0 What's New in Version 6.0 Updated Time Zone settings per new 2013 DST settings. - The following time zones have been converted 15 / 23

16 (see the BASIC > Administration page): AQ CA Old Time Zone Antarctica/South Pole Amundsen-Scott Station, South Pole America/Montreal Eastern Time - Quebec - most locations US America/Shiprock Mountain Time; Navajo New Time Zone Antarctica/McMurdo Toronto America/Denver America/Shiprock Cloud Services Cloud Backup - New option to back up to the Barracuda Cloud with the same backup features as always, configurable from the ADVANCED > Backup page. Use your Barracuda Customer Account credentials to connect. If you don't have an account, you can create one following instructions in this Barracuda TechLibrary article: Create a Barracuda Cloud Control Account, or see the ADVANCED > Cloud Control page. Cloud Protection Layer (CPL) - Now provides an integrated Message Log together with messages processed by the Barracuda Spam Firewall. Encryption More reports detailing number of encrypted s sent, number of encrypted s opened by recipients, policies that triggered encryption action and number of recalled messages. Ability to archive encrypted threads to a specified Barracuda Message Archiver. Configured on the BASIC > Administration page, this feature will archive all encrypted correspondence, including encrypted replies, for all domains that have been validated on the Barracuda Spam Firewall. Message Privacy New Governance, Risk Management and Compliance (GRC) role. The GRC role is used as a way to provide governance, risk management and compliance to content. The GRC only has access to Outbound Quarantine logs via the web interface and has the job of reviewing the messages in the log, determining which ones should be delivered or rejected based on policy. The administrator can enable or disable the GRC account at any time. Configure on the BASIC > Administration page. Message Log Privacy - To protect privacy, you can enable the Secondary Authorization feature to require a password before the Admin, Domain Admin or Helpdesk roles can view entries or message contents across the system (including the global Message Log, per-domain Message Logs, queue management, outbound quarantine and quarantine inboxes). Configure on the BASIC > Administration page. SSL Certificates SSL Certificate generation and installation process improvement. Reporting The Top Count setting upper limit, which is the maximum number of rows returned in a report (e.g. Top 10 Viruses), has been reduced to 50. See the BASIC > Reports page. Add-ins The Barracuda Outlook Add-in supports Outlook 2007, Outlook 2010 and Support for Outlook XP and 2003 is no longer available. Note: If you are running version of the Barracuda Spam Firewall firmware, you must upgrade 16 / 23

17 your Barracuda Outlook Add-in to version 6.0.x or later (see the USERS > User Features page). The Lotus Notes Plugin is no longer supported, starting in Firmware Release 6.0. Fixed in Version Version : Enhancement: Multi-level intent analysis consistently handles timeouts. [BNSF-21731] Fix: PTR record analysis now honors Trusted Forwarder status; i.e. IP addresses are checked until and including the first IP that is not a trusted forwarder. [BNSF-21559] Updated Time Zone settings per new 2013 DST settings. - The following time zones have been converted (see the BASIC > Administration page): AQ CA Old Time Zone Antarctica/South Pole Amundsen-Scott Station, South Pole America/Montreal Eastern Time - Quebec - most locations US America/Shiprock Mountain Time; Navajo New Time Zone Antarctica/McMurdo Toronto America/Denver America/Shiprock Fix: Converted time zones per new 2013 DST settings. [BNSF-21277]. The following time zones have been converted: Antarctica/South Pole, Amundsen-Scott Station, South Pole. New Time Zone: Antarctica/McMurdo America/Montreal Eastern Time - Quebec - most locations. New Time Zone: Toronto America/Shiprock Mountain Time, Navajo. New Time Zone: America/Denver America/Shiprock Fix: Bulk editing the list of domains no longer omits certain domains. [BNSF-21742]. Version : Enhancement: Improved Sender Policy Framework (SPF) algorithms for increased accuracy. [BNSF-18114, BNSF-20387, BNSF-20523, BNSF-20558, BNSF-20883, BNSF-21068, BNSF-21118] Enhancement: Hard SPF detection failures are now enabled by default. [BNSF-17929] Enhancement: Inbound mail from a Trusted Relay source is now subject to Recipient Verification (if configured) to prevent sending to an invalid user for the domain. [BNSF-20482]. Enhancement: Mail Journaling can now be configured to only journal Quarantined messages on delivery. [BNSF-19388] Enhancement: Multi-level intent analysis performs better with slow web servers. [BNSF-20003] Enhancement: Improved disk space management. [BNSF-20543, BNSF-21026, BNSF-21339, BNSF-21308] Enhancement: Improved recovery of services that are in an inconsistent state. [BNSF-20656, BNSF-20802, BNSF-20898] Enhancement: Improved real-time detection for multilevel intent analysis. [BNSF-20733] Enhancement: Improved attachment detection and filtering. [BNSF-19488] Enhancement: Optimized analysis of messages with compressed files (.tgz,.rar,.zip). [BNSF-21147] Enhancement: Improved DLP detection algorithms for message contents and attachments, including those for identifying dates, credit card information, and data in Excel files. [BNSF-21094, BNSF-21354, BNSF-20736, BNSF-21272] Enhancement: Added default German NDR texts. [BNSF-21058] Fix: The Create Password can now be sent to users with spaces in the UID. [BNSF-14773] Fix: Block Sender Verify is no longer disabled when Block Empty Sender is enabled. [BNSF-14977] 17 / 23

18 Fix: PTR record analysis is now performed when mail is received from a Trusted Forwarder. [BNSF-19257] Fix: All messages in a single SMTP session are now whitelisted when sent from a whitelisted IP address. [BNSF-19779, BNSF-20562] Fix: Improved whitelist setting interactions between a primary account and its LDAP or Valid Recipient alias. [BNSF-20592, BNSF-21453] Fix: Improved detection of UPS tracking numbers previously mis-identified as Social Numbers. [BNSF-19577] Fix: Outbound Quarantine messages could be delivered to the Inbound Quarantine address with the Inbound Quarantine tag when using Global Quarantine. [BNSF-20032] Fix: Resolved issue processing messages with headers including ports with IP addresses. [BNSF-20524] Fix: Messages blocked due to file type now report as banned rather than accepted. [BNSF-20525] Fix: Whitelist properly takes precedence over quarantine rules that are based on Reg settings. [BNSF-20934] Fix: Resolved issue in which, in rare circumstances, per-user quarantine files could be written as zero bytes when in a clustered environment. [BNSF-20991] Fix: Spam analysis conditions which could prevent unusual messages from being processed. [BNSF-20994, BNSF-20997] Enhancement: Improved web interface performance when displaying a large number of users or domains. [BNSF-18336] Enhancement: Reduced time to reload system configurations when there are a large number of domains. [BNSF-20145] Enhancement: Single Sign-On now honors Valid Recipient alias linking. [BNSF-19754] Enhancement: Improved support for Internet Explorer 9 and 10 and Firefox 23 and Safari. [BNSF-19525, BNSF-19837, BNSF-19978, BNSF-20259, BNSF-21324, BNSF-21244] Enhancement: Manual Backups now show the correct status without requiring a manual refresh. [BNSF-19836] Enhancement: Improved detection of malformed character sets when displaying unicode messages. [BNSF-20503] Enhancement: Added 3 new methods to API to list, add and delete Valid Recipients. [BNSF-20605] Enhancement: The SMTP port is now excluded from synchronization across systems in a cluster. [BNSF-20561] Enhancement: Option for the Helpdesk role to view message headers (configured on the BASIC > Administration page). [BNSF-21204] Enhancement: Web Syslog contents now include the year, usernames, troubleshooting commands, and configuration changes made by Barracuda Technical Support. May require a restart of your syslog clients in order to receive the additional data. [BNSF-20990, BNSF-21206, BNSF-21207, BNSF-21431, BNSF-21504] Enhancement: Updated translations. [BNSF-19999, BNSF-20000, BNSF-20217, BNSF-20325, BNSF-20862, BNSF-21123, BNSF-21418] Fix: Time zone updates for Israel per new 2013 DST settings. [BNSF-21277] Fix: Journaling to the Barracuda Message Archiver now accepts an IP address. [BNSF-13505] Fix: Corrected handling of unicode characters in user whitelists. [BNSF-13751] Fix: Reduced time to log into the web interface when the update server is not reachable. [BNSF-18333] Fix: Improved handling of special characters such as '$' in the LDAP password for Single Sign-On users. [BNSF-19396] Fix: All users are now able to view quarantine messages when a device is removed from a cluster. [BNSF-19567] Fix: Viewing message bodies in a clustered environment no longer results in an error for some messages. [BNSF-21449] Fix: Searching the outbound quarantine from a user's account no longer forces a logout. [BNSF-19775] Fix: Repaired erroneous validation of the Message Log's Time Range filters. [BNSF-20218] Fix: Repaired Time Range searches of Outbound messages in the Message Log. [BNSF-21273] 18 / 23

19 Fix: Message Log filter errors are now properly encoded. [BNSF-19968] Fix: The Barracuda Spam & Virus Firewall Vx now displays the correct expiration date for Energize Updates subscriptions. [BNSF-20076] Fix: The SNMP agent starts correctly on the Barracuda Spam & Virus Firewall Vx. [BNSF-19478] Fix: Graceful shutdown via the power button now works in all cases. [BNSF-20706] Fix: The "ping" command works as expected with IPv6. [BNSF-20726] Fix: Performance statistics are now displayed when viewing the BASIC > Status page in the web interface page for the Chinese locale. [BNSF-21156] Backup Enhancement: FTP backups now supports both active and passive modes. [BNSF-7762] Fix: SMB shares are now always unmounted after a backup. [BNSF-19249] Fix: Repaired display of backup files available via FTP. [BNSF-21332] Cloud Control Feature: The ADVANCED > Queue Management page is now available from Barracuda Cloud Control. [BNSF-19534] Fix: Errors restoring backups are now propagated to the top level of the Barracuda Cloud Control tree. [BNSF-19534] Fix: Repaired of links for running/completed tasks. [BNSF-20186, BNSF-20194] Barracuda Outlook Add-in This firmware version requires update of your Barracuda Outlook Add-in (see the USERS > User Features page) to version or later. Enhancement: Classification buttons are now available for public folders. [BNSF-20670] Enhancement: The Alternate URL was removed from the ADM configuration in favor of auto-provisioning. [BNSF-20670] Fix: The property page now shows correctly in Outlook [BNSF-21300] Fix: The Add-in no longer fails to start if a localization is unavailable. [BNSF-21492] Exchange Antivirus Enhancement: Improved handling of corrupted virus definition updates. [BNSF-20648] Fix: The Exchange Antivirus Agent now starts for all localized versions of Microsoft Exchange. [BNSF-19315] Fix: Resolved the following vulnerabilities: High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-2590] High severity: Authentication bypass. [BNSEC-2625] High severity: Information disclosure. [BNSEC-2816] Medium severity: Unauthenticated; information disclosure. [BNSEC-1658] Medium severity: Information disclosure. [BNSEC-2814] Low - Medium severity: Persistent XSS; unauthenticated; authentication bypass. [BNSEC-2563] Low severity: Persistent XSS; requires authentication; remotely exploitable. [BNSEC-220] Low severity: Non-persistent XSS; requires authentication; remotely exploitable. [BNSEC-1052] Fixed in Version / 23

20 Version : Enhancement: Improved real-time detection of malformed attachments. [BNSF-21142]. Fix: Resolved the following vulnerabilities: High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-1550 / BNSF-20929] High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-1650 / BNSF-20943] Medium - High severity: Non-persistent XSS; unauthenticated [BNSEC-1251 / BNSF-20597] Low - High severity: Persistent XSS; requires authentication. [BNSEC-391 / BNSF-19756] Low - High severity: Non-persistent XSS; requires authentication [BNSEC-1068 / BNSF-20228] Low - High severity: Requires authentication; information disclosure. [BNSEC-1706 / BNSF-20955] Medium severity: Information disclosure. [BNSEC-107 / BNSF-17460] Low - Medium severity: Unauthenticated; information disclosure. [BNSEC-1746 / BNSF-20978] Low severity: Persistent XSS; requires authentication. [BNSEC-220 / BNSF-18321] Low severity: Persistent XSS; requires authentication. [BNSEC-1702 / BNSF-20953] Low severity: Non-persistent XSS; requires authentication. [BNSEC-1152 / BNSF-20394] Low severity: Requires authentication; information disclosure. [BNSEC-1160 / BNSF-20396] Low severity: [BNSEC-1383 / BNSF-20817] Version : Enhancement: Access to Upgraded Barracuda Real Time Systems (BRTS). The Upgraded BRTS is significantly faster and leverages additional lookups and faster detection operations. with this BRTS Upgrade, the Barracuda Spam Firewall can adapt to spam faster and more accurately. [BNSF-20859] Barracuda Outlook Add-in This firmware version requires upgrade of your Barracuda Outlook Add-in (see the USERS > User Features page) to version or later. Fix: Firmware Upgrades no longer fail to show progress in some cases. [BNSF-20790] Version : Fix: The Search button returns the correct result set the first time it is clicked when using the 'Time' search filter. [BNSF-20591] Fix: Time zone Upgrades for Chile and Paraguay per new 2013 DST settings. [BNSF-20522] Version Enhancement: Per-User Allow and Block lists now check Envelope From and Header From. [BNSF-17727] Fix: Reflective cross-site scripting issue in ADVANCED > Troubleshooting page. [BNSEC-1088] 20 / 23

21 Version Fix: Resolved issue with potential SSH access to unit when not deployed behind a firewall. To completely disable remote support functionality, contact Barracuda Networks Technical Support. Reported by Stefan Viehck, SEC Consult Vulnerability Lab ( [BNSEC-767] Version : Backup Feature: Improved backup user interface. [BNSF-19325] Enhancement: Backup files are deleted upon successful completion of a backup. [BNSF-18628] Enhancement: Restoring a backup no longer restores Advanced Network information. [BNSF-18957] Enhancement: Configuration backups are now encrypted. [BNSF-19496] Fix: Backup does not fail if there are special characters in the login name or password. [BNSF-14472] Fix: SMB mounts are now automatically dismounted after a backup. [BNSF-14625] Fix: Restoring a backup configuration now immediately processes mail for domains without requiring a Reload. [BNSF-19350] Enhancement: Disabling SMTP Over TLS at the system level no longer rejects domains which are required by the Domain-level Force TLS settings. [BNSF-17474] Enhancement: Spoof Protection now looks at headers in addition to the envelope content. [BNSF-17679, BNSF-15997] Enhancement: Whitelisted messages are now flagged as whitelisted if Trusted Forwarders are configured on the BASIC > IP Configuration page. [BNSF-17943] Enhancement: Active directory default LDAP filter has been modified to reduce AD CPU load. [BNSF-17993] Enhancement: Improved HIPAA medical term detection in content. [BNSF-18390] Enhancement: Malicious URL scanning now correctly scans all HTML attachments. [BNSF-18564] Enhancement: TNEF files are now scanned for viruses. [BNSF-18921] Enhancement: Added the ability to exempt addresses and domains from encryption from the BASIC > Administration page. [BNSF-18949] Enhancement: Improved recipient verification performance if no Explicit Users are defined. [BNSF-19048] Enhancement: Improved false positive detection in XLSX files for DLP settings. [BNSF-18738] Enhancement: TLS can now be required for all incoming domains from the Domain-level ADVANCED > Protocol page. [BNSF-19738] Fix: Duplicate X-Barracuda-IPDD header lines are no longer added. [BNSF-15751] Fix: Duplicate X-Barracuda-Registry header lines are no longer added. [BNSF-19829] Fix: The Queue Management timestamp now matches the message log timestamp in all cases. [BNSF-19149] Fix: Improved processing performance for large multipart text s. [BNSF-19644] Fix: Attachment filter now correctly detects video file types with altered extensions. [BNSF-18977] Fix: LDAP routing will now enable alias rewriting if username/password are not set. [BNSF-19114] Fix: URL inspection now correctly handles UTF-8 characters. [BNSF-19575] Fix: Improved process monitoring of front end scanning engine. [BNSF-19675] Fix: Appliance remains offline after a firmware upgrade if it is already in offline mode. [BNSF-18941, BNSF-19705] Fix: Rate control settings for POP accounts are now applied correctly. [BNSF-19745] Cloud Control Enhancement: Added Users and Advanced pages to Barracuda Cloud Control administration. 21 / 23