Vulnerable ESG Appliances Must be Replaced, Urges Barracuda

Enterprise security vendor Barracuda has strongly recommended that customers replace their Email Security Gateway (ESG) appliances, regardless of the patch level they have installed.

This advisory responds to observed attacks targeting a previously patched zero-day vulnerability. The flaw, CVE-2023-2868, was exploited as early as October 2022 and was remotely patched on May 20, 2023. Barracuda cut off the attackers' access to the compromised appliances by deploying a dedicated script the following day.

Barracuda's original advisory, issued on June 1, stated that the vulnerability was found in the module responsible for screening email attachments. An updated advisory on June 6, however, now recommends the complete replacement of affected ESG appliances.

What was discovered?

Barracuda determined that unauthorized access was gained by exploiting the flaw on a specific subset of ESG appliances. Malware was discovered on some of these appliances, providing persistent backdoor access, and data exfiltration was also detected on specific affected devices.

Security firm Rapid7's incident response teams also investigated the ESG exploitation and published their findings in a blog post on Thursday. They noted:

“The pivot from patch to total replacement of affected devices is quite surprising and suggests that the deployed malware somehow achieves a level of persistence that even wiping the device wouldn’t eliminate attacker access.”

Source: NIST

“A vulnerability has been discovered in the Barracuda Email Security Gateway (only affecting the appliance form factor) with versions 5.1.3.001-9.2.0.006. This vulnerability involves a remote command injection issue caused by inadequate sanitization of .tar files (tape archives) during processing. The exposure occurs due to insufficient validation of user-supplied .tar file names within the library.”

What’s the solution, if any?

According to John Bambenek, the principal threat hunter at Netenrich, customers using virtual appliances will have a relatively straightforward solution. In such cases, provisioning and configuring a new virtual appliance and removing the old one should suffice. However, those using hardware appliances will face a more challenging task as they must acquire a new device to replace the compromised one.

According to NIST: “Exploiting this flaw, a remote attacker can manipulate the file names in a specific way to execute system commands through Perl’s qx operator, using the privileges of the Email Security Gateway product. The issue has been addressed with the BNSF-36456 patch, which was automatically applied to all customer appliances.”
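The two NIST passages above describe the defect in general terms: archive member names taken from an untrusted .tar file were interpolated into a command line executed through Perl's qx operator, so a crafted name became shell input. The following Python example is added here to illustrate the two defensive layers that close that class of bug; it is not Barracuda's code, nor their actual fix (the BNSF-36456 patch contents are not on this page). It assumes an allowlist policy for member names that I chose for the example, builds a small constructed archive in memory with `tarfile`, audits every member name before anything is done with it, and shows that passing a name to a child process as a single argv element with `shell=False` means it is never parsed by a shell at all.

```python
import io
import re
import subprocess
import sys
import tarfile

# Allowlist policy (assumed for this example, not Barracuda's): each path
# segment is letters, digits, dot, underscore or hyphen, starting with a
# letter or digit; segments are joined by "/". Anything outside this set
# is rejected at the archive boundary, long before a command line exists.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def check_member_name(name: str):
    """Return (ok, reason) for one tar member name."""
    if not name or len(name) > 255:
        return False, "empty or too long"
    if name.startswith("/"):
        return False, "absolute path"
    for seg in name.split("/"):
        if seg in ("", ".", ".."):
            return False, "path traversal or empty segment"
        if not SAFE_SEGMENT.match(seg):
            return False, "disallowed characters"
    return True, "ok"


def audit_tar(blob: bytes):
    """Parse an uncompressed tar archive from memory and classify every
    member name; nothing is extracted or executed here."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
        for member in tf.getmembers():
            ok, reason = check_member_name(member.name)
            results.append((member.name, ok, reason))
    return results


def build_sample_tar(names):
    """Constructed sample archive with the given member names (test data
    only, so the example runs offline without a real attachment)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def argv_passthrough(name: str) -> str:
    """Second layer: hand the name to a child process as one argv element.
    With a list and shell=False there is no shell to interpret ';', '`'
    or '$(' in the name; the child simply echoes back argv[1] unchanged."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", name],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def run_on_name(name: str) -> str:
    """Both layers together: validate first, then invoke without a shell."""
    ok, reason = check_member_name(name)
    if not ok:
        raise ValueError(f"refusing member name {name!r}: {reason}")
    return argv_passthrough(name)


if __name__ == "__main__":
    sample = build_sample_tar(["docs/report-2023.pdf", "../etc/passwd", "a;b.txt"])
    for name, ok, reason in audit_tar(sample):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name!r}: {reason}")
    print(argv_passthrough("a;b.txt"))   # the name comes back intact, no command ran
```

The allowlist is deliberately stricter than "no shell metacharacters": denylists of dangerous characters are what tend to miss a case, whereas an allowlist fails closed. The second layer matters on its own because it removes the shell from the path entirely; Perl's `system` with a list argument gives the same guarantee that qx with an interpolated string does not.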

These updates from Barracuda regarding CVE-2023-2868 follow the revelation by Quarkslab a few months ago that two previously identified vulnerabilities in the TPM 2.0 reference library could potentially affect billions of Internet of Things (IoT) devices.

Concluding remarks

Vulnerabilities must be patched promptly to limit damage, and it is equally important to know your own systems' weak points. The relevant security team should be engaged immediately when a zero-day is disclosed. For further assistance, contact support@barracuda.com.

Author: PureVPN

Date: June 12, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.
