Barracuda email security appliances hacked via zero-day vulnerability (CVE-2023-2868)
A vulnerability (CVE-2023-2868) in Barracuda Networks’ Email Security Gateway (ESG) appliances has been exploited by attackers, the company has warned.
CVE-2023-2868 is a critical remote command injection vulnerability affecting only physical Barracuda Email Security Gateway appliances, versions 5.1.3.001 – 9.2.0.006.
“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). [It] stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” says the official CVE listing.
The company identified the vulnerability on May 19, 2023, and pushed a patch to all ESG appliances worldwide on May 20, 2023.
“As part of our containment strategy, all ESG appliances have received a second patch on May 21, 2023. Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers,” the company said, but did not explain what the second patch does.
Mitigation and remediation
Barracuda has promised to share details on what actions they are taking and to provide actionable steps for customers to take.
Reddit users on the sysadmin subreddit have lamented the vagueness of the public alert and one of them shared the email sent by Barracuda’s support team, in which it advised customers to rotate any credentials connected to the ESG appliance: LDAP, AD, Barracuda Cloud Control, FTP and SMB credentials, as well as any private TLS certificates.
“Out of abundance of caution, we would like to get you set up with a new, unaffected environment,” the company said. “We will do a replacement for the affected device and also till you get the new device we suggest you to spin up a virtual appliance or we can go with the Cloud version with is Email gateway defense.”
Barracuda says their investigation was limited to the ESG product, so it’s on customers to review their environments and determine any additional actions they want to take.
We have asked the company for more details on when they first discovered the attacks, how many customers have been affected, and whether they had any information about the attackers’ susbsequent actions. We’ll update this item if we get answers.
UPDATE (May 30, 2023, 01:14 p.m. ET):
Barracuda has provided an update, IoCs and YARA rules for threat hunters. They say that the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.”