[Editor’s Note: This article has been updated to reflect Barracuda Networks’ official statement.]
Barracuda Networks is urging organizations with Email Security Gateway appliances impacted by a remote command injection bug in the devices to replace them, even if they were patched.
The company’s recommendation comes after Barracuda was first alerted to anomalous traffic coming from Email Security Gateway (ESG) appliances on May 18, which prompted the company to begin an investigation with the help of cybersecurity firm Mandiant.
This week, Barracuda updated its notice, urging customers with impacted ESG appliances to replace them regardless of their patch version level.
“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company says in its advisory.
According to the advisory, Barracuda identified a remote command injection vulnerability in their ESG appliance one day after discovering the “anomalous traffic” and engaging Mandiant. A patch was released a day after that on May 20, but the patch is apparently not enough to prevent compromise of the affected devices.
The company is also releasing a “series of security patches” to all appliances.
Exploitation for 10 months
Alarmingly, Barracuda and other cybersecurity firms say exploitation of these ESG appliances dates back to fall 2022, specifically October 2022.
According to Barracuda, the vulnerability existed in a module which initially screens attachments of incoming emails. The bug has been leveraged to obtain unauthorized access to a subset of ESG appliances, and malware that gave attackers a backdoor was identified on a subset of those appliances.
Evidence of data exfiltration was also identified, the company says.
The company notified users with impacted appliances to take action, but “additional customers may be identified in the course of the investigation,” the firm says.
About the vulnerability and malware
According to Barracuda, the vulnerability, CVE-2023-2868, stems from “incomplete input validation of user supplied .tar files as it pertains to the names of files contained within the archive.”
This allows a remote attacker to format file names in a particular manner that would result in “remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the company says.
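The weakness described above is the gap between what a tar member name may contain and what is safe to pass to a shell. The check below is an added defensive illustration, not Barracuda's code and not the ESG screening module (whose internals are not on this page): it scans every member name of an in-memory archive and rejects anything with shell metacharacters, control bytes or path traversal before the name could reach a command line. The function names and the sample archive are constructed for this example.

```python
import io
import re
import tarfile
from typing import Optional

# Allowlist for member names that are safe to hand to any downstream tool.
# Everything outside it (shell metacharacters, whitespace, control bytes,
# traversal) is rejected before the name is used anywhere near a shell.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._+-][A-Za-z0-9._+/-]*$")
SHELL_META = set("`$;|&<>()\"'\\ \t\n")


def check_member_name(name: str) -> Optional[str]:
    """Return a rejection reason for a tar member name, or None if acceptable."""
    if not name or len(name) > 255:
        return "empty or overlong name"
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return "control character in name"
    if name.startswith("/") or ".." in name.split("/"):
        return "absolute path or traversal"
    if any(c in SHELL_META for c in name):
        return "shell metacharacter in name"
    if not SAFE_NAME.fullmatch(name):
        return "name outside allowlist"
    return None


def unsafe_members(tar_bytes: bytes) -> list:
    """Scan every member of an in-memory tar archive; return (name, reason) pairs."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        return [(m.name, reason) for m in tf.getmembers()
                if (reason := check_member_name(m.name)) is not None]


def build_sample_tar(names: list) -> bytes:
    """Constructed sample archive: one small text member per given name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            data = b"sample\n"
            info = tarfile.TarInfo(name=n)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: one benign name and four names that must be rejected.
SAMPLE = build_sample_tar(["report.pdf", "a;b.txt", "`x`.doc", "../etc.conf", "q$(y).zip"])

if __name__ == "__main__":
    for name, reason in unsafe_members(SAMPLE):
        print(f"rejected {name!r}: {reason}")
```

The same principle applies on the Perl side the advisory mentions: validated names and list-form invocations that never hand a string to a shell, rather than interpolating names into qx.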
Barracuda also identified three malware strains that make the backdoor possible.
Barracuda is recommending that organizations with ESG appliances ensure that the devices are receiving and applying updates and security patches, but it is also recommending that organizations discontinue use of compromised ESG appliances and contact Barracuda support to obtain a new ESG virtual or hardware appliance.
In addition, organizations should rotate any applicable credentials connected to the ESG appliance, including:
- Any connected LDAP/AD
- Barracuda Cloud Control
- FTP Server
- Any private TLS certificates
Barracuda’s official statement
The company’s official statement reads as follows:
The latest information related to Barracuda’s Email Security Gateway (ESG) vulnerability and incident has been published on Barracuda’s Trust Center (https://www.barracuda.com/company/legal). The product CVE is published here: https://nvd.nist.gov/vuln/detail/CVE-2023-2868.
An ESG product vulnerability allowed a threat actor to gain access to and install malware on a small subset of ESG appliances. On May 20, 2023, Barracuda deployed a patch to ESG appliances to remediate the vulnerability.
Not all ESG appliances were compromised, and no other Barracuda product, including our SaaS email solutions, was impacted by this vulnerability.
As of June 8, 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability. Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.
We have notified customers impacted by this incident. If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time. Again, only a subset of ESG appliances were impacted by this incident.
Barracuda’s guidance remains consistent for customers. Out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance. If a customer received the User Interface notification or has been contacted by a Barracuda Technical Support Representative, the customer should contact [email protected] to replace the ESG appliance. Barracuda is providing the replacement product to impacted customers at no cost.
If you have questions on the vulnerability or incident, please contact [email protected]. Please note that our investigation is ongoing, and we are only sharing verified information.
Barracuda has engaged and continues to work closely with Mandiant, leading global cyber security experts, in this ongoing investigation.
We will provide updates as we have more information to share.