Vulnerabilities

CVE-2023-2868: Barracuda Networks Email Security Gateway

This advisory is for organizations that use Barracuda Email Security Gateway for spam filtering. If your organization does not use this device, this notification may be discarded. Critical Insight is reviewing our detections for activity related to this vulnerability and will continue to refine and develop new detections.

Barracuda has released a statement advising that organizations who use the Barracuda Email Security Gateway hardware appliance, and have previously been compromised by this vulnerability, should stop using that appliance and contact them.

Summary

On 5/24/23, a CVE was created for a remote command injection vulnerability in the Barracuda Email Security Gateway (ESG) that affects versions 5.1.3.001 through 9.2.0.006. The cause is a failure to sanitize incoming .tar files: an attacker who crafts the file names inside an archive may be able to execute system commands remotely through Perl’s qx operator, with the privileges of the Email Security Gateway product. Barracuda pushed patches to customer appliances on 5/20/23 and an additional patch on 5/21/23 that addresses this vulnerability. Barracuda notes that the earliest evidence they have of exploitation using this vulnerability is October of 2022.
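A defender-side check for the flaw described above, as an added example that is not Barracuda's code or part of the original advisory: it reads only the headers of a tar archive and reports member names that contain shell metacharacters. The metacharacter set, the function names and the sample file names are constructed assumptions, not Barracuda's published IOCs.

```python
import io
import tarfile

# Characters a POSIX shell treats specially. A file name containing any of
# them is unsafe to interpolate into a command string (Perl qx, backticks,
# or any shell-invoking call). Assumed set for this example.
SHELL_META = set("`$;|&<>(){}\\\"'\n\r*?!")


def suspicious_members(tar_bytes):
    """Return [(member_name, offending_chars)] for names with shell metacharacters.

    Only archive headers are read; nothing is extracted to disk.
    """
    findings = []
    # "r:*" lets tarfile detect plain, gzip, bzip2 or xz archives itself.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        for member in archive:
            hits = sorted(set(member.name) & SHELL_META)
            if hits:
                findings.append((member.name, "".join(hits)))
    return findings


def build_sample_tar(names):
    """Build an in-memory tar of empty files (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in names:
            archive.addfile(tarfile.TarInfo(name=name))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two ordinary names, two that should be flagged.
    sample = build_sample_tar(
        ["notes.txt", "q3 report.pdf", "scan`x`.txt", "a;b.log"]
    )
    for name, chars in suspicious_members(sample):
        print(f"flag: {name!r} contains {chars!r}")
```

Code that has to hand an archive member name to an external program should pass it as a separate argument (list-form exec, no shell) rather than building a command string from it.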

No other Barracuda products, including SaaS email security services, were identified to have been affected by this vulnerability.

CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation Vulnerability, CVSSv3: 9.8 (https://nvd.nist.gov/vuln/detail/CVE-2023-2868)

Barracuda has provided key Indicators of Compromise (IOC) to allow users of this appliance to review their environment for signs of attacker activity.

On 6/6/23, Barracuda released an update advising that any clients who had detected a compromise on their ESG application due to the CVE-2023-2868 vulnerability should immediately replace the hardware, regardless of the current patch version level. They are urging organizations who need assistance validating appliance patch levels, or who identify a compromised device that needs replacing, to contact them at support@barracuda.com.

From Barracuda: “Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.”

IOCs and recent updates: https://www.barracuda.com/company/legal/esg-vulnerability

Additional Mitigations

Users of the Barracuda ESG appliance who confirm a compromise of the ESG appliance should: