Barracuda Warns of Zero-Day Exploited to Breach Email Security Gateway Appliances

Cyber Security Threat Summary:
CISA has added a recently patched zero-day vulnerability to its catalog of known actively exploited flaws, urging federal agencies to apply the fixes by June 16, 2023. Tracked as CVE-2023-2868, the flaw is a remote code injection vulnerability impacting Barracuda Email Security Gateway (ESG) appliances, versions 5.1.3.001 through 9.2.0.006.

According to NIST's national vulnerability database, “the vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.”
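A defender-side check for the condition the NVD text describes, written for this summary as an added example (it is not Barracuda's code or patch): it reads only the headers of a tar attachment and rejects member names that would be unsafe to interpolate into a shell command string. The character set, function names and sample archive are assumptions constructed for illustration, and the check goes slightly beyond the advisory by also flagging path-traversal names.

```python
import io
import re
import tarfile

# Characters a POSIX shell interprets when a name is interpolated into a
# command string (the qx-style pattern the advisory describes). Assumed set.
SHELL_META = re.compile(r"[`$;&|<>()'\"\\]")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def suspicious_members(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for every name that fails validation."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as archive:
        for member in archive:  # iterates headers only; nothing is extracted
            name = member.name
            if CONTROL.search(name):
                findings.append((name, "control character"))
            elif SHELL_META.search(name):
                findings.append((name, "shell metacharacter"))
            elif name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path escapes extraction directory"))
    return findings


def build_sample_tar(names: list[str]) -> bytes:
    """Build an in-memory tar of empty files (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            archive.addfile(info)
    return buf.getvalue()


# Constructed names: two ordinary ones and three that must be rejected.
SAMPLE = build_sample_tar(
    ["docs/readme.txt", "report-2023.pdf", "a`b`.txt", "x;y.log", "../etc/cfg"]
)

if __name__ == "__main__":
    for name, reason in suspicious_members(SAMPLE):
        print(f"REJECT {name!r}: {reason}")
```

Name screening of this kind is defense in depth; the underlying fix is to never build a shell command string from archive member names.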

The flaw was identified by Barracuda on May 19, 2023, leading the company to deploy a patch across all ESG devices worldwide a day later. On further investigation, Barracuda found that threat actors had leveraged the vulnerability to gain unauthorized access to a subset of its email gateway appliances. As such, the company rolled out a second fix on May 21 as part of its containment strategy.

“The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability,” stated Barracuda in a recent advisory.

Security Officer Comments:
The attacks in the wild have yet to be attributed to a known threat group. As of writing, Barracuda has not disclosed how many of its appliances were impacted. Barracuda did note that users of the affected appliances were notified via the ESG user interface of actions to take, with the company also reaching out to these users separately.

Suggested Correction(s):
“Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take” (Barracuda, 2023).

Link(s):
https://thehackernews.com/2023/05/barracuda-warns-of-zero-day-exploited.html
https://status.barracuda.com/incidents/34kx82j5n4q9