Hacker attacks & exploits

Barracuda Email Security Gateway Appliance Zero-Day Vulnerability

On 19 May 2023, Barracuda identified a zero-day vulnerability allowing it to breach the company's Email Security Gateway (ESG) appliances. Tracked as CVE-2023-2868, this remote code injection vulnerability affects versions 5.1.3.001 through 9.2.0.006 of ESG and has been reported to be actively exploited.

Mihail Lupan — May 29, 2023

Barracuda Email Security Gateway Appliance Zero-Day Vulnerability

Security Flaw in Email Security Gateway

The California-based company investigation has revealed that the flaw is rooted in a component that screens the attachments of incoming emails and that it can lead to unauthorized access to a subset of email gateway appliances. More in detail, the vulnerability is due to a failure to completely sanitize the processing of .tar files (tape archives). The names of the files contained within the .tar archive file supplied by the user are not correctly sanitized. Therefore, an attacker could format these file names to allow him to remotely execute a system command through Perl's qx operator with the same privileges granted to the Email Security Gateway product.

Patches Deployed & Remedial Actions

Barracuda has informed that security patch BNSF-36456 has been deployed across all ESG devices worldwide just a day later the finding and that as part of their containment strategy, a second patch was applied to all ESG appliances on 21 May 2023. Moreover, a list of remedial actions has been notified to all affected users via the ESG user interface.

Scope of the Attack & Customer Advisory

With 200,000 customers worldwide, the company has not yet disclosed the scale of the attack but has confirmed that no other Barracuda products are subject to this vulnerability. Since the data at hand are limited to the ESG product, customers are advised to review their environments and determine if additional actions are required to mitigate the issue.