A zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances has been exploited by hackers, resulting in some customers’ appliances being compromised. Barracuda identified the vulnerability on May 19, 2023, and rapidly developed patches, which were released on May 20 and May 21.
Barracuda said the vulnerability was only exploited on a subset of ESG appliances, and not all users have been affected. Users whose appliances were compromised have been notified through the ESG user interface and provided with the steps they need to take. Barracuda’s investigation was limited to the appliances themselves, and it is possible that the threat actor behind the attacks moved laterally and gained access to other parts of affected networks, so Barracuda has recommended that affected organizations investigate whether the compromise was more extensive. Barracuda said that if customers have not received the notification through the user interface, no compromise was detected and they do not need to take any action.
The vulnerability was in the email attachment scanning module of Barracuda’s Email Security Gateway and was a critical command injection bug caused by improper input validation. The flaw was due to a failure to comprehensively sanitize the processing of .tar tape archives. That allowed a remote attacker to craft file names inside an archive so that, when the scanner processed them, a system command was executed through Perl’s qx operator with the privileges of the Email Security Gateway product. The vulnerability was assigned the Common Vulnerabilities and Exposures identifier CVE-2023-2868 and a CVSS severity score of 9.4.
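The bug class described above, an archive member name reaching a shell through string interpolation, is easy to see in a small defensive harness. The following is an added example written for this article, not Barracuda code and not a reconstruction of the ESG scanner: it builds a constructed in-memory .tar, flags member names that carry shell metacharacters or path traversal, and contrasts the vulnerable pattern (interpolating the name into a command string, as Perl’s qx does) with two hardened forms (an argument list that never touches a shell, and shlex-quoting where a shell is unavoidable). The `file` utility used as the scanning command is an assumption for illustration only.

```python
import io
import shlex
import tarfile

# Characters a POSIX shell treats as syntax. A legitimate attachment name
# rarely needs any of them; a name that has them must never reach a shell.
SHELL_META = set(';&|`$(){}<>\\"\'\n\r*?[]!#~')


def build_tar(names):
    """Construct an in-memory .tar with one empty member per name (test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def is_suspicious_name(name):
    """True if the member name carries shell metacharacters or traverses paths."""
    if any(ch in SHELL_META for ch in name):
        return True
    if name.startswith("/") or ".." in name.split("/"):
        return True
    return False


def suspicious_members(tar_bytes):
    """Detection: list every member name in the archive that should be rejected."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers() if is_suspicious_name(m.name)]


def unsafe_shell_string(name):
    """The vulnerable pattern (returned, never executed): the equivalent of
    Perl's qx(file $name). A ';' in the name ends the command and starts another."""
    return f"file {name}"


def quoted_shell_string(name):
    """Hardened form when a shell cannot be avoided: quote the name so the
    shell sees one literal word. Equivalent intent to validating before qx."""
    return f"file {shlex.quote(name)}"


def safe_scan_argv(name):
    """Preferred hardened form: validate, then build an argv list to pass to
    subprocess.run(argv) with shell=False. The name is data, never syntax."""
    if is_suspicious_name(name):
        raise ValueError(f"rejected archive member name: {name!r}")
    return ["file", "--", name]


if __name__ == "__main__":
    # Constructed sample archive: one benign name, one with a metacharacter,
    # one with path traversal.
    sample = build_tar(["report.pdf", "attach;echo injected", "../etc/passwd"])
    print("flagged:", suspicious_members(sample))
    print("unsafe :", unsafe_shell_string("attach;echo injected"))
    print("quoted :", quoted_shell_string("attach;echo injected"))
    print("argv   :", safe_scan_argv("report.pdf"))
```

The detection function is the check a gateway should run before any member name is handed to an external tool; `safe_scan_argv` shows the shape of the fix (argument list, no shell), while `quoted_shell_string` is the fallback when a shell string is unavoidable.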
Barracuda has also issued an update for its Email Gateway Defense (EGD) appliances to address a login issue and to introduce a new spam scoring rule, as the old rule was causing customer emails to be blocked.