Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances

Barracuda Networks is warning customers about CVE-2023-2868, a zero-day exploited to hack some Email Security Gateway (ESG) appliances.

Barracuda zero day exploited by China

Security, application delivery and data protection solutions provider Barracuda Networks is warning customers about a zero-day vulnerability that has been exploited to hack the company’s  Email Security Gateway (ESG) appliances.

The zero-day, tracked as CVE-2023-2868, was addressed with a patch (BNSF-36456) that has been automatically applied to all impacted appliances.

An entry in NIST’s vulnerability database describes CVE-2023-2868 as a remote command injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006 of the Barracuda ESG appliance.

“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the advisory explains.

Barracuda said the zero-day was discovered on May 19 and a patch was rolled out to all ESG appliances the next day. A second fix was released on May 21 as part of what the company described as its ‘containment strategy’.

“The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability,” the company noted.

Barracuda’s investigation, which is ongoing, showed that “the vulnerability resulted in unauthorized access to a subset of email gateway appliances”.

Impacted users have been notified through the ESG user interface and provided with instructions on the actions they need to take. 

Advertisement. Scroll to continue reading.

Barracuda has promised to share updates as its investigation progresses on its status page. In addition, impacted customers are being directly contacted.

“Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take,” Barracuda recommended.

Only a few vulnerabilities affecting Barracuda Networks products were publicly disclosed in recent years and there do not appear to be any previous reports of malicious exploitation. 

On the other hand, threat actors have been known to target appliances made by F5, Cisco, Fortinet, SonicWall and Sophos.

Related: QNAP Appliances Targeted in New DeadBolt, eCh0raix Ransomware Campaigns

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

Chris Burger has been named Chief Information Security Officer at F5.

Bedrock Security has appointed George Gerchow as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.