Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances

Security, application delivery and data protection solutions provider Barracuda Networks is warning customers about a zero-day vulnerability that has been exploited to hack the company’s  Email Security Gateway (ESG) appliances.

The zero-day, tracked as CVE-2023-2868, was addressed with a patch (BNSF-36456) that has been automatically applied to all impacted appliances.

An entry in NIST’s vulnerability database describes CVE-2023-2868 as a remote command injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006 of the Barracuda ESG appliance.

“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the advisory explains.

Barracuda said the zero-day was discovered on May 19 and a patch was rolled out to all ESG appliances the next day. A second fix was released on May 21 as part of what the company described as its ‘containment strategy’.

“The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability,” the company noted.

Barracuda’s investigation, which is ongoing, showed that “the vulnerability resulted in unauthorized access to a subset of email gateway appliances”.

Impacted users have been notified through the ESG user interface and provided with instructions on the actions they need to take. 

Barracuda has promised to share updates as its investigation progresses on its status page. In addition, impacted customers are being directly contacted.

“Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take,” Barracuda recommended.

Only a few vulnerabilities affecting Barracuda Networks products were publicly disclosed in recent years and there do not appear to be any previous reports of malicious exploitation. 

On the other hand, threat actors have been known to target appliances made by F5, Cisco, Fortinet, SonicWall and Sophos.

Related: QNAP Appliances Targeted in New DeadBolt, eCh0raix Ransomware Campaigns

Related: CISA Warns of Two Mitel Vulnerabilities Exploited in Wild