Organizations turn to security vendors for the solutions they need to protect themselves from cyberattacks. That is also why attackers target security and backup products. One example is the ongoing investigation into an exploited vulnerability in Barracuda Networks' popular Email Security Gateway (ESG) appliance. On June 6, 2023, the company published its latest product incident update and urged all ESG customers to immediately decommission and replace all impacted physical ESG appliances, irrespective of patch level. The Barracuda Email Security Gateway is an email security solution that manages and filters all inbound and outbound email traffic to protect organizations from threats and data leaks.
What is CVE-2023-2868?
The exploited flaw is a zero-day that Barracuda identified on May 19, 2023. Tracked as CVE-2023-2868, it is a remote command injection vulnerability in the ESG's screening of email attachments: file names inside .tar archives were not fully sanitized before being passed to a system command (via Perl's qx operator), so a specially crafted archive could execute commands with the privileges of the ESG. The vulnerability affects versions 5.1.3.001 through 9.2.0.006 of the Barracuda Email Security Gateway. The company released two separate patches to address the issue on May 20 and May 21. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-2868 to its Known Exploited Vulnerabilities catalog and warned federal agencies and the public about the seriousness of the vulnerability. A company spokesperson stated that only about 5% of active ESG appliances had been exploited at that point.
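The root cause is an archive member name reaching a shell unsanitized, so the screening check Barracuda's attachment scanner lacked is straightforward to illustrate. The following is an added example written for this article, not Barracuda's code: it builds a .tar in memory from constructed member names and flags any entry whose name contains characters a shell (or Perl's qx) would interpret, which is also a useful triage check when hunting through archived mail for exploitation attempts. The function names and the allowlist are my own choices.

```python
import io
import tarfile

# Characters a shell or Perl's qx would interpret if a member name were
# interpolated into a command unquoted. Assumed set chosen for this example.
SHELL_METACHARS = set('`$;|&<>(){}\'"\n\\')

# Allowlist for benign attachment member names (assumption: letters, digits,
# dot, underscore, dash, slash and space). Anything else is reported too.
SAFE_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._/ -"
)


def suspicious_members(tar_bytes):
    """Return [(member_name, reason)] for every archive entry whose name could
    be interpreted by a shell, plus a single finding if the blob is not a tar."""
    findings = []
    try:
        tf = tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*")
    except tarfile.ReadError:
        # A malformed attachment is itself worth surfacing rather than ignoring.
        return [("<archive>", "unreadable tar")]
    with tf:
        for member in tf:
            name = member.name
            if any(c in SHELL_METACHARS for c in name):
                findings.append((name, "shell metacharacters"))
            elif not all(c in SAFE_CHARS for c in name):
                findings.append((name, "outside allowlist"))
    return findings


def build_tar(member_names):
    """Build an in-memory .tar with the given member names (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one benign name, two names shaped to break out of
    # an unquoted command line, one merely odd name.
    sample = build_tar(["report.pdf", "a`id`.txt", "x;y", "file#1.txt"])
    for name, reason in suspicious_members(sample):
        print(f"{reason}: {name!r}")
```

The allowlist is deliberately strict: rejecting everything outside a small character set is the sanitization that would have made the attachment screening safe, and it is the same check to apply before ever handing an attacker-controlled name to a command.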
While the patches do close the vulnerability, the investigation showed that attackers who had already exploited the bug could have made deeper changes to the appliance's firmware that patching alone does not undo. Due to the serious nature of this threat, Barracuda released the following statement:
"If you have not replaced your appliance after receiving notice in your UI, contact support now (firstname.lastname@example.org). Barracuda's remediation recommendation at this time is full replacement of the impacted ESG."
Customers with a virtual appliance can simply download and provision a fresh virtual appliance and delete the old one.
According to an investigation conducted by the cybersecurity company Mandiant, the vulnerability had been exploited since October 2022, a full seven months before its discovery. A suspected Chinese threat actor tracked as UNC4841 has been identified as one of the prime culprits taking advantage of the bug. On October 10, 2022, UNC4841 began sending emails to victim organizations containing malicious TAR file attachments designed to exploit CVE-2023-2868 and gain initial access to the appliances themselves. The group primarily chose its targets based on the priorities of the People's Republic of China; many of the targeted organizations and individuals were in Taiwan and elsewhere in the Asia Pacific region. Barracuda has reached out to all customers whose appliances may have been impacted. Mandiant's report covers the group's attack methodology in more detail.