Exploitation of Barracuda Email Security Gateway (ESG) appliances has made the news recently, including on-going investigation into the attacks. Leveraging a zero-day vulnerability as far back as October 2022, attackers compromised ESG targets to deploy malware that created persistent backdoor access on victim networks. This unauthorized access could have been used by attackers as a foothold for further network exploration or lateral movement, and evidence does exist that some attackers stole data via these compromised ESG targets. Barracuda identified the exploited vulnerability (known as CVE-2023-2868 with a “critical” CVSS score of 9.8) and has pushed fixes out to ESG devices worldwide, but even with these fixes, unauthorized presence on compromised networks can still exist if attackers already located and leveraged another exploitable target on the victim network. CISA has also added this vulnerability to their KEV catalog, with a BOD 22-01 due date of June 16th, 2023.
What is the Barracuda Email Security Gateway?
The Barracuda Email Security Gateway (ESG) is offered as a complete email management solution. In addition to traditional email service and management, ESGs provide security-focused capabilities such as message encryption and email filtering (for catching threats and data exfiltration). ESGs exist as both physical appliances and virtual appliances.
What is the impact?
Barracuda identified a command injection vulnerability (CVE-2023-2868, CVSS score 9.8) that exists in ESG versions 5.1.3.001 through 9.2.0.006. Due to ineffective input sanitization, a specially crafted tar archive file can be sent to vulnerable ESG targets to trigger unauthorized command execution as the ESG user. While Barracuda has made software updates available, the possibility that attackers used exploited ESG targets to pivot to – and potentially establish persistence on – other systems in a victim network is a real threat.
Are updates available?
On May 20th, Barracuda pushed out a fix to all ESGs worldwide. This was followed by a script pushed out on May 21st to “contain the incident and counter unauthorized access methods.” Barracuda continues to push security patches as part of their containment strategy. Owners or admins of Barracuda Email Security Gateway appliances should verify their ESG instances are accepting and applying current updates being sent out by Barracuda, and can also check for indicators of compromise.
How do I find potentially vulnerable Barracuda Email Security Gateways with runZero?
hw:"Barracuda Email Security Gateway"
Results from the above query should be triaged to verify they are running Barracuda’s latest patches.
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable Barracuda devices?
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.