Rewterz Threat Update – Barracuda Issues Warning Regarding Zero-Day Exploitation to Breach Email Security Gateway (ESG) Appliances

Severity

High

Analysis Summary

An email protection and network security services provider has issued a warning regarding a zero-day vulnerability that has been exploited to compromise their Email Security Gateway (ESG) appliances. According to Barracuda, their security solutions are utilized by over 200,000 organizations worldwide. This customer base includes a range of companies, including high-profile organizations such as Samsung, Mitsubishi, Kraft Heinz, and Delta Airlines. 

The zero-day vulnerability tracked as CVE-2023-2868 is classified as a remote code injection vulnerability. It affects Barracuda Email Security Gateway appliances running versions 5.1.3.001 through 9.2.0.006. Remote code injection vulnerabilities allow attackers to execute arbitrary code on a targeted system.

Barracuda Email Security Gateway (ESG) appliances is rooted in a component responsible for screening the attachments of incoming emails. 

According to the advisory from the National Institute of Standards and Technology’s (NIST) National Vulnerability Database, the vulnerability is attributed to a failure to adequately sanitize the processing of .tar files (tape archives). This suggests that the issue lies in the handling or processing of .tar file attachments within the component responsible for screening incoming emails. Sanitization refers to the process of removing or neutralizing potentially malicious or harmful elements from data or files. In this case, the failure to properly sanitize .tar files could allow attackers to exploit the vulnerability and potentially execute malicious code or carry out unauthorized actions.

‘The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product’

Barracuda identified the vulnerability in the component responsible for screening email attachments on May 19, 2023. In response, the company promptly deployed a patch to address the issue across all Barracuda Email Security Gateway (ESG) devices worldwide on May 20. Additionally, as part of their containment strategy, a second fix was released on May 21.

“Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances,” they said.

According to Barracuda, their investigation into the compromised appliances was limited to the Email Security Gateway (ESG) product. Barracuda advised affected customers to conduct a thorough review of their environments to ensure that the attackers did not gain access to other devices on their network. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the remote code injection vulnerability affecting ESG appliances to its Known Exploited Vulnerabilities (KEV) catalog. CISA has specifically urged federal agencies to apply the necessary fixes for the vulnerability by June 16, 2023. This highlights the urgency of mitigating the risk associated with the vulnerability within the given timeframe.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.

It is crucial for organizations using Barracuda Email Security Gateway appliances to address this vulnerability promptly. They should follow the guidance provided by Barracuda, including applying any available patches or updates that address the issue. Additionally, organizations should monitor official communications and advisories from Barracuda and consider implementing additional security measures to mitigate the risk associated with the vulnerability until it is fully resolved.

Impact

• Unauthorized Access
• Compromised Email Security
• Data Breach

Remediation

• Refer to this Barracuda link for patch, upgrade or suggested workaround information.
• Also, to remediate the zero-day vulnerability exploited to breach Barracuda Email Security Gateway (ESG) appliances, the following steps should be taken:
• Apply Patches and Updates: Barracuda has released patches and updates to address the vulnerability. It is crucial to promptly apply these patches to all affected ESG appliances within your organization. Follow the instructions provided by Barracuda to ensure the correct installation and configuration of the updates.
• Conduct a Security Assessment: Perform a thorough security assessment of the affected ESG appliances and the surrounding network infrastructure. This assessment should help identify any signs of compromise or unauthorized access. Review logs, access controls, and other relevant indicators to ensure that the vulnerability has not been exploited further or resulted in any additional breaches.
• Review Access Controls and Permissions: Assess and review the access controls and permissions configured on the Barracuda ESG appliances. Ensure that only authorized personnel have access to the devices and that proper authentication mechanisms are in place. Consider implementing multi-factor authentication (MFA) to enhance security.
• Monitor Network Traffic: Deploy network monitoring and intrusion detection systems to actively monitor network traffic for any suspicious activity or signs of compromise. Monitor outgoing traffic for any attempts to exfiltrate data or establish unauthorized connections. This can help identify and respond to any ongoing or future attacks.
• Enhance Email Security Measures: Review and update your email security measures beyond the Barracuda ESG appliances. Implement robust spam filters, antivirus software, and email content filtering to detect and block malicious emails and attachments. Educate employees about email security best practices, such as avoiding opening suspicious emails or clicking on unknown links.
• Stay Informed and Follow Best Practices: Continuously monitor official communications from Barracuda regarding the vulnerability and any further recommendations or updates. Stay informed about the latest cybersecurity best practices and ensure that your organization follows them to maintain a strong security posture.
• Incident Response and Recovery: Develop an incident response plan that outlines the steps to be taken in case of a security incident. This plan should include procedures for containing the breach, investigating the impact, notifying affected parties, and recovering affected systems.