Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Multiple D-Link D-View Vulnerabilities
May 26, 2023Rewterz Threat Advisory – CVE-2023-33234 – Apache Airflow CNCF Kubernetes Provider Vulnerability
May 29, 2023
Severity
High
Analysis Summary
An email protection and network security services provider has issued a warning regarding a zero-day vulnerability that has been exploited to compromise their Email Security Gateway (ESG) appliances. According to Barracuda, their security solutions are utilized by over 200,000 organizations worldwide. This customer base includes a range of companies, including high-profile organizations such as Samsung, Mitsubishi, Kraft Heinz, and Delta Airlines.
The zero-day vulnerability tracked as CVE-2023-2868 is classified as a remote code injection vulnerability. It affects Barracuda Email Security Gateway appliances running versions 5.1.3.001 through 9.2.0.006. Remote code injection vulnerabilities allow attackers to execute arbitrary code on a targeted system.
Barracuda Email Security Gateway (ESG) appliances is rooted in a component responsible for screening the attachments of incoming emails.
According to the advisory from the National Institute of Standards and Technology’s (NIST) National Vulnerability Database, the vulnerability is attributed to a failure to adequately sanitize the processing of .tar files (tape archives). This suggests that the issue lies in the handling or processing of .tar file attachments within the component responsible for screening incoming emails. Sanitization refers to the process of removing or neutralizing potentially malicious or harmful elements from data or files. In this case, the failure to properly sanitize .tar files could allow attackers to exploit the vulnerability and potentially execute malicious code or carry out unauthorized actions.
‘The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product’
Barracuda identified the vulnerability in the component responsible for screening email attachments on May 19, 2023. In response, the company promptly deployed a patch to address the issue across all Barracuda Email Security Gateway (ESG) devices worldwide on May 20. Additionally, as part of their containment strategy, a second fix was released on May 21.
“Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances,” they said.
According to Barracuda, their investigation into the compromised appliances was limited to the Email Security Gateway (ESG) product. Barracuda advised affected customers to conduct a thorough review of their environments to ensure that the attackers did not gain access to other devices on their network.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the remote code injection vulnerability affecting ESG appliances to its Known Exploited Vulnerabilities (KEV) catalog. CISA has specifically urged federal agencies to apply the necessary fixes for the vulnerability by June 16, 2023. This highlights the urgency of mitigating the risk associated with the vulnerability within the given timeframe.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
It is crucial for organizations using Barracuda Email Security Gateway appliances to address this vulnerability promptly. They should follow the guidance provided by Barracuda, including applying any available patches or updates that address the issue. Additionally, organizations should monitor official communications and advisories from Barracuda and consider implementing additional security measures to mitigate the risk associated with the vulnerability until it is fully resolved.
Impact
- Unauthorized Access
- Compromised Email Security
- Data Breach
Remediation
- Refer to this Barracuda link for patch, upgrade or suggested workaround information.
- Also, to remediate the zero-day vulnerability exploited to breach Barracuda Email Security Gateway (ESG) appliances, the following steps should be taken:
- Apply Patches and Updates: Barracuda has released patches and updates to address the vulnerability. It is crucial to promptly apply these patches to all affected ESG appliances within your organization. Follow the instructions provided by Barracuda to ensure the correct installation and configuration of the updates.
- Conduct a Security Assessment: Perform a thorough security assessment of the affected ESG appliances and the surrounding network infrastructure. This assessment should help identify any signs of compromise or unauthorized access. Review logs, access controls, and other relevant indicators to ensure that the vulnerability has not been exploited further or resulted in any additional breaches.
- Review Access Controls and Permissions: Assess and review the access controls and permissions configured on the Barracuda ESG appliances. Ensure that only authorized personnel have access to the devices and that proper authentication mechanisms are in place. Consider implementing multi-factor authentication (MFA) to enhance security.
- Monitor Network Traffic: Deploy network monitoring and intrusion detection systems to actively monitor network traffic for any suspicious activity or signs of compromise. Monitor outgoing traffic for any attempts to exfiltrate data or establish unauthorized connections. This can help identify and respond to any ongoing or future attacks.
- Enhance Email Security Measures: Review and update your email security measures beyond the Barracuda ESG appliances. Implement robust spam filters, antivirus software, and email content filtering to detect and block malicious emails and attachments. Educate employees about email security best practices, such as avoiding opening suspicious emails or clicking on unknown links.
- Stay Informed and Follow Best Practices: Continuously monitor official communications from Barracuda regarding the vulnerability and any further recommendations or updates. Stay informed about the latest cybersecurity best practices and ensure that your organization follows them to maintain a strong security posture.
- Incident Response and Recovery: Develop an incident response plan that outlines the steps to be taken in case of a security incident. This plan should include procedures for containing the breach, investigating the impact, notifying affected parties, and recovering affected systems.