Barracuda warns customers of a zero-day vulnerability exploited to hack ESG appliances
Barracuda Networks has issued a warning to customers about a zero-day vulnerability that has been exploited to hack the company’s Email Security Gateway (ESG) appliances. The zero-day has been tracked as CVE-2023-2868, and was addressed with a patch (BNSF-36456) that has been automatically applied to all impacted appliances.
An entry in NIST’s vulnerability database describes CVE-2023-2868 as a remote command injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006 of the Barracuda ESG appliance.
“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the advisory explains.
Barracuda said the zero-day was discovered on May 19 and a patch was rolled out to all ESG appliances the next day. A second fix was released on May 21 that the company described as its ‘containment strategy’.
“The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability,” the company noted.
Barracuda’s ongoing investigation showed that “the vulnerability resulted in unauthorized access to a subset of email gateway appliances”.
Users who have been impacted have been notified through the ESG user interface and provided with instructions on the actions they need to take.
“Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take,” Barracuda recommended.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.