Vendor Barracuda is warning of a 0-day vulnerability in its Email Security Gateway Appliance (ESG) that was discovered on May 19, 2023, following an attack. The vendor has since released security updates to close this vulnerability on the affected appliances on May 20 and 21, 2023. Those who use Barracuda's products and were affected should have received notification via the appliances' interface.
Barracuda published this article on the CVE-2023-2868 vulnerability in its Email Security Gateway Appliance (ESG). I became aware of the issue via the following tweet from colleagues at Bleeping Computer.
A remote command injection vulnerability, CVE-2023-2868, was discovered in Barracuda's Email Security Gateway Appliance (ESG) on May 19, 2023. The vulnerability lies in the insufficient validation of .tar files (tape archive files) when the file names are read. As a result, an attacker can format these file names in a specific way that results in a system command being executed remotely via Perl's qx operator with the privileges of the Email Security Gateway product.
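The following added example is not Barracuda's code and not part of the advisory. It shows a defensive pre-check that reads the member names of a .tar archive and flags any name that falls outside a strict allowlist or starts with a dash, before the names are handed to other tooling. The allowlist, the function names and the sample file names are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Assumed allowlist: letters, digits and a few punctuation characters.
# Backticks, quotes, $, ;, |, &, newlines and similar are rejected.
SAFE_NAME = re.compile(r"[A-Za-z0-9._/ +=,@-]+")


def suspicious_members(data: bytes) -> list[tuple[str, str]]:
    """Return (name, reason) for every member name that should be rejected."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            name = member.name
            if not SAFE_NAME.fullmatch(name):
                flagged.append((name, "disallowed character"))
            elif name.startswith("-"):
                # A leading dash can be parsed as an option by a CLI tool.
                flagged.append((name, "leading dash"))
    return flagged


def build_sample(names: list[str]) -> bytes:
    """Constructed sample input: an in-memory tar with empty members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info)
    return buf.getvalue()


# Constructed names: two ordinary ones and four that must be flagged.
SAMPLE_NAMES = [
    "docs/report.pdf",
    "notes v2.txt",
    "a`b`.txt",
    "x'y.txt",
    "q$(z).csv",
    "-notes.txt",
]

if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample(SAMPLE_NAMES)):
        print(f"reject {name!r}: {reason}")
```

A name filter like this is defense in depth. The underlying fix for this bug class is to pass file names to external programs as separate arguments without a shell, rather than interpolating them into a command string.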
The affected product is Barracuda Email Security Gateway (appliance form factor only), versions 5.1.3.001 through 9.2.0.006. A security patch to address the vulnerability was applied to all ESG appliances worldwide on May 20, 2023. According to Barracuda, the vulnerability existed in a module that initially scans attachments of incoming emails, and no other products (including SaaS email security services) are affected by this vulnerability.
However, the first patch on Saturday appears to have been insufficient. Barracuda writes that the vulnerability led to unauthorized access to a subset of its email gateway appliances. To secure the affected ESG appliances, a second patch was rolled out to those instances on May 21, 2023. Users whose appliances the vendor believed were affected were notified via the ESG user interface of the action to be taken. Barracuda also reached out to those customers.