Barracuda Advises Full Replacement of Email Security Gateway - Total Compromise

  • Barracuda Networks urges customers to fully replace Email Security Gateway (ESG) appliances after discovering a severe vulnerability that allowed attackers persistent backdoor access, and has offered to provide replacements at no additional cost.
  • The vulnerability, which affected about 5% of ESG appliances worldwide, was exploited by what experts believe to be state actors who corrupted the firmware, making the malware exceptionally persistent and stealthy; Barracuda recommends customers also rotate any credentials connected to the compromised appliances.

Cybersecurity company Barracuda Networks has urged its customers to replace Email Security Gateway (ESG) appliances following the discovery of a severe vulnerability. The flaw, detected in mid-May, affected the software component responsible for screening email attachments for malware.


The company first learned of unusual traffic originating from its ESG devices on May 18, and consequently enlisted the incident response firm Mandiant to investigate. A day later, Barracuda acknowledged that the malicious traffic exploited a hitherto unknown vulnerability in its ESG appliances. On May 20, Barracuda promptly issued a patch for the vulnerability, which is tracked as CVE-2023-2868.

However, in a surprising development, Barracuda updated its security advisory on June 6, recommending wholesale replacement rather than patching of the compromised ESG appliances. The advisory stressed the immediate replacement of affected units irrespective of the patch version.

Barracuda assured customers that replacements would be provided at no additional cost. “No other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability,” the company clarified in a statement. According to Barracuda, an ESG appliance that displays a notification in its user interface should be treated as compromised.

Though only approximately 5% of active ESG appliances worldwide were affected as of June 8, 2023, Barracuda is advising replacement as a precautionary measure, citing evidence of persistent malware activity despite patch deployment.

Caitlin Condon from Rapid7 described the shift from patching to replacing devices as “fairly stunning”. She mentioned that nearly 11,000 vulnerable ESG devices are still connected to the internet globally. The replacement advisory implies that the malware deployed by the threat actors might achieve persistence at such a level that even wiping the device could not remove it, according to Condon.

Barracuda identified the malware on certain appliances and noted that it granted attackers persistent backdoor access. There were also instances of data exfiltration.

Nicholas Weaver, a researcher at the University of California, Berkeley’s International Computer Science Institute, posited that the malware might have corrupted the firmware of the ESG devices. “That’s not a ransomware actor, that’s a state actor,” he said, explaining that the depth of access and the stealthiness points to sophisticated actors rather than those behind ransomware.

In addition to appliance replacements, Barracuda has urged ESG customers to rotate any credentials connected to the appliances and search for indicators of compromise dating back to October 2022.

This incident highlights the critical nature of network security and the extent to which vulnerabilities can be exploited by malicious actors. The proactive steps taken by Barracuda aim to mitigate further exploitation and protect customer data.

About CVE-2023-2868

CVE-2023-2868 is a critical vulnerability identified by Barracuda Networks in its Email Security Gateway appliances, affecting multiple ESG versions. Discovered on May 19, 2023, the vulnerability is caused by inadequate input validation of file names within .tar archives, allowing a remote attacker to exploit the flaw and execute system commands via Perl’s qx operator. These commands run with the privileges of the Email Security Gateway product. Barracuda’s investigation revealed that the vulnerability had been exploited by a third party to gain unauthorized access to a subset of its ESG appliances.
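The bug class described above is command injection that stems from trusting attacker-controlled archive member names. The following Python example is added here for illustration (it is not Barracuda code and does not describe ESG internals); it audits a .tar archive's member names against a strict allow-list before any name could reach a shell-executing call, using a sample archive constructed inline.

```python
from __future__ import annotations

import io
import re
import tarfile

# Allow-list for member names: letters, digits, dot, underscore, slash, dash.
# Anything else (spaces, quotes, ;, |, $, backticks, ...) is rejected outright,
# so a name can never smuggle shell syntax into a later command string.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def member_name_is_safe(name: str) -> bool:
    """Return True only if a tar member name passes every structural check."""
    if not name or not SAFE_NAME.match(name):
        return False  # contains a character outside the allow-list
    if name.startswith("/") or name.startswith("-"):
        return False  # absolute path, or a name a tool might parse as an option
    if any(part in ("..", "") for part in name.split("/")[:-1]):
        return False  # parent-directory traversal or empty path component
    return True


def audit_tar(data: bytes) -> list[str]:
    """Return the names of members that fail validation, extracting nothing."""
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member_name_is_safe(member.name):
                rejected.append(member.name)
    return rejected


def build_sample_tar(names: list[str]) -> bytes:
    """Constructed sample archive for this demonstration (not real mail data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Two benign names, one traversal attempt, one name carrying a shell separator.
    sample = build_sample_tar(
        ["invoice.pdf", "docs/report.txt", "../../etc/passwd", "report;ls.pdf"]
    )
    print("rejected members:", audit_tar(sample))
```

Even a validated name should be handed to a scanner as a separate argv element rather than interpolated into a shell string, since the allow-list is a second line of defence, not a substitute for avoiding shell interpolation.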