Barracuda Networks Patches Zero-day Vulnerability In Email Security Gateway Appliance
- Barracuda Networks swiftly identified and patched a vulnerability (CVE-2023-2868) in its Email Security Gateway appliance (ESG) on May 20, 2023, just a day after discovery. The flaw allowed unauthorized access to a subset of appliances, prompting a secondary patch on May 21.
- While the investigation remains ongoing, impacted users have been notified with instructions on necessary actions. Barracuda is urging customers to review their environments for additional steps they might need to take, with updates provided on the company’s product status page and Trust Center.
Barracuda Networks has discovered and patched a significant vulnerability in its Email Security Gateway appliance (ESG) this week. The cyber defense company acknowledged the existence of this vulnerability, tracked as CVE-2023-2868, on May 19, 2023.

The security issue was located within a module that screens the attachments of incoming emails on ESG appliances. The flaw was patched for all ESG appliances worldwide just a day after its detection, on Saturday, May 20, 2023. Importantly, no other Barracuda products, including its SaaS email security services, were affected by this vulnerability.
According to the company’s incident report, the vulnerability allowed unauthorized access to a subset of email gateway appliances. Barracuda took immediate steps to investigate the issue, and a secondary patch was released on May 21, 2023, as part of its containment strategy.
Barracuda has informed users with impacted appliances, providing notification via the ESG user interface regarding the necessary actions. Additionally, the company has reached out to affected customers directly.
The investigation is ongoing as the company continues to monitor the situation. Barracuda has expressed commitment to transparent communication throughout this process and will share updates on its product status page and Trust Center, along with direct outreach to impacted customers.
While the investigation focused specifically on the ESG product, Barracuda is urging affected customers to review their specific environments to determine any additional actions they might need to take. The objective is to ensure that customers can effectively respond to any potential impacts resulting from this vulnerability.
About CVE-2023-2868
CVE-2023-2868 is a remote command injection vulnerability in the Barracuda Email Security Gateway (ESG) appliance. The vulnerability exists in the way that the ESG handles tar files. An attacker could exploit it by sending a specially crafted tar file to the ESG appliance. When the appliance opens the tar file, it executes any commands contained in the file. This could allow an attacker to take control of the ESG appliance and execute arbitrary commands on the underlying operating system.
The vulnerability was discovered by security researcher Kevin Beaumont. Barracuda has released a patch for the vulnerability. Users are advised to apply the patch as soon as possible.
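The following is an added example, not code from Barracuda or from the original article. The public CVE description places the flaw in incomplete validation of the file names inside a user-supplied .tar archive, so this sketch screens member names from the archive headers without extracting anything; the function names and sample names are constructed for illustration.

```python
import io
import tarfile

# Characters a POSIX shell treats specially. A member name containing any of
# them must never be interpolated into a command string.
SHELL_META = set("`$;&|<>(){}[]\\'\"*?!~\n\r")


def suspicious_members(tar_bytes):
    """Return [(name, [reasons])] for members whose names look unsafe.

    Only the archive headers are read; nothing is extracted or executed.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        for member in archive:
            reasons = []
            if any(ch in SHELL_META for ch in member.name):
                reasons.append("shell metacharacter")
            if member.name.startswith("/") or ".." in member.name.split("/"):
                reasons.append("path traversal")
            if reasons:
                findings.append((member.name, reasons))
    return findings


def build_sample(names):
    """Build an in-memory tar of empty files (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in names:
            archive.addfile(tarfile.TarInfo(name=name))
    return buf.getvalue()


# Constructed sample names; the backtick name only carries a harmless marker.
CONSTRUCTED_NAMES = [
    "report.pdf",
    "notes/readme.txt",
    "invoice`echo marker`.txt",
    "../outside.txt",
]

if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample(CONSTRUCTED_NAMES)):
        print(f"{name!r}: {', '.join(reasons)}")
```

Any code that must hand archive member names to an external tool should pass them as separate argument-vector elements rather than building a shell command string.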