Alert essentials:
A critical remote command vulnerability has resulted in Barracuda urging Email Security Gateway (ESG) users to replace affected appliances.

Email Team

Detailed threat description:
After discovering odd traffic from Barracuda gateways, customers contacted Barracuda, which engaged Mandiant to investigate. Mandiant found a critical remote command vulnerability that had been exploited in the wild since October 2022. Customers of the affected products should have been notified by Barracuda.

The vulnerability stems from incomplete input validation of user-supplied .tar files, specifically of the names of the files contained within the archive. Consequently, a remote attacker could craft file names in a particular manner so that a system command is executed remotely through Perl's qx operator with the privileges of the Email Security Gateway product. The flaw is in the software that screens email attachments for malicious code. A patch was pushed to devices on May 30th, and a script to contain the incident was deployed to all affected devices the following day.
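As an added illustration (not Barracuda's or Mandiant's code), the Python check below shows the kind of allow-list validation on archive member names that the description above says was incomplete: every member name of a .tar file is rejected if it contains shell metacharacters, an absolute path or a ".." segment, before the archive is handed to any further processing. The sample archive is constructed in memory; the member names in it are made up for the example.

```python
import io
import re
import tarfile

# Allow-list for one path segment: letters, digits, dot, dash, underscore, space.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._ -]+$")
# Characters that must never reach a shell-facing call such as Perl's qx.
SHELL_META = set("`$|;&<>(){}\"'\\\n\r\t")


def member_name_is_safe(name: str) -> bool:
    """Return True only if a tar member name passes the allow-list."""
    if not name or len(name) > 255:
        return False
    if any(ch in SHELL_META for ch in name):
        return False
    if name.startswith("/"):
        return False
    segments = name.split("/")
    # Empty segment ("a//b") and ".." (path traversal) are rejected as well.
    return all(seg not in ("", "..") and SAFE_SEGMENT.fullmatch(seg) for seg in segments)


def unsafe_members(tar_bytes: bytes) -> list[str]:
    """Names of all members of an uncompressed .tar blob that fail the check."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if not member_name_is_safe(m.name)]


def build_tar(names: list[str]) -> bytes:
    """Constructed sample: an in-memory tar whose members carry the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for n in names:
            data = b"sample"
            info = tarfile.TarInfo(name=n)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed names: two benign, one with a backtick, one with traversal.
    sample = build_tar(["report.pdf", "docs/notes.txt", "a`b`.txt", "../etc/passwd"])
    print(unsafe_members(sample))  # ['a`b`.txt', '../etc/passwd']
```

An archive with any flagged member should be quarantined rather than processed further.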

Soon after the deployment, malware was identified on a subset of Barracuda's appliances, and Barracuda's recommendation changed. Barracuda urges users to replace the appliances regardless of the installed patch version, because the attackers retain persistent backdoor access to the devices. In some cases there was evidence of data exfiltration, and it is suspected that the underlying firmware was corrupted irreversibly.

Impact on healthcare organizations
This vulnerability can result in the exfiltration of patient ePHI and give threat actors ongoing access to the hospital network.

Affected products / versions

  • Versions 5.1.3.001-9.2.0.006
  • At this time, no other Barracuda products are known to have the malware

CVE

  • CVE-2023-2868

Recommendations

Engineering recommendations:

  • Review network logs for any of the IOCs and any unknown IPs
  • Rotate any applicable credentials connected to the ESG appliance:
    • Any connected LDAP/AD
    • Barracuda Cloud Control
    • FTP Server
    • SMB
    • Any private TLS certificates
  • Check logs for signs of compromise dating back to at least October 2022 using the network and endpoint indicators in the link below.

Leadership / program recommendations:

  • Discontinue using the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.
  • Barracuda’s investigation was limited to the ESG product and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: