Barracuda Email Security Gateway Vulnerability (CVE-2023-2868)
In a series of recent disclosures, Barracuda Networks has announced a critical vulnerability in its Email Security Gateway (ESG) appliance. The flaw, designated CVE-2023-2868, is severe enough that Barracuda is calling for the immediate replacement of all affected ESG appliances, irrespective of their patch level.
A Vulnerability That Calls for Immediate Action
Discovered on May 19, 2023, the vulnerability lies in a module that scans attachments in incoming emails. It has been exploited to gain unauthorized access to ESG appliances and to execute system commands on them remotely. Based on the evidence currently available, the flaw dates back to October 2022.
In the course of the investigation, malware was found on a subset of appliances, enabling persistent backdoor access. There was also evidence of data exfiltration from some impacted appliances. Barracuda has already alerted the affected customers via the ESG user interface and initiated direct communication.
CVE-2023-2868: The Deep Dive
The vulnerability, CVE-2023-2868, allows remote command injection because user-supplied .tar files are only incompletely validated. Specifically, a remote attacker could craft the filenames inside such an archive so that they are interpolated into a command executed through Perl’s qx operator, leading to execution of an arbitrary system command.
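The validation gap described above, shown from the defender's side as an added example in Python (not Barracuda's code, which is Perl): every member name in a user-supplied tar archive is checked against an allowlist before it goes anywhere near a command line, and the scanner is invoked with an argv list instead of an interpolated shell string. The sample archive, the scanner path and all function names are constructed for illustration.

```python
import io
import os
import re
import tarfile

# Allowlist for attachment names handed to external tooling: a single path
# component of printable ASCII with no shell metacharacters. Anything else is
# rejected before it can reach a command line.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
SHELL_META = set("`$|;&<>()\"'\\ \t\n")


def build_sample_tar() -> bytes:
    """Constructed sample archive (not a real artifact): one benign member, one
    whose name carries backticks, and one that attempts path traversal."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("report.txt", "invoice`cmd`.pdf", "../etc/passwd"):
            data = b"constructed placeholder content"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def triage_member_names(tar_bytes: bytes) -> dict:
    """Classify every member name before any of them is used in a command.
    Returns {'safe': [name, ...], 'rejected': [(name, reason), ...]}."""
    out = {"safe": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            name = member.name
            if "/" in name or "\\" in name or name in ("", ".", ".."):
                out["rejected"].append((name, "path separator or traversal"))
            elif any(c in SHELL_META for c in name):
                out["rejected"].append((name, "shell metacharacter"))
            elif not SAFE_NAME.match(name):
                out["rejected"].append((name, "disallowed character"))
            else:
                out["safe"].append(name)
    return out


def scanner_argv(scanner: str, member_name: str, extract_dir: str) -> list:
    """Build argv for an external scanner, run via subprocess.run(argv) with the
    default shell=False: the filename is one argv element, never interpolated
    into a command string the way Perl's qx would, and is re-checked here."""
    if not SAFE_NAME.match(member_name):
        raise ValueError(f"refusing to scan member {member_name!r}")
    return [scanner, "--", os.path.join(extract_dir, member_name)]
```

Run `triage_member_names(build_sample_tar())` to see the benign name accepted and the other two rejected with a reason; the hypothetical scanner path passed to `scanner_argv` is a placeholder.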
This security issue was used to gain unauthorized access to a subset of ESG appliances. However, Barracuda has confirmed that no other products, including their SaaS email security services, have been affected by this vulnerability.
The Trojan and the Backdoors
The investigation has uncovered a trojanized module named ‘SALTWATER’ for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. The capabilities of SALTWATER include uploading or downloading arbitrary files, executing commands, and providing proxy and tunneling capabilities.
In addition, two other malware variants were identified: ‘SEASPY,’ an x64 ELF persistence backdoor, and ‘SEASIDE,’ a Lua-based module monitoring SMTP HELO/EHLO commands to establish a reverse shell.
Next Steps for Impacted Customers
Impacted customers are being advised to ensure their ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. The use of the compromised ESG appliance should be discontinued, and Barracuda support should be contacted to obtain a new ESG virtual or hardware appliance.
Moreover, it is crucial to rotate all applicable credentials connected to the ESG appliance and review network logs for any of the indicators of compromise (IOCs) listed by Barracuda.
Get the IOC dataset via the official Barracuda website.