Barracuda’s Zero-Day Vulnerability: Strengthening Email Gateway Security

Barracuda, the enterprise security company, disclosed on Tuesday, May 30, 2023 that threat actors have been exploiting a zero-day vulnerability in its Email Security Gateway (ESG) appliances, for which it had released patches earlier that month. Exploitation dates back to at least October 2022 and was used to install backdoors on the affected devices.

The critical vulnerability, tracked as CVE-2023-2868 (CVSS score: 9.8), had therefore been actively exploited for at least seven months before it was detected.

Barracuda identified the flaw on May 19, 2023. It affects ESG versions 5.1.3.001 through 9.2.0.006 and allows a remote attacker to execute arbitrary code on a vulnerable appliance. Barracuda released patches on May 20 and May 21.

Understanding Email Security Gateways:

An email security gateway is a software or hardware solution that protects email systems from threats and ensures the security and availability of email communications. It acts as a gatekeeper between the internet and an organization’s email infrastructure, filtering incoming and outgoing email traffic to identify and mitigate potential risks. Key features include spam and phishing protection, antivirus and malware scanning, content filtering, data loss prevention, encryption and secure communications, authentication and identity verification, and reporting and auditing. By implementing an email security gateway, organizations can enhance email system security, protect against various threats, and ensure compliance with regulations.

Barracuda’s investigation was limited to the ESG product itself, not to customers’ wider corporate networks. Affected organizations are therefore advised to review their own environments to determine whether the threat actors moved beyond the appliance to other devices on the network.

In addition to the ESG vulnerability, Barracuda also addressed a login issue with Email Gateway Defense (EGD) appliances and a spam scoring rule that caused incorrect blocking of customer emails.

Barracuda’s enterprise-grade security solutions are trusted by more than 200,000 organizations globally, including prominent companies like Samsung, Mitsubishi, Kraft Heinz, and Delta Airlines.

The vulnerability, CVE-2023-2868, affects the appliance form factor of the Barracuda Email Security Gateway. It is a remote command injection caused by insufficient sanitization of .tar files: when the appliance processes a user-supplied .tar archive (one delivered as an email attachment is enough to reach this code), the names of the files inside the archive are not fully validated, and a specially formatted file name causes system commands to be executed through Perl’s qx operator with the privileges of the Email Security Gateway product.
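
The mechanism described above, as an added example that is not Barracuda’s code or the ESG source: Python’s subprocess stands in for Perl’s qx, the archive and its member names are constructed here, and the "scan" command is a harmless echo so that the injection is visible without doing damage. The vulnerable handler splices the member name into a shell string; the hardened one allowlists the name and passes it as a single argv element with no shell. The 100-character limit mirrors the classic ustar name field and is an assumption of this example.

```python
"""
Added example (not Barracuda's code): the bug class behind CVE-2023-2868.
A tar member name is attacker-controlled data; interpolating it into a
shell command (Perl qx, Python shell=True) turns it into code.
"""
import io
import re
import subprocess
import tarfile

MAX_MEMBER_NAME = 100  # classic ustar name field length (assumption for the allowlist)

# Constructed inputs: a benign name and one that closes the single quotes.
BENIGN_NAME = "report.txt"
MALICIOUS_NAME = "a'; echo INJECTED; echo '"


def build_tar(member_names):
    """Build an in-memory .tar whose member names are attacker-controlled."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()


def vulnerable_scan(tar_bytes):
    """Vulnerable pattern: the member name is spliced into a shell string.

    Illustrative Perl equivalent (not the ESG source):  qx(echo scanning '$name')
    Wrapping the name in '...' is not sanitization: a name containing a quote
    closes it and the rest of the name runs as further shell commands.
    """
    outputs = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            cmd = f"echo scanning '{member.name}'"
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            outputs.append(result.stdout)
    return outputs


SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_member_name(name):
    """Allowlist: relative path, no empty/./.. segments, no shell metacharacters."""
    if not name or len(name) > MAX_MEMBER_NAME or name.startswith("/"):
        return False
    for segment in name.split("/"):
        if segment in ("", ".", "..") or not SAFE_SEGMENT.match(segment):
            return False
    return True


def hardened_scan(tar_bytes):
    """Hardened handler: reject names outside the allowlist, never use a shell."""
    outputs = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            if not is_safe_member_name(member.name):
                raise ValueError(f"rejected tar member name: {member.name!r}")
            # argv list, no shell: the name is one argument and metacharacters are inert
            result = subprocess.run(["echo", "scanning", member.name],
                                    capture_output=True, text=True)
            outputs.append(result.stdout)
    return outputs


if __name__ == "__main__":
    print("vulnerable:", vulnerable_scan(build_tar([MALICIOUS_NAME])))
    try:
        hardened_scan(build_tar([MALICIOUS_NAME]))
    except ValueError as exc:
        print("hardened:", exc)
```

Run stand-alone, the vulnerable path prints an extra INJECTED line for the crafted name, while the hardened path refuses the archive before any command runs. The two fixes are independent: the argv form alone would already make the quote and semicolon inert, and the allowlist alone would already reject the name; applying both is the usual defence in depth, and it matters because, as on the appliance, whatever the injected command does it does with the privileges of the scanning process.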

Insights on the Malware:

To date, three malware families have been identified on appliances compromised through the vulnerability:

  1. SALTWATER: A trojanized module for the Barracuda SMTP daemon (bsmtpd). It can upload or download arbitrary files, execute commands, and proxy and tunnel malicious traffic in order to evade detection.
  2. SEASPY: An x64 ELF backdoor that provides persistence and is activated by a magic packet.
  3. SEASIDE: A Lua-based module for bsmtpd that monitors incoming SMTP HELO/EHLO commands for an attacker-supplied command-and-control (C2) address and port, then establishes a reverse shell to it. This gives the attackers unauthorized remote access to the affected system.

CVE-2023-2868 impact:

  • A subset of ESG (Email Security Gateway) appliances was accessed without authorization through exploitation of CVE-2023-2868.
  • A subset of those appliances was found to be infected with malware that provided persistent backdoor access.
  • Evidence of data exfiltration was discovered on a portion of the affected appliances.

Remediation:

  1. The security patch that resolves the vulnerability was applied globally to all ESG (Email Security Gateway) appliances.
  2. Because patching closes the entry point but does not remove a backdoor installed before the patch, a containment script was deployed to all affected appliances to cut off the attackers’ unauthorized access methods.
  3. Barracuda is also deploying a series of further security patches to all appliances as part of its ongoing containment strategy.
  4. Barracuda has proactively notified users whose appliances are believed to have been affected. Notifications were delivered through the ESG user interface, outlining the actions to be taken, and Barracuda has also contacted these customers directly with relevant information and assistance.
  5. Operators should implement comprehensive monitoring and analysis of email traffic patterns to identify unusual or suspicious activity.
  6. Operators should forward email gateway logs to a security information and event management (SIEM) system and correlate them with other security events, enabling proactive threat detection and response.