Barracuda email security appliances hacked via zero-day vulnerability (CVE-2023-2868)
2023-05-25 09:50

A vulnerability in Barracuda Networks' Email Security Gateway appliances has been exploited by attackers, the company has warned.

CVE-2023-2868 is a critical remote command injection vulnerability affecting only physical Barracuda Email Security Gateway appliances, versions 5.1.3.001 - 9.2.0.006.

"The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file. [It] stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product," says the official CVE listing.

The company identified the vulnerability on May 19, 2023, and pushed a patch to all ESG appliances worldwide on May 20, 2023.

"As part of our containment strategy, all ESG appliances have received a second patch on May 21, 2023. Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers," the company said, but did not explain what the second patch does.

Reddit users on the sysadmin subreddit have lamented the vagueness of the public alert and one of them shared the email sent by Barracuda's support team, in which it advised customers to rotate any credentials connected to the ESG appliance: LDAP, AD, Barracuda Cloud Control, FTP and SMB credentials, as well as any private TLS certificates.


News URL

https://www.helpnetsecurity.com/2023/05/25/cve-2023-2868/

Related Vulnerability

DATE: 2023-05-24
CVE: CVE-2023-2868
VULNERABILITY TITLE: Command Injection vulnerability in Barracuda products
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions 5.1.3.001-9.2.0.006.
RISK: network, low complexity, barracuda CWE-77, critical, 9.8

Related vendor

VENDOR: Barracuda
#/PRODUCTS: 19
LOW: 0
MEDIUM: 2
HIGH: 4
CRITICAL: 5
TOTAL VULNS: 11