Barracuda Networks is facing a massive problem with its email security products. All impacted ESG appliances must be replaced, including those belonging to customers who had already installed the patch Barracuda released earlier.
Email Security Gateway (ESG) appliances from Barracuda may be affected by vulnerability CVE-2023-2868, which enables a remote command injection attack. Barracuda identified the vulnerability on May 19, 2023; it affects ESG appliance versions 5.1.3.001 through 9.2.0.006. Barracuda's SaaS email security services are reported to be unaffected.
Impacted ESG appliances should be replaced. The company puts it to its customers bluntly: “Impacted ESG appliances must be immediately replaced regardless of patch version level.”
Barracuda notifies owners of impacted ESG devices through a notification in the appliance's user interface or via a Barracuda Technical Support Representative. Customers with questions are asked to contact Barracuda at the email address firstname.lastname@example.org.
Barracuda is investigating the causes of the problem together with Mandiant. The preliminary investigation has already identified the root cause: “The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive.” An attacker can therefore craft the names of files inside a .tar attachment so that, when the appliance processes the archive, the name is interpreted as part of a system command. That command runs with the privileges of the ESG product itself, so the attacker inherits whatever rights the appliance has.
In short, the vulnerability enables a command injection attack: attacker-controlled input reaches an operating-system command interpreter unsanitized, so the attacker can make the application execute arbitrary commands. In most cases this class of bug results from insufficient input validation, which is also the case at Barracuda.
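To make the bug class in the two paragraphs above concrete, here is an added illustration written for this page. It is not Barracuda's code (which has not been published) and uses Python rather than whatever the appliance itself runs; the in-memory archive, the member names and the harmless `echo` standing in for a scanner command are all constructed here. The vulnerable function interpolates each .tar member name into a shell command line, exactly the pattern the advisory describes; the hardened function allow-lists the name and never hands it to a shell.

```python
import io
import re
import subprocess
import tarfile

# Constructed sample input: one benign member and one whose name carries shell metacharacters.
BENIGN = "report.pdf"
HOSTILE = "report.pdf; echo INJECTED"


def build_tar(names):
    """Build an in-memory .tar whose members have the given names (test data, constructed here)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"dummy"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(tar_bytes):
    """Return the member names exactly as stored in the archive (attacker-controlled)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers()]


def scan_vulnerable(tar_bytes):
    """Anti-pattern: the member name is pasted into a shell command string.

    `echo scanning <name>` stands in for a hypothetical scanner invocation; because the
    string goes through `sh -c`, a `;` in the name terminates the command and starts another.
    Returns the combined stdout of every command that ran.
    """
    outputs = []
    for name in member_names(tar_bytes):
        cmd = f"echo scanning {name}"  # attacker controls `name`
        res = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
        outputs.append(res.stdout)
    return "".join(outputs)


# Allow-list: must start alphanumeric (blocks a leading '-' being read as an option),
# no '/', no whitespace, no shell metacharacters, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def scan_hardened(tar_bytes):
    """Fixed version: validate the name against an allow-list and invoke the tool
    with an argv list so no shell ever parses it. Returns (stdout, rejected_names)."""
    outputs, rejected = [], []
    for name in member_names(tar_bytes):
        if not SAFE_NAME.fullmatch(name):
            rejected.append(name)
            continue
        res = subprocess.run(["echo", "scanning", name], capture_output=True, text=True)
        outputs.append(res.stdout)
    return "".join(outputs), rejected


if __name__ == "__main__":
    archive = build_tar([BENIGN, HOSTILE])
    print("vulnerable:", repr(scan_vulnerable(archive)))
    print("hardened:  ", scan_hardened(archive))
```

The two defences in the hardened version are independent: the argv list alone already stops the shell from splitting on `;`, and the allow-list alone already rejects the hostile name. Keeping both means a later refactor that reintroduces `shell=True`, or a name that is syntactically safe for one tool but not another, still has a second line of defence. Note that the allow-list also blocks `../` traversal and names beginning with `-`, which would otherwise be parsed as options by the invoked tool.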
What makes the vulnerability at Barracuda so critical is that the attacker needs no physical or network-level access to the device: a crafted email attachment delivered to the gateway is enough, which makes exploitation easy. After exploiting the vulnerability, attackers installed two families of malware on vulnerable devices, “Saltwater” and “SeaSpy”, which could be used to steal sensitive corporate information. They had plenty of time to develop the malware, as the vulnerability had been exploited in the wild for about eight months by the time it was discovered.
Barracuda likes to promote itself as a major player in email security. ESG appliances serve that purpose as a security solution for filtering incoming and outgoing mail traffic that is supposed to keep customer data safe. That it is now urging its customers to remove those devices altogether could put a big dent in its image.
An email security specialist does not make such a call without thoroughly analysing the options. If that analysis concludes that complete replacement is the best option, then patching alone can no longer be considered sufficient.
Incidentally, the company previously seemed confident about patching. A patch was issued on May 20, one day after the vulnerability was found, and pushed to all ESG devices. On June 6, the company updated its statement: to resolve the problem, customers need to replace the impacted devices.
We asked Barracuda to explain more about the patch’s shortcomings and how the company will compensate affected customers. Barracuda states that it only wants to communicate through official press releases and forwarded us the message.
Barracuda’s last media release was dated June 8. It states that an estimated five percent of active ESG devices contain traces indicating infiltration. “Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.”
According to security researchers at Rapid7, about 11,000 vulnerable ESG devices are still connected to the Internet. In absolute numbers, the extent of the problem becomes more apparent. We also asked how customers could secure their email traffic while the hardware is being replaced, but this question remains unanswered.
Replacing a physical device involves a lot of hardware costs. On cost recovery, the company says, “Barracuda is providing the replacement product to impacted customer at no cost.” It does not say anything about compensation for lost company information or compensation for the labor hours required to replace all hardware.
While the call for complete replacement is drastic, the choice is to the company's credit. That Barracuda is not gambling on a cover-up shows that the company takes its job seriously. For a security specialist, the priority should be securing its customers. Keeping the problem secret for as long as possible could have far greater consequences. After all, who trusts a security specialist that has itself long known about a breach and said nothing?
Security experts and the broader Internet do not take kindly to companies giving misinformation or keeping things secret. The LastPass incident of late 2022 proved that. How Barracuda further handles the problem with affected customers will shape public opinion from here.