Thursday, 08 June 2023 12:33

Barracuda Email Security Gateway Appliances that were Exploited due to Zero-Day Must Be Replaced, not Patched

Written by

Reading time is around minutes.

After the disclosure of a serious Zero-Day that allowed an unauthenticated user to basically own the device. Barracuda is now saying that remediation action for any device that was compromised is a full replacement regardless of the firmware version. It seems that once an attacker gets their malware into the device, it is done. There is not a clean way to remove it and simply patching it does not disable the control that the attacker has on the device. It also seems that at factory resent does not clear it out.

Barracuda announced the vulnerability which allowed for the compromise of the appliance version of their email security gateway in May of 2023 along with patches to prevent infection on the 20th and 21st of May. The vulnerability (Tracked as CVE-2023-2868) is a code injection flaw that exists in a module used to screen attachments. The module had an incomplete input validation on the scanner. This allowed an attacker to send a properly named tar file to the device which in turn would be executed by Perl on the system with elevated privileges. The attack pattern was identified on May 18th, but attackers have been aware of the flaw since at least October of 2022.

With this code injection vulnerability, a number of Email Security Gateways were infected with Malware allowing for different levels of control over the appliance including data exfiltration of systems settings and email that passed through the gateway. The level of access that the attackers have is as concerning as is the fact that the malware is so embedded that you need to replace the appliance (physical or virtual) to get rid of it.

Barracuda’s official site lists an extended set of IOCs and YARA rules to allow for detection of a compromised appliance. If you are using one of these, we highly recommend making sure you are not compromised using the IOC available. If your appliance is clean, get it patched as quickly as possible, so you are not left in a vulnerable state and waiting on a new appliance. If you are compromised, Barracuda advises that you stop using the compromised appliance immediately. You should also change credentials for any LDAP/AD connections, FTP server connections, SMB accounts, Barracuda Cloud Control accounts and any Certificates in use on the appliance.

Read 521 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.