Attackers have exploited a critical zero-day vulnerability in Barracuda’s Email Security Gateway Appliance (ESG), allowing them to inject commands remotely over the network. Barracuda has since distributed updates intended to address the situation. According to the developers, the vulnerability lies in the processing of .tar archives: the file names contained in an archive were insufficiently sanitised and were passed directly into Perl scripts. By crafting such file names, attackers were able to inject system commands that executed with the privileges of the ESG software, a “critical” risk rated 9.4 on the Common Vulnerability Scoring System (CVSS) scale (CVE-2023-2868).
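The defensive counterpart of the flaw described above is to treat every member name in an incoming archive as untrusted input and reject it before it reaches any script or shell. The following is an added example, not Barracuda's code and not the patched ESG logic: it builds a constructed in-memory .tar archive containing both benign and hostile member names, audits each name against an allowlist (plus a few explicit reasons so the report is readable), and returns the rejected names. The function and variable names are assumptions made for this illustration.

```python
import io
import re
import tarfile
from typing import Dict, Optional

# Allowlist for member names: a relative path made of alphanumerics, dot,
# dash, underscore and forward slash. Anything else is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")

# Characters a shell would interpret; listed only so rejections carry a reason.
SHELL_METACHARS = set(";|&$`\"'()<>\n\t ")


def classify_member_name(name: str) -> Optional[str]:
    """Return None if the archive member name is acceptable, else a short reason."""
    if not name:
        return "empty name"
    if name.startswith("/"):
        return "absolute path"
    if any(part == ".." for part in name.split("/")):
        return "path traversal component"
    bad = sorted(c for c in name if c in SHELL_METACHARS)
    if bad:
        return "shell metacharacters " + repr("".join(bad))
    if not SAFE_NAME.match(name):
        return "character outside allowlist"
    return None


def audit_tar(data: bytes) -> Dict[str, str]:
    """Open a tar archive from bytes; return {member_name: reason} for every rejected member."""
    findings: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            reason = classify_member_name(member.name)
            if reason is not None:
                findings[member.name] = reason
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real attachment) mixing benign and hostile names."""
    names = [
        "report.txt",        # benign
        "docs/readme.md",    # benign, relative subdirectory
        "../escape.txt",     # path traversal
        "/abs.txt",          # absolute path
        "a;b.txt",           # shell command separator
        "$(x).log",          # shell command substitution
        "sp ace.txt",        # whitespace would split an unquoted argument
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_sample_archive()).items():
        print(f"rejected {name!r}: {reason}")
```

The allowlist check alone would reject every hostile name here; the earlier branches exist only so that an operator reading the audit output sees why a name was dropped. Rejecting the whole archive on the first finding, rather than skipping individual members, is the simpler policy for a mail gateway.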
Barracuda has pushed the updates automatically to all affected ESG appliances worldwide. The company first issued a security patch on Saturday, the day after discovering the vulnerability, and followed it with a second update on Sunday to fully contain the problem. However, the investigation has revealed that several ESG appliances had already been attacked and that the criminals had gained access to them.
Where specific ESG appliances have been identified as affected, IT analysts have placed instructions in the appliance interface telling users which measures to take. Barracuda has also contacted these customers, advising them to undertake a full examination of their IT environment to determine how far the cybercriminals have spread. IT leaders should check their ESG appliances thoroughly for warnings and ensure the updates have been applied correctly.