Published on 31 May 2023 | Updated on 02 Aug 2023
Update as of 16 June:
Users and administrators of Barracuda ESG appliances, or of any other ESG appliances, should adopt hardening measures to protect their networks. These measures aim to restrict internal and external communications and administrative access.
For internal communications, the ESG appliance interface(s) should be configured within a designated VLAN with restricted ingress and egress communications. Only allow-listed communications to defined applications and services should be permitted. At a minimum, the following common protocols and ports should be blocked from the ESG appliance(s), as they could be leveraged for lateral movement:
For outbound communications to external addresses, the ESG appliance(s) should be placed behind a Layer 7 firewall or network filtering appliance to reduce exposure and the potential attack surface. Only the ports and services required by the intended configuration should be externally accessible. Additionally, outbound communications from the ESG appliances should follow a deny-by-default approach, allowing only application-related services. This limits the ability of a potential backdoor or reverse shell on the appliance to call out.
Administrative access to the ESG appliance should be permitted only on an allow-list basis, with no access from the Internet. The management port should be reachable only from pre-defined IP addresses. If API access to the ESG is used for remote administration and configuration, the API password should be rotated regularly and proactively.
Update as of 6 June:
Barracuda Networks has updated its guidance: all compromised Email Security Gateway (ESG) devices need to be replaced regardless of patch version level. Barracuda also stated that affected customers should already have been notified via the ESG user interface (UI). Users and administrators of compromised devices should contact Barracuda Support at support@barracuda.com immediately if their compromised device has not been replaced after they received the notice.
Users and administrators of Barracuda ESG devices that were not compromised and have been updated to the latest versions should contact Barracuda Support at support@barracuda.com to validate that their device is up to date.
Original alert published on 31 May 2023:
Barracuda Networks has released security updates addressing a critical vulnerability (CVE-2023-2868) in its Email Security Gateway appliance.
Successful exploitation of this remote command injection vulnerability could allow a remote attacker to bypass input validation and execute system commands with the privileges of the Email Security Gateway (ESG) appliance. The flaw stems from incomplete input validation of user-supplied tape archive (.tar) files.
The vulnerability affects Barracuda Email Security Gateway versions 5.1.3.001 through 9.2.0.006.
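As an added illustration (this is not Barracuda's code and not part of the original alert), the following Python shows the strict allow-list validation that any service accepting user-supplied .tar files should apply to every member name before the archive is processed further: only relative paths whose components consist of alphanumerics, dot, underscore and hyphen are accepted, so traversal components, absolute paths, link or device entries and any shell metacharacter are rejected up front rather than reaching a later command. The archive built in `build_sample()` is constructed here for illustration.

```python
import io
import re
import tarfile

# Allow-listed path component: starts alphanumeric, then only [A-Za-z0-9._-].
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def unsafe_reasons(name: str) -> list[str]:
    """Return the reasons a member name fails the allow-list (empty list = accepted)."""
    reasons = []
    if name.startswith(("/", "\\")):
        reasons.append("absolute path")
    for part in name.replace("\\", "/").split("/"):
        if part == "..":
            reasons.append("path traversal component")
        elif not SAFE_COMPONENT.fullmatch(part):
            # Covers empty components, whitespace, quotes, backticks, ';', '$', '|' ...
            reasons.append(f"disallowed characters in component {part!r}")
    return reasons


def validate_archive(data: bytes) -> dict[str, list[str]]:
    """Map every rejected member name to its reasons; an empty dict means the archive passed.
    Only the headers are inspected; nothing is extracted."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reasons = unsafe_reasons(member.name)
            if not (member.isfile() or member.isdir()):
                reasons.append("non-regular member type")  # links, devices, FIFOs
            if reasons:
                findings[member.name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: one clean member and two that must be rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("attachments/report.txt", "../../etc/motd", "notes;extra.txt"):
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in validate_archive(build_sample()).items():
        print(f"REJECT {member!r}: {', '.join(why)}")
```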
Users and administrators of affected product versions are advised to adopt the following measures:
More information is available here:
https://www.barracuda.com/company/legal/esg-vulnerability
https://status.barracuda.com/incidents/34kx82j5n4q9
https://nvd.nist.gov/vuln/detail/CVE-2023-2868
https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-of-recently-patched-barracuda-zero-day/
https://thehackernews.com/2023/05/barracuda-warns-of-zero-day-exploited.html
https://mandiant.widen.net/s/qwlxddwdg6/barracuda-cve-2023-2868-hardening
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally