[UPDATED] Critical Vulnerability in Barracuda Networks' Email Security Gateway

Published on 31 May 2023 | Updated on 02 Aug 2023

Update as of 2 August:

CISA revealed that another new malware strain known as Submarine, a multi-component backdoor used for detection evasion, persistence, and data harvesting, was found on the compromised ESG appliances.

This additional malware was used by the attacker in response to Barracuda's remediation actions, in an attempt to maintain persistent access to ESG appliances. It appeared on a very small number of already compromised ESG appliances.

Barracuda's recommendation remains unchanged. Users and administrators of compromised devices should contact Barracuda Support at support@barracuda.com immediately if their compromised device has not already been replaced.

More information is available here:

Update as of 16 June:

Users and administrators of Barracuda ESG appliances, or of any other email security gateway appliance, should adopt hardening measures to protect their networks. These measures generally aim to restrict internal and external communications as well as administrative access.

For internal communications, the ESG appliance interface(s) should be placed in a designated VLAN with restricted ingress and egress communications. Only allow-listed communications to defined applications and services should be permitted. At a minimum, the following common protocols and ports should be blocked from the ESG appliance(s), as they could be leveraged for lateral movement:

  • SMB (TCP/445)
  • RDP (TCP/3389)
  • WMI (TCP/135 & TCP/1024 - TCP/65536)
  • WINRM (TCP/5985 & TCP/5986)
  • SSH (TCP/22)
  • HTTP/HTTPS (TCP/80 & TCP/443 [inbound traffic])

For outbound communications to external addresses, the ESG appliance(s) should be placed behind a Layer 7 firewall or network filtering appliance to reduce exposure and the potential attack surface. Only the ports and services required by the intended configuration should be externally accessible. Additionally, outbound communications from the ESG appliances should follow a default-deny approach, allowing only application-related services. This prevents potential backdoors or reverse shells from calling out.

Administrative access to the ESG appliance should be permitted only on an allow-list basis, with no accessibility from the Internet. The management port should be reachable only from pre-defined IP addresses. If API access to the ESG is used for remote administration and configuration, the API password should be rotated regularly and proactively.
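The hardening measures above, expressed as an nftables ruleset generator. This is an added example, not Barracuda's or CISA's own configuration; it assumes a forwarding firewall sitting between the ESG VLAN and the rest of the network, placeholder addresses, and that SMTP and DNS are the only application-related outbound services (adjust the port list to your deployment).

```shell
#!/bin/sh
# Emits an nftables ruleset for a firewall that forwards traffic between the
# ESG VLAN and the internal network. Constructed example: every address is a
# placeholder supplied by the caller, and the outbound service list is assumed.
# Usage: esg_ruleset <esg-address> <internal-cidr> <admin-cidr> [<outbound-tcp-ports>]
esg_ruleset() {
    esg="$1"; internal="$2"; admin="$3"
    # Assumed "application related services": SMTP delivery and DNS over TCP.
    outbound_tcp="${4:-25, 53}"
    cat <<EOF
table inet esg_hardening {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Administrative access: management UI only from pre-defined admin addresses
        ip saddr $admin ip daddr $esg tcp dport { 80, 443 } accept

        # Mail delivery to the ESG is the one externally reachable service
        ip daddr $esg tcp dport 25 accept

        # Lateral-movement protocols from the ESG into the internal network.
        # TCP/1024-65535 covers the WMI dynamic range (TCP ports stop at 65535).
        ip saddr $esg ip daddr $internal tcp dport { 445, 3389, 135, 5985, 5986, 22 } counter drop
        ip saddr $esg ip daddr $internal tcp dport 1024-65535 counter drop

        # Inbound HTTP/HTTPS to the ESG from anywhere but the admin allow-list
        ip daddr $esg tcp dport { 80, 443 } counter drop

        # Outbound from the ESG: default deny, allow only application-related services
        ip saddr $esg tcp dport { $outbound_tcp } accept
        ip saddr $esg udp dport 53 accept
        ip saddr $esg counter drop
    }
}
EOF
}

# Counts the explicit drop rules in the generated ruleset (a quick sanity check
# before loading it with `nft -f`).
esg_drop_rules() {
    esg_ruleset "$@" | grep -c ' drop$'
}
```

Load the output with `nft -f` after reviewing it; the explicit drop rules carry `counter` so that blocked lateral-movement attempts from the ESG show up in `nft list ruleset`.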

Update as of 6 June:

Barracuda Networks has advised that all compromised Email Security Gateway (ESG) devices need to be replaced regardless of patch version level. Barracuda also added that affected customers should already have been notified via the ESG user interface (UI). Users and administrators of compromised devices should contact Barracuda Support at support@barracuda.com immediately if their compromised device has not already been replaced after receiving the notice.

Users and administrators of Barracuda ESG devices that were not compromised and have been updated to the latest versions should contact Barracuda Support at support@barracuda.com to validate that their device is up to date.

Original alert published on 31 May 2023:

Barracuda Networks has released security updates addressing a critical vulnerability (CVE-2023-2868) in its Email Security Gateway appliance.

Successful exploitation of the remote command injection vulnerability could allow a remote attacker to bypass input validation and execute a system command with the privileges of the Email Security Gateway (ESG) appliance. The flaw stems from incomplete input validation of user-supplied tape archive (.tar) files.

The vulnerability affects Barracuda Email Security Gateway versions 5.1.3.001 through 9.2.0.006.

Users and administrators of affected product versions are advised to adopt the following measures:

  • Block the network indicators-of-compromise identified by Barracuda (https://www.barracuda.com/company/legal/esg-vulnerability)
  • Review your organisation’s domain controller event logs for suspicious events such as failed logins, privilege escalation attempts and anomalous network traffic
  • Check your Active Directory (AD) for any unauthorised changes to user groups, accounts, their associated permissions and monitor your organisation's networks for anomalous network traffic communicating with the AD
  • Perform a full anti-virus scan of your organisation’s network to detect any malware deployed in the event of successful lateral movement from Barracuda’s vulnerable ESG appliance
  • Check your mail server logs for any unusual activities such as suspicious login attempts, unauthorised mail forwarding rules in all email accounts and new accounts created that were not authorised
  • Update Barracuda ESG appliance to the latest versions

More information is available here:
https://www.barracuda.com/company/legal/esg-vulnerability
https://status.barracuda.com/incidents/34kx82j5n4q9
https://nvd.nist.gov/vuln/detail/CVE-2023-2868
https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-of-recently-patched-barracuda-zero-day/
https://thehackernews.com/2023/05/barracuda-warns-of-zero-day-exploited.html
https://mandiant.widen.net/s/qwlxddwdg6/barracuda-cve-2023-2868-hardening
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally