Barracuda Email Security Gateway
By Henry Nel, SOC Engineer
Published on: 14th June 2023
Discovered on May 19th by Barracuda, CVE 2023-2868 is a vulnerability which exists on the Barracuda Email Security Gateway (ESG) appliances on versions 5.1.3.001-9.2.0.006. This vulnerability allows attackers to perform remote code injection, enabling them to gain unauthorised access to the appliances. Evidence shows that although published in May, this vulnerability has been exploited in the wild since October 2022. Further investigation shows that the vulnerability was manipulated by attackers to exfiltrate data.
This vulnerability takes advantage of a failure to validate input of user supplied .tar files, as it pertains to the name of the files contained within the archive. As a result of this validation failure, a remote attacker can format file names in a way that would result in the execution of remote system commands through Perl’s qx operator using the privileges of the Email Security Gateway Product.
Attackers have crafted specific variants of malware which can be utilised to take advantage of this vulnerability and maintain persistence through backdoors. Below is a list of currently known malware and their identifying file paths:
SALTWATER
SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. Identified at path: /home/product/code/firmware/current/lib/smtp/modules on a subset of ESG appliances.
SEASPY
SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP) and port 587. Identified at path: /sbin/ on a subset of ESG appliances.
SEASIDE
SEASIDE is a Lua based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP address and port which it passes as arguments to an external binary that establishes a reverse shell.
Barracuda initially advised customers to patch affected devices to the most recent firmware version, however, the latest advice from Barracuda being to replace their devices immediately. The company released a statement stating “Impacted ESG appliances must be immediately replaced regardless of patch version level”. Adding onto this, Barracuda advised customers to contact their customer support team to obtain new replacement ESG virtual or hardware appliances.
Investigations from the Threat Intel team here at Communicate has shown that even as a critical vulnerability, the EPSS (Exploit Prediction Scoring System) puts the vulnerability at 1.64%, as customer appliances were automatically patched. For potentially compromised devices, there are at least 46 known indicators of compromise including file hashes, IP addresses, and hostnames. The threat actor, or threat actors, who exploited the vulnerability is currently unknown.
Speak to Communicate Technology if you need any further information around finding, detecting and mitigating this vulnerability via our enquiries email (https://communicate.technology/contact/), or by phone at 0800 404 8888
