This exploit code allows hacking into the Barracuda Email Security Gateway (ESG) appliance

Rapid7 has published a detailed analysis and an exploit for a flaw in the Barracuda Email Security Gateway (ESG) appliance. Versions 5.1.3.001–9.2.0.006 of the appliance are susceptible to a remote command injection vulnerability, tracked as CVE-2023-2868 with a CVSS score of 9.8. It has been systematically exploited since October 2022. The root cause is that the processing of .tar files (tape archives) was not thoroughly sanitized: the appliance performs incomplete input validation on a user-supplied .tar file with regard to the names of the files contained inside the archive.

As a consequence, a remote attacker can craft these file names so that, when the Email Security Gateway passes them through Perl's qx operator (which hands the string to a shell), arbitrary system commands are executed. The issue was fixed by the BNSF-36456 patch, which was released recently and automatically installed on all customer appliances.
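The defensive counterpart to the flaw described above is strict validation of archive member names before any of them reaches a shell. The following added example (not Barracuda's or Rapid7's code) builds a constructed .tar in memory and rejects any member whose name falls outside a conservative allowlist, which is the check the vulnerable code path lacked; the allowlist pattern itself is an assumption chosen for illustration.

```python
import io
import re
import tarfile

# Allowlist for archive member names: must start with an alphanumeric character
# (so no dotfiles, "." or "..", and no leading "-" that could be read as an option)
# and may only contain characters that no shell treats specially. Everything else,
# including "/", ";", "|", "$", "`", quotes and whitespace, is rejected.
# The exact pattern is an assumption for this example, not Barracuda's rule.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def unsafe_members(tar_bytes: bytes) -> list[str]:
    """Return the member names in a .tar that fail the allowlist check.

    An empty list means every name is safe to pass on; any non-empty result
    should cause the whole archive to be rejected before further processing.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            # fullmatch, not match: a trailing newline or any extra character
            # must also cause rejection.
            if SAFE_NAME.fullmatch(member.name) is None:
                flagged.append(member.name)
    return flagged


def build_tar(names) -> bytes:
    """Constructed sample archive: one empty file per given name (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed names: two benign, three that would be rejected by the allowlist.
    sample = build_tar(["invoice-2023.pdf", "notes.txt", "a;b.txt", "../escape.txt", ".hidden"])
    for name in unsafe_members(sample):
        print(f"rejected member name: {name!r}")
```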

According to Rapid7, the researchers carried out their examination on a pre-owned Barracuda ESG 300 running firmware version 8.0.1.001. Using the PoC to execute ping and dig commands, along with some basic fuzzing, they quickly validated command execution against the real device, confirming that the commands ran by observing all of the traffic with dnschef and Wireshark. To obtain shell access, they used a payload that was also described in the Mandiant alert.

The Barracuda Email Security Gateway (ESG) is a service that filters incoming and outgoing email and protects client data. The ESG may be deployed as a physical or virtual appliance, as well as in the public cloud on Amazon Web Services (AWS) or Microsoft Azure. Barracuda has published a detailed analysis of the situation so far, including substantial evidence of infiltration, fresh vulnerability details, and specifics of the backdoored module for Barracuda's SMTP daemon. According to reports, as of June 8 roughly 11,000 internet-facing appliances appeared to be running the "Barracuda Networks Spam Firewall" SMTP daemon, a banner that was matched against a known ESG appliance.

Therefore, customers of the Barracuda Email Security Gateway who have physical appliances need to immediately upgrade their firmware to the most recent version.