Finding Barracuda Email Security Gateways
Exploitation of Barracuda Email Security Gateway (ESG) appliances has made the news recently, including on-going investigation into the attacks. Leveraging a zero-day vulnerability as far back as October 2022, attackers compromised ESG targets to deploy malware that created persistent backdoor access on victim networks. This unauthorized access could have been used by attackers as a foothold for further network exploration or lateral movement, and evidence does exist that some attackers stole data via these compromised ESG targets. Barracuda identified the exploited vulnerability (known as CVE-2023-2868 with a “critical” CVSS score of 9.8) and has pushed fixes out to ESG devices worldwide, but even with these fixes, unauthorized presence on compromised networks can still exist if attackers already located and leveraged another exploitable target on the victim network. CISA has also added this vulnerability to their KEV catalog, with a BOD 22-01 due date of June 16th, 2023.
What is the Barracuda Email Security Gateway? #
The Barracuda Email Security Gateway (ESG) is offered as a complete email management solution. In addition to traditional email service and management, ESGs provide security-focused capabilities such as message encryption and email filtering (for catching threats and data exfiltration). ESGs exist as both physical appliances and virtual appliances.
What is the impact? #
Barracuda identified a command injection vulnerability (CVE-2023-2868, CVSS score 9.8) that exists in ESG versions 5.1.3.001 through 9.2.0.006. Due to ineffective input sanitization, a specially crafted tar archive file can be sent to vulnerable ESG targets to trigger unauthorized command execution as the ESG user. While Barracuda has made software updates available, the possibility that attackers used exploited ESG targets to pivot to – and potentially establish persistence on – other systems in a victim network is a real threat.
Are updates available? #
On May 20th, Barracuda pushed out a fix to all ESGs worldwide. This was followed by a script pushed out on May 21st to “contain the incident and counter unauthorized access methods.” Barracuda continues to push security patches as part of their containment strategy. Owners or admins of Barracuda Email Security Gateway appliances should verify their ESG instances are accepting and applying current updates being sent out by Barracuda, and can also check for indicators of compromise.
How do I find potentially vulnerable Barracuda Email Security Gateways with runZero? #
hw:"Barracuda Email Security Gateway"
Results from the above query should be triaged to verify they are running Barracuda’s latest patches.
Get runZero for free
Don’t have runZero and need help finding potentially vulnerable Barracuda devices?Get started
September 29, 2023
How to find WS_FTP Server instances?
How to find WS_FTP Server instances? # On September 27th, Progress Sofware announced eight vulnerabilities in the WS_FTP Server software. These issues can lead to a full compromise of exposed WS_FTP systems and their data through the FTP, SSH, and web management services, …Read More
September 26, 2023
How to find TeamCity instances
How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …Read More
September 12, 2023
How to find OpenSSL 1.1 instances
How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …Read More