Blog

Barracuda Networks Recommends Customers to Replace Hacked ESGs despite Patches

Now Reading

In May 2023, the 0-day vulnerability CVE-2023-2868 was fixed in Barracuda Networks products, which hackers used for more than six months and broke ESG, but the problems did not end there.

While patches were eventually released for the problem, the manufacturer has now unexpectedly stated that customers should stop using hacked Email Security Gateways (ESG) and replace them, even if they received patches.

Let me remind you that we also wrote that Over 4,000 Servers Are Still Vulnerable to Critical Bug in Sophos Firewall, and also that Emsisoft Says Hackers Are Spoofing Its Certificates.

Also, you might be interested in the article: Email Security Tactics – How to Stay Safe from Online Threats.

Information about the critical RCE vulnerability CVE-2023-2868 (9.8 points on the CVSS scale) appeared in mid-May of this year. At the time, it was reported that the problem affects versions 5.1.3.001 through 9.2.0.006 and allows a remote attacker to execute arbitrary code.

The vulnerability arises due to insufficiently comprehensive verification when processing .tar files (tape archives). The vulnerability occurs due to insufficient validation of the user-provided .tar file, namely the names of the files contained in the archive. As a consequence, a remote attacker could format the names of these files in a certain way, which would cause a system command to be executed remotely via Perl qx with Email Security Gateway privileges.it was reported in May.

As a result, patches for this problem were released on May 20 and 21, 2023, however, Barracuda Networks, whose products are used by more than 200,000 customers worldwide, including Samsung, Delta Airlines, Mitsubishi and Kraft Heinz, warned that the vulnerability was used by attackers in attacks with October 2022.

Malware was found on a number of devices that allows establishing permanent access through a backdoor. Also, some devices showed signs of data leakage.the manufacturer said.

Then the experts said that three malware samples were associated with the exploitation of the CVE-2023-2868 vulnerability:

SALTWATER, a trojanized module for the Barracuda SMTP daemon (bsmtpd), capable of uploading and downloading arbitrary files, executing commands, and proxying and tunneling malicious traffic for greater stealth;
SEASPY is a backdoor in ELF x64 format that can gain a foothold in the system and is activated using a magic package;
SEASIDE is a Lua-based module for bsmtpd that installs reverse shells via SMTP HELO/EHLO commands received via the malware’s C&C server.

The manufacturer released a new statement this week, surprisingly saying that all customers affected by the newly discovered vulnerability should immediately stop using compromised Email Security Gateways (ESGs) and replace them.

All affected ESG devices should be replaced immediately, regardless of the version of the patch installed.the company said.

They also add that now the recommendation to fix the problem is “total replacement of the affected ESG.”

The company does not say what was the reason for this statement and such drastic measures. It can be assumed that the attackers behind the newly discovered attacks managed to infiltrate the ESG firmware at a deeper level, and the patches simply cannot completely eliminate the threat.

According to Barracuda, affected customers have already been notified through the ESG user interface. Customers who have not yet had time to replace their devices are strongly advised to urgently contact support via email.

likethis

What's your reaction?

Love It

Like It

Want It

Had It

Hated It

Posted In