===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2023.0107
      Barracuda Email Security Gateway Appliance (ESG) Vulnerability
                                9 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Barracuda Email Security Gateway Appliance (ESG)
Operating System: Network Appliance
Resolution:       Device Replacement
CVE Names:        CVE-2023-2868  

Comment: CVSS (Max):  9.8 CVE-2023-2868 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

        Barracuda recently discovered a remote connection injection vulnerability in their 
        Email Security Gateway (ESG) devices [1].  It was reported that there is evidence of 
        attackers exploiting this vulnerability as early as October 2022 [1].  Despite various
        patches and methods of identifying compromise being released, Barracuda's latest 
        advice is to immediately replace impacted devices [1][2][3].


IMPACT

        On May 30, Barracuda released details of the vulnerability (CVE-2023-2868)
        being used to gain unauthorized access to a subset of ESG appliances [1].
        Malware allowing persistent backdoor access was identified, and evidence
        of data exfiltration was seen [1].


MITIGATION

        Barracuda has provided a comprehensive write-up of the vulnerability and its
        history [1], including indicators of compromise (IOCs). Although various patches
        were released and pushed out to the devices earlier, Barracuda's latest
        recommendation as of June 6, 2023 is:
        "Impacted ESG appliances must be immediately replaced regardless of 
         patch version level." [1]
        "Barracuda's remediation recommendation at this time is full replacement 
         of the impacted ESG." [1] 


REFERENCES

        [1] Barracuda Email Security Gateway Appliance (ESG) Vulnerability
            https://www.barracuda.com/company/legal/esg-vulnerability

        [2] Barracuda says hacked ESG appliances must be replaced immediately
            https://www.bleepingcomputer.com/news/security/barracuda-says-hacked-esg-appliances-must-be-replaced-immediately/

        [3] CVE-2023-2868: Total Compromise of Physical Barracuda ESG
            Appliances
            https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================