===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2023.0107
      Barracuda Email Security Gateway Appliance (ESG) Vulnerability
                                9 June 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Barracuda Email Security Gateway Appliance (ESG)
Operating System:     Network Appliance
Resolution:           Device Replacement
CVE Names:            CVE-2023-2868

Comment: CVSS (Max):  9.8 CVE-2023-2868 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

        Barracuda recently discovered a remote connection injection
        vulnerability in their Email Security Gateway (ESG) devices [1].
        It was reported that there is evidence of exploitation of this
        vulnerability by attackers as early as October 2022 [1].

        Despite various patches and methods of identifying compromise
        being released, Barracuda's latest advice is to immediately
        replace impacted devices [1][2][3].

IMPACT

        On May 30, Barracuda released details of the vulnerability
        (CVE-2023-2868) being used to gain unauthorized access to a subset
        of ESG appliances [1]. Malware was identified allowing for
        persistent backdoor access, and evidence of data exfiltration was
        seen [1].

MITIGATION

        A comprehensive write-up of the vulnerability and its history has
        been provided by Barracuda [1]. It includes details on the
        vulnerability and indicators of compromise (IOCs).

        Despite the earlier release of various patches and their push out
        to the devices, Barracuda's latest recommendation as of June 6,
        2023 is:

        "Impacted ESG appliances must be immediately replaced regardless
        of patch version level." [1]

        "Barracuda's remediation recommendation at this time is full
        replacement of the impacted ESG." [1]

REFERENCES

        [1] Barracuda Email Security Gateway Appliance (ESG) Vulnerability
            https://www.barracuda.com/company/legal/esg-vulnerability

        [2] Barracuda says hacked ESG appliances must be replaced
            immediately
            https://www.bleepingcomputer.com/news/security/barracuda-says-hacked-esg-appliances-must-be-replaced-immediately/

        [3] CVE-2023-2868: Total Compromise of Physical Barracuda ESG
            Appliances
            https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================