Barracuda ESG appliances impacted by CVE-2023-2868 must be immediately replaced

Barracuda warns customers to immediately replace Email Security Gateway (ESG) appliances impacted by the flaw CVE-2023-2868.

At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.

The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening, the issue was discovered on May 19 and the company fixed it with the release of two security patches on May 20 and 21

The issue could have a significant impact because the impacted Email Security Gateway (ESG) appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses.

The vulnerability doesn’t impact other Barracuda products, the company states that its SaaS email security services is not affected by this issue.

The company investigated the flaw and discovered that it was exploited to target a subset of email gateway appliances. The company notified via the ESG user interface the customers whose appliances they believe were impacted.

On May 30, 2023, the vendor provided a Preliminary Summary of Key Findings related to its investigation that includes a timeline of events, Indicators of Compromise (IOCs), and recommended actions for impacted customers.

As per the vendor’s statement, the flaw has been exploited in real-world scenarios, with incidents dating back to October 2022 at the very least.

“Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” reads the update provided by the company.

Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access.

The company confirmed that the CVE-2023-2868 was first exploited in October 2022.

The families of malware employed in the attacks are:

• SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
• SEASPY – An x64 ELF persistent backdoor masquerades as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
• SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server.

Now the company is urging customers to immediately replace the ESG appliances, regardless of patch version level.

“Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).” urges the company. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”

On May 28, US Cybersecurity and Infrastructure Security Agency (CISA) added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Barracuda)