Warning: Critical actively exploited Remote Code Execution Vulnerability affects Barracuda Email Security Gateway appliances, Verify and check asap!
Successful exploitation of CVE-2023-2868 could allow an attacker to execute commands on the appliance on an affected device. This access could be used for data exfiltration or possible lateral movement inside the network.
CVE-2023-2868 has a high impact on all vertices of the CIA triad (Confidentiality, Integrity, Availability).
Active exploitation was observed by Barracuda, Vigilance is required.
On May 19th Barracuda identified CVE-2023-2868, a Remote Code Execution vulnerability on their Email Security Gateway (ESG) appliances. Barracuda has determined an exploit was used to gain unauthorized access to some ESG appliances. On an affected system Barracuda found backdoor malware, and evidence of data exfiltration. The vulnerability affects the ESG appliances of Barracuda, other barracuda systems are not affected by this vulnerability.
The vulnerability is triggered from an incomplete input validation on user supplied .tar files. An attacker could format filenames in a certain manner to trigger a system command to execute on the device.
Barracuda ESG appliances should be automatically updated. Barracuda notified organisations that are possibly vulnerable for CVE-2023-2868 via the ESG interface.
The Centre for Cyber security Belgium strongly recommends system administrators to check their Barracuda ESG appliances if they received a notification about possible exploitation and check if their appliance is running the latest software version.
The Centre for Cyber security Belgium strongly recommends system administrators to scan their infrastructure for the disclosed Indicators of Compromise for evidence of exploitation attempts such as the tar file, or data exfiltration to the mentioned C2 addresses. Indicators are available in the vulnerability disclosure report from Barracuda: https://www.barracuda.com/company/legal/esg-vulnerability