Barracuda is urging some customers to replace their Email Security Gateway (ESG) appliances shortly after disclosing that a remote code execution bug in the appliance has been exploited by attackers to enable “persistent backdoor access” for eight months.
Barracuda first discovered the bug (tracked as CVE-2023-2868) on May 19 after being tipped off that anomalous traffic was stemming from ESG appliances. A patch was deployed on May 20, and a second patch deployed on May 21. On June 1, the company warned that attackers had been exploiting the vulnerability since October 2022 in order to obtain unauthorized access to a “subset of ESG appliances,” set up persistent backdoor access and exfiltrate data.
Though Barracuda said that affected customers were notified and patches deployed, on June 6 the company said its remediation recommendation is now full replacement of the impacted ESG appliances. Barracuda did not give further details about why it has updated its recommendation for customers to replace their appliances.
“Impacted ESG appliances must be immediately replaced regardless of patch version level,” according to Barracuda’s advisory. “If you have not replaced your appliance after receiving notice in your UI, contact support now.”
The remote code execution bug, which could allow attackers to gain unauthorized access to vulnerable appliances, affects appliance versions 5.1.3.001 through 9.2.0.006 and does not affect other Barracuda products, including the SaaS version of the ESG product. It stems from a module that screens the attachments of incoming emails, which does not fully validate user-supplied .tar files, specifically the file names contained in the archive.
“Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” according to the advisory. “Barracuda’s investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances.”
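To make the flaw concrete, the following Perl shows the pattern the advisory describes (an archive entry name interpolated into a qx command) beside a hardened form that validates the name and runs the helper without a shell. This is an added illustration, not Barracuda's code; the routine names, the allowlist and the constructed sample entry names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed scenario (not Barracuda's code): an attachment-screening routine
# receives the entry names of an attached .tar archive and runs an external
# tool on each one.

# VULNERABLE PATTERN: the entry name is interpolated into a shell command
# string, so any shell metacharacters in the name are interpreted by /bin/sh
# with the privileges of the screening process. Shown for contrast only; this
# script never calls it.
sub screen_entry_unsafe {
    my ($name) = @_;
    return qx(file $name);
}

# Hardened form:
#  1) refuse any entry name outside a strict allowlist before doing anything;
#  2) start the helper via list-form open, so no shell is involved and the
#     name is passed as a single literal argv element.
# \A and \z anchor the whole string; a trailing "$" would still match a name
# ending in a newline, so it is deliberately avoided here.
my $SAFE_NAME = qr/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/;

sub is_safe_entry_name {
    my ($name) = @_;
    return defined $name && $name =~ $SAFE_NAME;
}

sub screen_entry_safe {
    my ($name) = @_;
    die "rejected tar entry name\n" unless is_safe_entry_name($name);
    open(my $fh, '-|', 'file', $name) or die "cannot run file: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Constructed sample entry names (not taken from any real archive).
my @samples = (
    'quarterly-report.pdf',   # ordinary name; accepted
    'invoice.pdf; id',        # shell metacharacters; refused
    "notes.txt\n",            # embedded newline; refused
    '../etc/passwd',          # slashes are not in the allowlist; refused
);

for my $name (@samples) {
    my $shown = $name; $shown =~ s/\n/\\n/g;
    printf "%-28s %s\n", "'$shown'", is_safe_entry_name($name) ? 'accept' : 'REJECT';
}
```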
After Barracuda worked through incident response with Mandiant, three types of malware were identified as part of these attacks on ESG appliances.
A module for the Barracuda SMTP daemon called Saltwater was discovered. This trojanized module contains backdoor functionality and includes components that enable attackers to upload or download arbitrary files and execute commands. The backdoor also has proxying and tunneling capabilities. Another Barracuda SMTP daemon module called Seaside was found that monitors SMTP commands for a command-and-control (C2) IP address and port, which it then passes on to an external binary that creates a reverse shell. Finally, a backdoor called Seaspy was also discovered, which has code that overlaps with the known, publicly available backdoor cd00r.
“SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP),” according to the advisory. “SEASPY also contains backdoor functionality that is activated by a ‘magic packet.’”
Barracuda said that evidence of data exfiltration was also discovered on certain impacted appliances. The ESG is a particularly attractive target because it is deployed across many enterprises, exposing them to attacks aimed at sensitive data.
“Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take,” according to the advisory. “Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.”