
Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by attackers exploiting a now-patched zero-day vulnerability.

On Friday, May 19, a vulnerability was discovered in the email attachment scanning module. The issue was addressed by applying two security patches on May 20 and 21.

While the flaw was patched over the weekend, Barracuda warned on Tuesday that some of its customers' ESG appliances were compromised by exploiting the now-patched security bug.

"Based on our investigation to date, we've identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances," the company said.

"Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers."

The company's other products, including SaaS email security services, were unaffected by this vulnerability.

Customers asked to check networks for intrusions

Barracuda said the investigation was limited to its ESG product and did not cover customers' corporate networks. Therefore, the company advises impacted organizations to review their environments to confirm that the threat actors had not spread to other devices on the network.

"If a customer has not received notice from us via the ESG user interface, we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take," Barracuda told BleepingComputer.

A spokesperson for Barracuda didn't reply to a subsequent email asking for more details regarding the number of affected customers or if their data was impacted after their ESG appliances were breached.

Today, Barracuda also addressed a login issue affecting Email Gateway Defense (EGD) appliances and a buggy spam scoring rule that led to customer emails being blocked incorrectly.

Barracuda says its enterprise-grade security solutions are now used by over 200,000 organizations worldwide, including Samsung, Mitsubishi, Kraft Heinz, Delta Airlines, and other high-profile companies.


Update May 25, 13:45 EDT: The vulnerability, a critical remote command injection flaw in the Barracuda Email Security Gateway (appliance form factor only), is now tracked as CVE-2023-2868.

"The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar files (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive," according to the flaw's CVE entry.

"As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product."
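As an added example, not taken from the article or from Barracuda's code, the following Python script shows the defensive side of the pattern the CVE entry describes: archive member names are checked against an allow-list before any external tool sees them, and the scanner is invoked with an argument vector rather than a shell string (the Python analogue of interpolating a name into Perl's qx). The sample archive, its member names and the /usr/bin/file scanner path are constructed assumptions for the demonstration.

```python
import io
import re
import tarfile

# Characters a POSIX shell interprets. A member name containing any of these must
# never be interpolated into a shell command string (Perl qx, os.system, shell=True).
SHELL_META = re.compile(r"[`$;|&<>(){}\[\]\n\r\\'\"*?~!#% \t]")


def member_name_is_safe(name: str) -> bool:
    """Allow-list check: relative path, no traversal components, no shell metacharacters."""
    if not name or len(name) > 255:
        return False
    if name.startswith(("/", "\\")):
        return False
    if any(part in ("", ".", "..") for part in name.split("/")):
        return False
    if SHELL_META.search(name):
        return False
    return True


def audit_tar_bytes(data: bytes) -> dict:
    """Classify every member name in a tar image as 'safe' or 'rejected' without extracting."""
    result = {"safe": [], "rejected": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            bucket = "safe" if member_name_is_safe(member.name) else "rejected"
            result[bucket].append(member.name)
    return result


def scan_argv(name: str) -> list:
    """Build the scanner command as an argv list, so the name is one argument and is
    never parsed by a shell. Refuses names that failed validation.
    /usr/bin/file is an assumed placeholder for whatever scanner the gateway runs."""
    if not member_name_is_safe(name):
        raise ValueError(f"refusing to scan unsafe member name: {name!r}")
    return ["/usr/bin/file", "--", name]


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign name and three that must be rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ["invoice.pdf", "../../escape.txt", "a;b.txt", "x`y`.doc"]:
            info = tarfile.TarInfo(name=name)
            payload = b"dummy"
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_tar_bytes(build_sample_tar())
    print("safe:    ", report["safe"])
    print("rejected:", report["rejected"])
    for name in report["safe"]:
        print("would run:", scan_argv(name))
```

The validator only inspects headers, so it can run before any member is extracted or handed to a scanner, and the argv form means that even a name which slipped through validation would reach the scanner as a literal filename rather than as shell syntax.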
