Barracuda ESG users told to throw away their hardware

Organisations operating Barracuda Networks’ Email Security Gateway (ESG) appliances vulnerable to a bug tracked as CVE-2023-2868 to throw away their hardware, regardless of whether or not they have patched it, and seek a replacement.

Barracuda made a patch available on 20 May having been alerted to dodgy traffic emanating from compromised ESG appliances on 18 May, but it now appears that the patch has proved insufficient.

“Impacted ESG appliances must be immediately replaced regardless of patch-version level,” the organisation said in a statement.

“If you have not replaced your appliance after receiving notice in your UI, contact support now. Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” it said.

First identified and disclosed in May 2023, CVE-2023-2868 is a remote command injection vulnerability present in versions 5.1.3.001 to 9.2.0.006 of physical ESG appliances. It enables an attacker to achieve remote code execution (RCE) with elevated privileges, and the supplier’s investigation has found it has been actively exploited since October 2022.

Aided by Google Cloud’s Mandiant, Barracuda’s investigation determined that the vulnerability was used to obtain unauthorised access to a subset of ESG boxes, onto which two backdoor malwares dubbed Saltwater and Seaspy were placed, followed by a module called Seaside that monitored incoming traffic and established a reverse shell.

The vulnerability proved sufficiently serious for the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalogue, which mandates patching across the US government.

“The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn’t eradicate attacker access,” said Caitlin Condon, senior manager of vulnerability research at Rapid7.

Condon said that there may be as many as 11,000 ESG devices exposed to the public internet, and revealed that Rapid7’s teams had identified significant volumes of malicious activity on a timescale consistent with Barracuda’s assessment – the most recent communication with threat actor infrastructure was observed in May 2023.

She added that in some cases, Rapid7 had observed potential data exfiltration from compromised networks, but that the team had not yet observed any lateral movement taking place from a compromised appliance.

Besides taking the vulnerable devices offline, users are also advised to rotate any credentials that may have been connected to it, including any connected Lightweight Directory Access Protocol/Active Directory, Barracuda Cloud Control, file transfer protocol (FTP) server, server message block (SMB) protocols, and private transport layer security (TLS) certificates.