
Researchers ‘break’ rule designed to guard against Barracuda vulnerability

Vectra AI researchers found that a Suricata rule designed to detect exploitation of a dangerous Barracuda Email Security Gateway flaw was not entirely effective

Researchers at Vectra AI, a supplier of threat detection and response services, have warned of the importance of taking a less rigid and more dynamic approach to managing zero-day exploitation following disclosure, after they were able to break a Proofpoint-developed Suricata rule designed to detect exploitation of a flaw in Barracuda Networks’ Email Security Gateway (ESG) appliances.

The existence of CVE-2023-2868, a remote command injection vulnerability leading to remote code execution (RCE) present in a highly limited subset of ESG appliances, was disclosed in May by Barracuda – but not before it was exploited for several months by a Chinese state threat actor.

In a somewhat embarrassing development, the first patch issued by Barracuda was determined to be ineffective, resulting in an unfortunate situation whereby owners of affected appliances had to be told to get rid of them and seek a replacement, irrespective of whether or not they were patched.

Despite this, said Vectra AI’s Quentin Olagne, the Emerging Threats team at Proofpoint subsequently released a Suricata detection rule (SID 2046280) designed to detect attempted exploitation of CVE-2023-2868.

Some time later, said Olagne, a Vectra AI client raised a concern about this rule with the firm, after finding evidence that it may not be performing as it should do.

“[We] found the rule failed to alert on a specific proof-of-concept exploit, despite successful delivery of the exploit payload,” wrote Olagne.

“We analysed the rule and related exploit and identified the specific detection gap, which was caused by a non-deterministic ordering of exploit-related content within the exploit payload.

“With the gap identified, we were able to rewrite a rule to provide the necessary detection coverage, [and] after submitting our findings to Proofpoint’s Emerging Threats team, they released a new M2 detection rule,” he wrote.

Olagne explained that the original rule was flawed thanks to a presumption that everybody follows the rules, even threat actors.

CVE-2023-2868 stemmed from the incomplete input validation of a user-supplied .TAR archive file, specifically of the names of the files within that archive. As such, specially crafted file names could result in a situation where the attacker could execute a system command with ESG privileges.

In the course of Vectra AI’s research, Olagne found a further-manipulated .TAR archive that could still slip a payload past the Proofpoint rule because the author of the exploit didn’t follow the expected rules.

A .TAR archive generated in the normal way follows certain standard conventions and rules that determine the file names and their order in the archive – it was these file names that were exploited in the original attacks by, in effect, turning them into malicious commands.

If, said Olagne, the exploit author gets “a bit crafty” with the underlying code, they can sneak these commands past the Proofpoint Suricata rule by putting them not in the file name itself, but in the header.

The rule is therefore not triggered, because the ordering of content in these headers is not the fixed, deterministic ordering the original rule expected. In layman’s terms, the detection rule is looking in the wrong place, so it misses vital clues and the attack continues.
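To make that detection gap concrete, here is an added Python example that is not from Vectra AI, Proofpoint or the article: a rigid detector that only inspects a fixed offset (a simplified stand-in for a fixed-position rule, not the actual ET signature) beside one that walks every ustar header and inspects the full member path, including the 155-byte prefix field and the link target. The archives, member names and the `cmd` placeholders are constructed; the walker handles plain ustar headers only, not GNU or PAX extension records.

```python
import io
import tarfile

BLOCK = 512
# Shell metacharacters that do not belong in a member path (constructed heuristic, not the ET rule's logic).
SUSPICIOUS = frozenset(b"`$;|&")

def ustar_header(name: bytes, prefix: bytes = b"", size: int = 0) -> bytes:
    """Hand-build one valid ustar header (used only to construct sample input)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name
    hdr[100:108], hdr[108:116], hdr[116:124] = b"0000644\0", b"0000000\0", b"0000000\0"
    hdr[124:136] = b"%011o\0" % size
    hdr[136:148] = b"00000000000\0"
    hdr[156:157] = b"0"                      # typeflag: regular file
    hdr[257:265] = b"ustar\x0000"            # POSIX magic + version
    hdr[345:345 + len(prefix)] = prefix      # ustar path prefix field
    hdr[148:156] = b"        "               # checksum is computed over spaces
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)

def walk_headers(blob: bytes):
    """Yield (full path, link target) from every member header; plain ustar only."""
    off = 0
    while off + BLOCK <= len(blob):
        hdr = blob[off:off + BLOCK]
        if hdr == bytes(BLOCK):              # end-of-archive marker
            break
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        prefix = hdr[345:500].rstrip(b"\0") if hdr[257:263] == b"ustar\0" else b""
        name = hdr[0:100].rstrip(b"\0")
        yield (prefix + b"/" + name if prefix else name), hdr[157:257].rstrip(b"\0")
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK

def naive_detect(blob: bytes) -> bool:
    """Rigid check: only the name field of the first header, at a fixed offset."""
    return any(c in SUSPICIOUS for c in blob[0:100])

def robust_detect(blob: bytes) -> list:
    """Inspect the full path and link target of every member, wherever it sits."""
    return [f for path, link in walk_headers(blob) for f in (path, link) if any(c in SUSPICIOUS for c in f)]

def stdlib_names(blob: bytes) -> list:
    """Cross-check that the constructed archives are valid tar for the standard library."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
        return tf.getnames()

# Constructed samples: (a) metacharacters in the first member's name field;
# (b) benign first member, metacharacters only in a later member's prefix field.
SAMPLE_NAME = ustar_header(b"file_$(cmd).txt") + bytes(2 * BLOCK)
SAMPLE_PREFIX = ustar_header(b"readme.txt") + ustar_header(b"data.bin", b"dir`cmd`") + bytes(2 * BLOCK)
```

The fixed-offset check fires on the first sample and misses the second, while the header walk flags both; a rule that only assumes one layout of the archive has the same blind spot.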

A (mostly) happy ending

After Vectra AI reported this rule bypass to Proofpoint, a revised Suricata rule was published at the end of September – this is SID 2048146. And as users of the affected appliances should by now have obtained unaffected replacements from Barracuda, it is probably unlikely that this exploit bypass was ever used maliciously.

However, said Olagne, it is important to draw attention to the issue as a demonstration that “relying solely on fixed rules and standards has its limitations in the ever-evolving landscape of cyber security”.

“Through this analysis, we have witnessed a prime example of the limitations of this approach, via the manipulation of a TAR archive structure that allowed a payload to slip past [Proofpoint] ET's initial detection for CVE-2023-2868. This event underscores the urgency of adopting a more adaptable and dynamic security strategy,” he wrote.

“As we look to tomorrow, it is imperative to shift our focus away from rigidity and embrace a more holistic, proactive security paradigm. Instead of merely pondering the odds of another rule breach, we should actively strive to enhance our cyber security measures by constantly evolving our detection and defence mechanisms.”

“By acknowledging the limitations of fixed rules, we can better prepare for an uncertain future where cyber threats continually evolve. In doing so, we can strengthen our security posture and better protect against malicious actors who persistently seek to bypass the rules,” he concluded.

Timeline of CVE-2023-2868

  • 23/4 May 2023: Barracuda Networks said threat actors exploited the zero-day to gain ‘unauthorised access to a subset of email gateway appliances’, though it did not say how many.
  • 31 May: Barracuda said a zero-day flaw used to target its email security gateway appliance customers is a remote command injection vulnerability exploited since at least October 2022.
  • 9 June: Owners of Barracuda Email Security Gateway appliances are being told that they will need to throw out and replace their kit after it emerged that a patch for a recently disclosed vulnerability had not done the job.
  • 15 June: Intelligence from Mandiant links exploitation of a flaw in a subset of Barracuda ESG appliances to a previously untracked China-nexus threat actor.
  • 28 July: CISA said that Submarine is a novel persistent backdoor used in attacks against Barracuda Email Security Gateway appliances vulnerable to CVE-2023-2868.
  • 24 August: FBI alert comes after Barracuda Networks issued an advisory stating that patches for CVE-2023-2868 were insufficient and all affected ESG devices need to be replaced.
