In a critical cybersecurity development, Barracuda, a well-established provider of email and network security solutions, encountered a security breach. The breach was due to a zero-day vulnerability found in the email attachment scanning module of the company’s Email Security Gateway (ESG) appliances. The vulnerability was identified on May 19 and promptly mitigated by deploying two security patches over the subsequent weekend.
This vulnerability resulted in unauthorized access to a select group of ESG appliances. Affected users have been alerted about the situation and the necessary countermeasures through the ESG user interface and direct communication from the company.
It is important to note that Barracuda’s investigation remained confined to the ESG product and did not implicate customers’ corporate networks. Nevertheless, the company has urged impacted organizations to scrutinize their networks to ensure the threat has not extended to other devices.
The vulnerability did not impact other products from Barracuda, including its SaaS email security services. While information regarding the total number of affected customers or the extent of the impact on their data is not available, it is clear that users who have not received a notification via the ESG user interface are not likely to have been affected.
Barracuda also fixed a login issue affecting Email Gateway Defense (EGD) appliances and a glitch in a spam scoring rule that was incorrectly blocking customer emails.
Barracuda’s enterprise-level security solutions are used by over 200,000 organizations worldwide, including globally recognized companies.
The vulnerability, now tracked as CVE-2023-2868, is a critical remote command injection flaw specific to the Barracuda Email Security Gateway. It arose from a failure to fully sanitize input when processing .tar files. Consequently, a remote attacker could exploit this flaw by formatting the names of files in an archive in a specific manner to execute a system command with the privileges of the Email Security Gateway product.
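The class of flaw described above can be guarded against in two ways, shown here as an added example that is not Barracuda's code: validate tar member names against an allow-list before any further processing, and hand an untrusted name to a child process as a single argument instead of building a shell string. The function names and the sample archive are constructed for illustration.

```python
import io
import re
import subprocess
import sys
import tarfile

# Allow-list for member names: no shell metacharacters, no leading hyphen.
# (Covers shell-unsafe names only; path traversal needs a separate check.)
SAFE_NAME = re.compile(r"[A-Za-z0-9._/][A-Za-z0-9._/-]*")

def build_sample_tar(names):
    """Build an in-memory tar with the given member names (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()

def suspicious_members(tar_bytes):
    """Return member names that fall outside the allow-list."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [m.name for m in tar.getmembers()
                if not SAFE_NAME.fullmatch(m.name)]

def echo_name_safely(name):
    """Pass an untrusted name as one argv element; no shell parses it."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", name]
    out = subprocess.run(child, capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")

# Constructed sample names: two ordinary, four that a scanner should reject.
SAMPLE_NAMES = ["invoice.pdf", "docs/readme.txt",
                "a`b`.txt", "x;y.txt", "$(z).txt", "-rf"]

if __name__ == "__main__":
    archive = build_sample_tar(SAMPLE_NAMES)
    for bad in suspicious_members(archive):
        print("rejecting archive, unsafe member name:", repr(bad))
    # The name arrives in the child process byte-for-byte, never evaluated.
    print(echo_name_safely("$(z).txt"))
```
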