PT-2023-2960 · Barracuda · Barracuda Email Security Gateway Appliance

Published: 2023-05-24 · Updated: 2025-04-02 · CVE-2023-2868

CVSS v2.0: 10 (Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Name of the Vulnerable Software and Affected Versions:

Barracuda Email Security Gateway versions 5.1.3.001 through 9.2.0.006

Description:

A remote command injection vulnerability exists in the Barracuda Email Security Gateway product, affecting versions 5.1.3.001 through 9.2.0.006. The vulnerability arises from incomplete sanitization in the processing of user-supplied .tar files, specifically insufficient validation of the names of the files contained within the archive. A remote attacker who formats a file name in a particular manner can cause a system command to be executed through Perl's qx operator with the privileges of the Email Security Gateway product. The issue was fixed as part of the BNSF-36456 patch, which was automatically applied to all customer appliances. The vulnerability has been exploited by suspected Chinese hackers, and the FBI has warned that patches for the vulnerability are ineffective. The FBI recommends immediately replacing compromised appliances.

Recommendations:

As a temporary workaround, consider disabling the `bsmtpd` daemon until a patch is available. Restrict network access to the Barracuda Email Security Gateway appliance to minimize the risk of exploitation. Avoid using the `qx` operator in Perl scripts that handle user-supplied input until the issue is resolved. Immediately replace compromised Barracuda Email Security Gateway appliances, as patches are ineffective against this vulnerability.
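The root cause above is an archive member name reaching a shell unchecked. As an added example (not from the advisory and not Barracuda's code), the following Python inspects a .tar header and rejects any member name that contains characters a shell could interpret, an absolute path or a `..` segment, before the archive is processed further; the allowlist regex and the sample archive are constructed for illustration.

```python
import io
import re
import tarfile

# Allowlist for a single path segment: letters, digits, dot, underscore, hyphen.
# Anything a shell could interpret (space, quote, backtick, $, ;, |, &, newline)
# fails this pattern. Assumption: the application never needs other characters.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def unsafe_reasons(name: str) -> list[str]:
    """Return the reasons a member name is rejected; an empty list means safe."""
    if not name:
        return ["empty name"]
    reasons = []
    if name.startswith("/"):
        reasons.append("absolute path")
    for seg in name.split("/"):
        if seg in ("", "."):
            continue  # doubled/trailing slash or "current dir" segment: harmless
        if seg == "..":
            reasons.append("path traversal")
        elif not SAFE_SEGMENT.match(seg):
            reasons.append(f"disallowed characters in segment {seg!r}")
    return reasons


def audit_tar_names(data: bytes) -> dict[str, list[str]]:
    """Map every rejected member name to its reasons.

    Only the archive headers are read: nothing is extracted, and no name is
    ever interpolated into a command string.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            reasons = unsafe_reasons(member.name)
            if reasons:
                findings[member.name] = reasons
    return findings


def build_sample_tar(names) -> bytes:
    """Construct an in-memory tar with empty members of the given names (test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tar(["invoice.pdf", "docs/readme.txt", "a;b.txt", "../etc/x"])
    print(audit_tar_names(sample))  # reports only the last two names
```

Rejecting the archive outright on the first finding, rather than skipping the offending member, keeps the decision simple for an upstream filter.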

Tags: Exploit · Fix · RCE · Command Injection


Related Identifiers

BDU:2023-02969
CVE-2023-2868

Affected Products

Barracuda Email Security Gateway Appliance