PT-2023-2960 · Barracuda · Barracuda Email Security Gateway Appliance

Published: 2023-05-24 · Updated: 2026-03-28 · CVE-2023-2868

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Barracuda Email Security Gateway (ESG) versions 5.1.3.001 through 9.2.0.006

Description: A remote command injection vulnerability exists in the Barracuda Email Security Gateway (ESG) appliance. The root cause is a failure to properly sanitize user-supplied .tar files, specifically the names of the files inside the archive. A remote attacker can use this to execute system commands through Perl's qx operator with the privileges of the ESG product. The vulnerability has been exploited by the UNC4841 threat actor, suspected of ties to China, which has deployed malware such as SUBMARINE, SKIPJACK, DEPTHCHARGE, and FOXTROT. The FBI has warned that the patches released for this vulnerability are ineffective: compromised appliances, even those that have been patched, remain at risk. Exploitation has been observed globally, with evidence of data theft and the installation of backdoors. The earliest exploitation was detected in October 2022. The malware, including SALTWATER, SEASPY, and SEASIDE, provides persistent access and network traffic monitoring.

Recommendations: Replace all affected Barracuda ESG appliances immediately, regardless of patch level.
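As an added illustration of the mitigation for this bug class (not Barracuda's code and not the ESG implementation), the following Python check rejects tar member names that are unsafe to hand to a shell and invokes the archive tool with an argv list instead of a command string. The allow-list, the function names and the constructed sample archive are assumptions.

```python
"""Added example (not Barracuda code): validate tar member names before any
tool touches them, and never build a shell command string from them, which
is the mistake behind a qx-style command injection."""
import io
import re
import subprocess
import tarfile

# Allow-list for one path segment of a member name (assumed policy).
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def unsafe_members(data: bytes) -> list:
    """Return member names in a tar stream that fail the allow-list.

    Every '/'-separated segment must match SAFE_SEGMENT; empty, '.' and
    '..' segments and absolute paths are rejected as well, so a hostile
    archive can neither smuggle shell metacharacters nor escape the
    extraction directory."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            segments = name.split("/")
            if name.startswith("/") or any(
                seg in ("", ".", "..") or not SAFE_SEGMENT.match(seg)
                for seg in segments
            ):
                bad.append(name)
    return bad


def list_members_safely(path: str) -> list:
    """Invoke tar with an argv list and no shell: the archive path is a
    single argument, never interpolated into a command string."""
    out = subprocess.run(["tar", "-tf", path], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()


def build_sample_tar() -> bytes:
    """Constructed sample archive: one clean member name and one containing
    shell metacharacters of the kind a shell-based extractor would expand."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("reports/weekly.pdf", "reports/$(x); y.pdf"):
            info = tarfile.TarInfo(name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()
```

Run `unsafe_members()` on an upload before extraction and reject the whole archive if it returns anything; only then call a tool on it, and only in argv form.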

Exploit

Fix

RCE

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-02969
CVE-2023-2868

Affected Products

Barracuda Email Security Gateway Appliance