Executive Summary

CVE-2023-2868 is a critical remote command injection vulnerability affecting the Barracuda Email Security Gateway (ESG) appliance. This vulnerability has been actively exploited in the wild, leading to unauthorized access and potential full system compromise. The vulnerability is due to improper handling and sanitization of .tar file attachments, allowing attackers to execute arbitrary commands on the affected systems. The Chinese cyber threat group UNC4841 has been exploiting this vulnerability since October 2022, targeting sectors across the United States, China, Hong Kong, Japan, South Africa, Germany, Brazil, Malaysia, Singapore, and more.

Technical Information

CVE-2023-2868 is a remote command injection vulnerability in the Barracuda Email Security Gateway (ESG) appliance, affecting versions 5.1.3.001 to 9.2.0.006. The vulnerability arises from incomplete input validation of user-supplied .tar files, specifically the names of the files contained within the archive. A remote attacker can format these file names in a particular manner to execute system commands through Perl's

The attack vector is network-based, requiring no user interaction or privileges, making it highly exploitable. The vulnerability allows for high confidentiality, integrity, and availability impacts, leading to potential full system compromise.

The vulnerability has been actively exploited by the Chinese cyber threat group UNC4841 since October 2022. The attackers have used this vulnerability to gain unauthorized access to a subset of ESG appliances, deploying malware and potentially compromising sensitive data.

Exploitation in the Wild

The exploitation of CVE-2023-2868 has been observed in the wild, with specific usage by the Chinese cyber threat group UNC4841. The attackers have deployed various malware on compromised ESG appliances, including SALTWATER, SEASPY, and SEASIDE.

SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. It allows attackers to upload/download files, execute commands, and proxy/tunnel traffic. The malware has been identified on compromised ESG appliances with the following indicators of compromise (IOCs):

• File Path: /home/product/code/firmware/current/lib/smtp/modules
• SHA256: 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4
• MD5: 827d507aa3bde0ef903ca5dec60cdec8
• File Type: ELF x86
• Size: 1,879,643 bytes

SEASPY is an x64 ELF persistence backdoor posing as a legitimate Barracuda service, monitoring traffic on port 25 (SMTP) and port 587. It is activated by a "magic packet" and has the following IOCs:

• File Path: /sbin/
• SHA256: 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115
• MD5: 4ca4f582418b2cc0626700511a6315c0
• File Type: ELF x64
• Size: 2,924,217 bytes

SEASIDE is a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands to receive a C2 IP address and port, passing them to an external binary to establish a reverse shell. The IOCs for SEASIDE are:

• SHA256: fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8
• MD5: cd2813f0260d63ad5adf0446253c2172
• File Type: Lua module
• Size: 2,724 bytes

APT Groups using this vulnerability

The Chinese cyber threat group UNC4841 has been identified as the primary actor exploiting CVE-2023-2868. This group has been active since October 2022, targeting sectors across various countries, including the United States, China, Hong Kong, Japan, South Africa, Germany, Brazil, Malaysia, and Singapore.

Affected Product Versions

The affected product versions for CVE-2023-2868 are Barracuda ESG versions 5.1.3.001 to 9.2.0.006. Organizations using these versions are at risk and should take immediate action to mitigate the vulnerability.

Workaround and Mitigation

Barracuda has released a patch (BNSF-36456) to address this vulnerability. The patch was automatically applied to all customer appliances. It is crucial for organizations using Barracuda ESG appliances to ensure that their systems are updated to the latest version to mitigate this vulnerability.

Recommendations for Impacted Customers

Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. Contact Barracuda support (support@barracuda.com) to validate if the appliance is up to date. Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance. Rotate any applicable credentials connected to the ESG appliance, including any connected LDAP/AD, Barracuda Cloud Control, FTP Server, SMB, and any private TLS certificates. Review your network logs for any of the IOCs listed and any unknown IPs. Contact compliance@barracuda.com if any are identified.

References

NVD - CVE-2023-2868 (https://nvd.nist.gov/vuln/detail/CVE-2023-2868) Barracuda ESG Vulnerability Advisory (https://www.barracuda.com/company/legal/esg-vulnerability) CISA Alert on Malicious Barracuda Activity (https://www.cisa.gov/news-events/alerts/2023/08/29/cisa-releases-iocs-associated-malicious-barracuda-activity) Rapid7 Blog on CVE-2023-2868 (https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-compromise-of-physical-barracuda-esg-appliances/) Picus Security Blog on CVE-2023-2868 (https://www.picussecurity.com/resource/blog/cve-2023-2868-barracuda-esg-vulnerability-actively-exploited-by-unc4841)

Rescana is here for you

At Rescana, we understand the critical importance of safeguarding your digital assets. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities in real-time. We are committed to providing you with the tools and insights needed to stay ahead of emerging threats. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.