A critical zero-day flaw affecting Barracuda Networks' email security gateway appliance had been exploited for months prior to its discovery, according to a Tuesday update by the network security vendor.
Barracuda first disclosed the flaw, tracked as CVE-2023-2868, via a five-paragraph advisory on May 23. At the time, Barracuda did not detail the flaw beyond saying it "existed in a module which initially screens the attachments of incoming emails" and that only the company's email security gateway (ESG) customers were affected.
Barracuda published an update to its initial security advisory Tuesday, which provided significant new details regarding the flaw, including a timeline and indicators of compromise. According to the update, Barracuda engaged incident response firm Mandiant, a Google Cloud subsidiary, as soon as anomalous traffic was first discovered on May 18.
Based on the investigation, Barracuda said the flaw is a remote command injection vulnerability present in Barracuda ESG versions 5.1.3.001 through 9.2.0.006.
"The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive," the update read. "Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product."
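The input-validation gap described above, as an added example that is not taken from the advisory or from Barracuda's code: a Python allow-list check over tar member names that rejects any name unfit to be passed through a shell, exercised on a constructed in-memory archive. The allow-list pattern and the `unsafe_member_names` / `build_archive` helpers are assumptions for illustration, not Barracuda's actual fix.

```python
import io
import re
import tarfile

# Assumed policy: each path component may contain only these characters, so
# shell metacharacters (backticks, $(), ;, |, spaces) and traversal never reach
# a string-interpolated command such as Perl's qx. Not Barracuda's own rule.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def unsafe_member_names(archive_bytes):
    """Return the member names in a tar archive that fail the allow-list.

    An empty list means every name is safe to hand to a scanner as an argv
    element (never via a shell string).
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            absolute = member.name.startswith("/")
            traversal = any(p in ("", "..") for p in parts)
            if absolute or traversal or not all(SAFE_COMPONENT.match(p) for p in parts):
                bad.append(member.name)
    return bad


def build_archive(names):
    """Constructed sample: build an in-memory tar whose members carry the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment: one benign member and two with shell metacharacters.
    sample = build_archive(["report.pdf", "file$(cmd).txt", "notes;x.txt"])
    print("rejected member names:", unsafe_member_names(sample))
```

Rejected names should cause the whole attachment to be quarantined rather than scanned, since the name itself is the untrusted input.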
The investigation also uncovered that an unnamed threat actor exploited the flaw to gain access to "a subset of ESG appliances" and deployed three types of malware: "Saltwater," a Trojanized module with backdoor functionality; "Seaspy," a persistence backdoor that poses as a legitimate Barracuda service; and "Seaside," a Lua-based module used for command and control. Additional technical details are available in the update.
Barracuda and Mandiant found that the earliest evidence of exploitation for CVE-2023-2868 was October 2022, approximately seven months before Barracuda became aware of it. The investigation also found evidence of data exfiltration on a subset of ESG appliances, and Barracuda said those customers have been notified via the ESG user interface.
It's unclear how many ESG customers were affected by the zero-day attacks or what data might have been exfiltrated from customer environments. TechTarget Editorial asked Barracuda for comment on the findings, but the vendor declined.
For customers affected by the vulnerability, Barracuda advises ensuring relevant ESG appliances are receiving and applying updates, as initial patches for the flaw were released on May 20 and 21. If a device is compromised, Barracuda recommends discontinuing use of the ESG and contacting the company for a virtual or hardware replacement. Lastly, the vendor recommends rotating relevant credentials and reviewing network logs. A series of Yara rules is also available in the update.
Alexander Culafi is a writer, journalist and podcaster based in Boston.