Barracuda Networks said patches for a critical zero-day vulnerability in its email security gateway appliance are insufficient and the devices must be replaced entirely. However, the replacement process remains unclear.
The vendor warning comes two weeks after Barracuda initially disclosed the remote command injection vulnerability tracked as CVE-2023-2868. An incident response investigation with Mandiant revealed that data exfiltration had occurred and malware containing a backdoor was installed on some email security gateway (ESG) devices. The investigation also found that the zero-day had been exploited as far back as October 2022.
While Barracuda released a first patch on May 20 and a second on May 21, the vendor issued an action notice on June 6 urging affected customers to replace their devices "immediately." It's been two days since the advisory update, but the vendor has not provided any guidance.
"Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now," Barracuda wrote in the action notice. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG."
The vendor did not address how customers are supposed to replace the products or where financial responsibility lies. In addition, it did not specify problems with the released patches or explain why the hardware products need to be replaced.
Barracuda did not respond to requests for comment at press time.
UPDATE 6/9: Barracuda sent the following statement to TechTarget Editorial:
"An ESG product vulnerability allowed a threat actor to gain access to and install malware on a small subset of ESG appliances. On May 20, 2023, Barracuda deployed a patch to ESG appliances to remediate the vulnerability. Not all ESG appliances were compromised, and no other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability.
As of June 8, 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability. Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.
We have notified customers impacted by this incident. If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time. Again, only a subset of ESG appliances were impacted by this incident.
Barracuda's guidance remains consistent for customers. Out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance. If a customer received the User Interface notification or has been contacted by a Barracuda Technical Support Representative, the customer should contact [email protected] to replace the ESG appliance. Barracuda is providing the replacement product to impacted customers at no cost.
If you have questions on the vulnerability or incident, please contact [email protected]. Please note that our investigation is ongoing, and we are only sharing verified information. Barracuda has engaged and continues to work closely with Mandiant, leading global cyber security experts, in this ongoing investigation. We will provide updates as we have more information to share."
UPDATE 6/9: In a blog post Thursday, Caitlin Condon, vulnerability research manager at Rapid7, said Barracuda's call to replace all affected ESG devices underscores how grave the situation is for the vendor. "The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldn't eradicate attacker access," she wrote in the blog.
Condon told TechTarget Editorial she's never heard of a situation like this before.
In the blog post, she also said Rapid7 conducted incident response investigations that found exploitation of CVE-2023-2868 began as early as November 2022 and continued as recently as May. In one case, Rapid7 also observed potential data exfiltration. Rapid7 also scanned for ESG appliances using the banner "Barracuda Networks Spam Firewall SMTP daemon" and said there may be 11,000 such appliances exposed on the internet. However, Condon noted other Barracuda appliances may run the same service, which would inflate the count.
According to the vendor's website, Barracuda's limited warranty for all products covers hardware products for one year for "defects in materials and workmanship." The software warranty is applicable for 90 days and states that the product will be at the time of delivery "free from what are commonly defined as viruses, worms, spyware, malware and other malicious code that may potentially hamper performance."
The flaw, which received a CVSS score of 9.8, affects Barracuda ESG versions 5.1.3.001 through 9.2.0.006. It is a remote command injection bug in how the appliance processes archive attachments: the names of the files inside a specially crafted archive are not fully sanitized, so a remote attacker who sends such an attachment can have a system command of their choosing executed with the privileges of the ESG product.
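To make the vulnerability class concrete, the following Python script is an added illustration written for this article; it is not Barracuda's code and does not reproduce the ESG implementation. It builds an in-memory .tar archive from constructed sample member names, flags the names a POSIX shell would not treat as a single literal word, and contrasts the unsafe pattern (pasting the name into a shell command string) with the safe one (passing the name as a single argv element). The `echo` command, the sample names and the metacharacter list are assumptions chosen for the demonstration.

```python
"""Added example: why attacker-controlled archive member names are a
command-injection vector, with a check that flags them.
Not Barracuda's code; the vulnerable pattern is modelled, not reproduced."""
import io
import re
import subprocess
import tarfile

# Characters a POSIX shell interprets when a bare name is pasted into a command
# string: command substitution, pipes, separators, quotes, redirection, globs,
# whitespace.  (Assumed list for the demo, not an exhaustive sanitizer.)
SHELL_META = re.compile(r"[`$|;&<>(){}\[\]\\\"'*?~\s]")

# Constructed sample member names: one benign, two carrying shell syntax.
SAMPLE_NAMES = [
    "report.pdf",
    "invoice$(echo INJECTED).pdf",
    "a;id.txt",
]


def build_archive(names):
    """Build an in-memory .tar whose member names are attacker-chosen (test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)  # the name is stored verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes):
    """Return the member names exactly as stored in the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


def suspicious_members(tar_bytes):
    """Return member names that contain shell metacharacters."""
    return [n for n in member_names(tar_bytes) if SHELL_META.search(n)]


def vulnerable_command(name):
    """Unsafe pattern: the name is interpolated into a shell command string.
    'echo' stands in for whatever tool the scanner runs on each file."""
    return "echo " + name


def safe_argv(name):
    """Safe pattern: the name is one argv element and no shell is involved;
    '--' stops option parsing so a name starting with '-' is still a filename."""
    return ["echo", "--", name]


if __name__ == "__main__":
    archive = build_archive(SAMPLE_NAMES)
    for name in suspicious_members(archive):
        print("suspicious member name:", repr(name))
    hostile = SAMPLE_NAMES[1]
    # shell=True hands the string to /bin/sh, which evaluates $(echo INJECTED).
    out = subprocess.run(vulnerable_command(hostile), shell=True,
                         capture_output=True, text=True).stdout.strip()
    print("vulnerable pattern printed:", out)
    # Without a shell the name reaches the program verbatim; nothing is evaluated.
    out = subprocess.run(safe_argv(hostile), capture_output=True, text=True).stdout.strip()
    print("safe pattern printed:", out)
```

Run as a script, the vulnerable branch prints `invoiceINJECTED.pdf` because the shell performed the substitution, while the argv branch prints the name untouched. The check is a triage aid for archives already on disk; the actual fix is never to let a shell see an attacker-supplied name at all.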
It's unclear how many affected ESG products are in use. Barracuda ESG customers are located across the globe and include organizations in government, financial, healthcare and education sectors.
Arielle Waldman is a Boston-based reporter covering enterprise security news.