Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Critical actively exploited Remote Code Execution Vulnerability affects Barracuda Email Security Gateway appliances, Verify and check asap!
Image
Published : 01/06/2023
Reference:
Advisory #2023-64
Version:
1.0
Affected software:
Barracuda Email Security Gateway (ESG) appliances
Type:
Remote Command Execution (RCE)
CVE/CVSS:
CVE-2023-2868 CVSS:9.4
Sources
https://www.barracuda.com/company/legal/esg-vulnerability
https://status.barracuda.com/incidents/34kx82j5n4q9
Risks
Successful exploitation of CVE-2023-2868 could allow an attacker to execute commands on the appliance on an affected device. This access could be used for data exfiltration or possible lateral movement inside the network.
CVE-2023-2868 has a high impact on all vertices of the CIA triad (Confidentiality, Integrity, Availability).
Active exploitation was observed by Barracuda, Vigilance is required.
Description
On May 19th Barracuda identified CVE-2023-2868, a Remote Code Execution vulnerability on their Email Security Gateway (ESG) appliances. Barracuda has determined an exploit was used to gain unauthorized access to some ESG appliances. On an affected system Barracuda found backdoor malware, and evidence of data exfiltration. The vulnerability affects the ESG appliances of Barracuda, other barracuda systems are not affected by this vulnerability.
The vulnerability is triggered from an incomplete input validation on user supplied .tar files. An attacker could format filenames in a certain manner to trigger a system command to execute on the device.
Recommended Actions
Barracuda ESG appliances should be automatically updated. Barracuda notified organisations that are possibly vulnerable for CVE-2023-2868 via the ESG interface.
The Centre for Cyber security Belgium strongly recommends system administrators to check their Barracuda ESG appliances if they received a notification about possible exploitation and check if their appliance is running the latest software version.
The Centre for Cyber security Belgium strongly recommends system administrators to scan their infrastructure for the disclosed Indicators of Compromise for evidence of exploitation attempts such as the tar file, or data exfiltration to the mentioned C2 addresses. Indicators are available in the vulnerability disclosure report from Barracuda: https://www.barracuda.com/company/legal/esg-vulnerability
References
https://nvd.nist.gov/vuln/detail/CVE-2023-2868
https://www.cisa.gov/news-events/alerts/2023/05/26/cisa-adds-one-knownexploited-vulnerability-catalog