cbcvebase.
CVE-2023-2868
published 2023-05-24


Priority: P1 · 96 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2023-06-16
Exploited in the wild
EPSS: 86.96% (99.7th percentile)
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar files (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can format these file names in a particular manner that results in remote execution of a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch. This patch was automatically applied to all customer appliances.

Affected (6 ranges)

Vendor     Product                              Version range              Fixed in
barracuda  barracuda_email_security_gateway     >= 5.1.3.001 < 9.2.0.006   9.2.0.006
barracuda  email_security_gateway_300_firmware  5.1.3.001 – 9.2.0.006
barracuda  email_security_gateway_400_firmware  5.1.3.001 – 9.2.0.006
barracuda  email_security_gateway_600_firmware  5.1.3.001 – 9.2.0.006
barracuda  email_security_gateway_800_firmware  5.1.3.001 – 9.2.0.006
barracuda  email_security_gateway_900_firmware  5.1.3.001 – 9.2.0.006

Detection & IOCs (extracted from sources)

process: Perl qx operator used for command injection via TAR filename
path: linux/smtp/barracuda_esg_tarfile_rce
  • Inspect TAR attachment filenames for backtick or shell metacharacter injection sequences; the vulnerability is triggered by specially crafted filenames within .tar archives processed by the ESG appliance via Perl's qx operator.
  • Monitor Barracuda ESG appliances for unusual outbound traffic or unexpected process execution; exploitation was observed as early as October 2022, months before discovery.
  • Check the ESG appliance UI for compromise notifications; Barracuda stated that appliances displaying a notification had indicators of compromise.
  • Review the network and endpoint indicators released by Barracuda, covering activity back to at least October 2022, for signs of compromise by UNC4841 (China-nexus threat actor).
  • CISA published additional IoCs associated with exploitation of CVE-2023-2868; consult CISA advisories for supplementary network and host-based indicators.
  • The affected version range is 5.1.3.001 through 9.2.0.006 (appliance form factor only); SaaS email solutions were not impacted.
  • Rotate all credentials connected to affected ESG appliances as part of incident response, in addition to device replacement.
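The filename inspection recommended in the first bullet, written out as an added example (not code from this page, from Barracuda, or from the ESG product): it walks a .tar archive's member headers without extracting anything and flags any member name carrying shell metacharacters, which is the class of name the description says reaches Perl's qx operator. The metacharacter set and the sample archive are assumptions constructed for the example.

```python
import io
import re
import tarfile

# Characters that become significant if a member name is interpolated into a
# shell command string (the qx() pattern described in the advisory text).
# This set is an assumption for the example, not Barracuda's own rule.
SHELL_META = re.compile(r'[`$;|&<>(){}\n\\]')


def suspicious_member_names(tar_bytes):
    """Return [(member name, metacharacters found)] for every archive member
    whose name contains shell metacharacters. Only headers are read; no
    member content is ever extracted, so the archive itself stays inert."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:  # iterating a TarFile yields TarInfo headers only
            hits = sorted(set(SHELL_META.findall(member.name)))
            if hits:
                findings.append((member.name, "".join(hits)))
    return findings


def build_sample_tar(names):
    """Constructed test input: an uncompressed tar of empty members with the
    given names, built in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Constructed sample: two ordinary names and two that a shell would treat as
# command substitution. The CONSTRUCTED tokens are placeholders, not payloads.
SAMPLE = build_sample_tar([
    "report.pdf",
    "q3/summary.txt",
    "notes`CONSTRUCTED`.txt",
    "img$(CONSTRUCTED).png",
])

if __name__ == "__main__":
    for name, chars in suspicious_member_names(SAMPLE):
        print(f"FLAG {name!r}: shell metacharacters {chars!r}")
```

The same check can be dropped into a mail-gateway attachment filter or a retrospective scan of quarantined .tar attachments; a hit warrants quarantining the message, not just logging it.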

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck               9.4    CRITICAL
cisa                    9.8    CRITICAL
vendor_redhat           5.5    MEDIUM