Barracuda tells its ESG owners to 'immediately' junk buggy kit
That patch we issued? Yeah, it wasn't enough
Barracuda has now told customers to "immediately" replace infected Email Security Gateway (ESG) appliances — even if they have received a patch to fix a critical bug under exploit.
The vendor disclosed the remote command injection bug, tracked as CVE-2023-2868, last week; it affects versions 5.1.3.001 to 9.2.0.006 of the ESG appliance range. The flaw can be, and has been, abused to run remote commands on targeted equipment and deploy data-stealing spyware on the boxes.
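A defender's first job after a notice like this is to find which appliances in an inventory ran an affected build. The following is an added example written for this article, not code from Barracuda or Rapid7: it parses dotted ESG version strings and checks them against the affected range the advisory names (5.1.3.001 through 9.2.0.006 inclusive). The inventory dictionary and its hostnames are constructed sample data, and the assumption is that the recorded version is the build the appliance ran when it was exposed; the vendor's notice says replacement applies regardless of the patch level an appliance later received, so the check is about exposure, not current patch status.

```python
# Added example: flag ESG appliances whose firmware version falls inside the
# range the Barracuda advisory lists as affected by CVE-2023-2868.
from typing import Dict, Tuple

# Range boundaries taken from the advisory as quoted in the article.
AFFECTED_MIN = "5.1.3.001"
AFFECTED_MAX = "9.2.0.006"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '5.1.3.001' into a comparable tuple.

    Each component is converted with int(), so the leading zeros in the
    fourth component are not significant. Anything that is not
    dot-separated digits raises ValueError rather than silently comparing.
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(t: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad a version tuple with zeros so tuples of different length compare sanely."""
    return t + (0,) * (n - len(t))


def is_affected(version: str) -> bool:
    """True when version is within [AFFECTED_MIN, AFFECTED_MAX] inclusive."""
    v = parse_version(version)
    lo = parse_version(AFFECTED_MIN)
    hi = parse_version(AFFECTED_MAX)
    n = max(len(v), len(lo), len(hi))
    return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> version to name -> 'replace' or 'outside-range'.

    'replace' follows the vendor notice quoted in the article: an appliance
    that ran an affected build is to be replaced regardless of patch level.
    """
    return {
        name: ("replace" if is_affected(ver) else "outside-range")
        for name, ver in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "esg-dc1": "8.0.1.010",
        "esg-dc2": "5.1.2.999",
        "esg-lab": "9.2.0.006",
        "esg-new": "10.0.0.001",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The padding step matters because a truncated entry such as "5.1.3" compares as 5.1.3.000, which sits just below the start of the range and is therefore not flagged; if an inventory source drops the fourth component, treat its entries as unknown rather than clean.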
Barracuda pushed a patch to all affected products the day after discovering the issue, but that wasn't quick enough. Criminals had been exploiting the vulnerability for at least seven months before the fix.
On Tuesday, the security shop added an "action notice" to the ESG vulnerability alert, recommending "full replacement" of the compromised products:
Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (firstname.lastname@example.org).
Barracuda's remediation recommendation at this time is full replacement of the impacted ESG.
Barracuda did not immediately respond to The Register's questions about why customers need to replace patched appliances, and who is responsible for the intrusions.
The vendor's earlier security advisory lists indicators of compromise and details the three types of malware that miscreants deployed on compromised devices. These include a backdoor dubbed Saltwater for uploading and downloading files and executing commands; it also has proxy and tunneling capabilities.
Rapid7 estimates there to be about 11,000 Barracuda ESG appliances on the internet, based on the Barracuda Networks Spam Firewall SMTP daemon. "Notably, if other Barracuda appliances also run this service, that number may be inflated," the security shop warned in an advisory today.
Rapid7's threat hunting team also spotted malicious activity targeting the appliances "as far back as November 2022," including at least one case where the attackers appeared to steal data after compromising the device. "We have not yet observed any lateral movement from a compromised appliance," Rapid7 noted.