Barracuda network appliance vulnerability “actively exploited” for seven months


A critical vulnerability discovered in Barracuda Networks devices may have been actively exploited for seven months, the company has revealed. 

The security firm said the flaw, which was first discovered in May, affected its Email Security Gateway (ESG) appliance and was patched after an initial investigation. 

This week, however, analysis of the vulnerability revealed it had been actively exploited for several months before the patch was issued.

Barracuda Networks said the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022”.

In its advisory, the firm said the vulnerability stemmed from “incomplete input validation” of user-supplied .tar files. 


The flaw meant that a remote attacker could craft file names inside the archive so that a system command was executed remotely through Perl’s qx operator.
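The bug class the advisory describes (a file name taken from an untrusted .tar archive and interpolated into a shell command) has a conventional fix: validate member names against an allow-list before they are used anywhere, and hand them to external tools as an argument vector rather than a shell string. The following is an added illustration written for this page in Python; it is not Barracuda’s own code, which is Perl. The allow-list pattern, the `file` scanner and the sample archive contents are assumptions made for the example.

```python
import io
import re
import subprocess
import tarfile

# Allow-list for archive member names (assumed pattern for this example, not
# Barracuda's). Anything outside it is rejected before the name is used:
# no path separators or traversal, no leading dash (a downstream tool could
# read it as an option), and none of the characters a shell treats specially.
SAFE_MEMBER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def unsafe_members(tar_bytes: bytes) -> list[str]:
    """Return every member name in the archive that fails the allow-list.

    The archive is only listed, never extracted, so a hostile name cannot
    touch the filesystem while it is being checked.
    """
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        for member in archive:
            if not SAFE_MEMBER_NAME.fullmatch(member.name):
                rejected.append(member.name)
    return rejected


def scan_argv(member_name: str, scanner: str = "file") -> list[str]:
    """Build the argument vector for an external scanner (assumed: `file`).

    A list is passed to the process, never a shell string, so the name
    reaches the program as one verbatim argument and shell metacharacters
    in it are inert. The '--' guard stops a name beginning with '-' from
    being parsed as an option. The Perl equivalent of the hazard is
    interpolating the name into qx{...}, which hands the string to /bin/sh.
    """
    return [scanner, "--", member_name]


def run_scan(member_name: str, scanner: str = "file") -> subprocess.CompletedProcess:
    """Invoke the scanner safely: argument list, shell=False (the default)."""
    return subprocess.run(scan_argv(member_name, scanner),
                          capture_output=True, text=True, check=False)


def planned_scans(tar_bytes: bytes) -> list[list[str]]:
    """Validate every member name, then return the argv the appliance would run.

    Raises ValueError, and plans nothing, if any single name is unsafe; the
    archive is treated as a unit so a bad member cannot slip through.
    """
    rejected = unsafe_members(tar_bytes)
    if rejected:
        raise ValueError(f"rejected archive: unsafe member names {rejected!r}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        return [scan_argv(member.name) for member in archive]


def build_sample_tar(names: list[str]) -> bytes:
    """Constructed test archive: each name becomes a tiny regular file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in names:
            payload = b"constructed sample content\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            archive.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one benign name, one with a shell metacharacter,
    # one with path traversal.
    sample = build_sample_tar(["invoice.pdf", "notes;touch.txt", "../etc/passwd"])
    print("rejected:", unsafe_members(sample))
```

The allow-list approach is deliberately stricter than trying to escape a name for the shell: rejecting the archive up front means the name never reaches a command line at all, and the argument-vector call covers the case where a validated name is later passed to a tool anyway.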

The investigation also revealed that a third party exploited this to gain unauthorized access to a subset of ESG appliances. 

“Barracuda's investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances,” the firm said in its advisory. 

Malware was identified on this subset of appliances, Barracuda revealed, which would allow for persistent backdoor access. In addition, the company said it uncovered evidence of data exfiltration on impacted appliances.  

Two specific malware strains were highlighted by Barracuda during a post-mortem analysis of the incident. This included SALTWATER, a trojanized module for the Barracuda SMTP daemon that contains backdoor functionality.

SALTWATER enables threat actors to upload or download arbitrary files and execute commands, as well as proxy and tunneling capabilities, Barracuda said. 

Another type of malware, known as SEASPY, was also identified during the probe led by Barracuda and Mandiant. SEASPY contains backdoor functionality that is activated by a ‘magic packet’, according to researchers.

“SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP),” the firm said. 

Barracuda engaging with affected customers

Barracuda insisted that no other products were affected by the vulnerability, including its SaaS email security services. 

The company added that customers potentially impacted by the incident have been notified via the ESG user interface, and the company has reached out to specific customers directly. 

Barracuda has around 200,000 customers globally. However, the exact number of those affected by the vulnerability has yet to be determined. 

ITPro approached Barracuda for comment on the matter, but hadn’t received a response at the time of publication. 

Ross Kelly
News and Analysis Editor
