On May 20 and May 21, 2023, Barracuda, a prominent provider of email and network security solutions, released software patches for their Email Security Gateway (ESG) software. These updates were developed in response to the discovery of a zero-day vulnerability on May 19, which could potentially grant unauthorized access to Barracuda’s appliances. While the patches successfully address the vulnerability in the ESG software, the company has advised that additional analysis of customers’ environments should be undertaken.
The zero-day vulnerability, assigned CVE-2023-2868, exploits the use of .tar files sent via email. Due to inadequate internal file analysis and a lack of input sanitization, an attacker can exploit this vulnerability to remotely execute code through Perl’s qx operator, leveraging the privileges of the ESG. Barracuda clarified that this flaw specifically affects a module responsible for screening attachments in incoming emails. It is important to note that no other Barracuda products, including their Software-as-a-Service (SaaS) email security services, are susceptible to this vulnerability.
Upon the public disclosure of the exploit, Barracuda promptly released an immediate patch to address the vulnerability. Additionally, a secondary patch was distributed to implement a containment strategy for the issue.
Barracuda has initiated the process of notifying their clients about the vulnerability and conducting a thorough analysis of their product’s appliances for any potential additional vulnerabilities related to this zero-day exploit. Due to the ongoing nature of the investigation, the vendor recommends that clients perform a local analysis to detect any potential compromises. However, users of the ESG have already been provided with clear instructions on recommended actions to mitigate the risks associated with this vulnerability.
My take: it appears that the software’s vulnerability stems from an internal misconfiguration. These types of vulnerabilities are not uncommon, and it is commendable to witness the rapid response from companies in releasing critical patches to address them. While the Proof-of-Concept for this particular issue has not been made public, it piques my curiosity to understand how a .tar file could be structured in a manner that bypasses the software’s input sanitization mechanisms.