
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-2868 is a critical remote command injection vulnerability discovered in the Barracuda Email Security Gateway (ESG) appliance form factor affecting versions 5.1.3.001-9.2.0.006. The vulnerability was identified on May 19, 2023, though it had been exploited as a zero-day since October 2022. The vulnerability stems from incomplete input validation of user-supplied .tar files, specifically in the processing of file names contained within these archives (NVD, Barracuda Status).
The vulnerability exists in a module that performs initial screening of email attachments. The flaw arises from improper sanitization during the processing of tape archive (.tar) files: the file names of entries within the archive are not properly validated. An attacker can format these file names so that they are executed as system commands through Perl's qx operator, with the privileges of the Email Security Gateway product. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) (NVD, Rapid7 Blog).
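The following is an added defensive example, not code from the page or from Barracuda: it shows the kind of screening an attachment scanner needs before an archive member name ever reaches a shell-interpolating call such as Perl's qx. It parses an in-memory .tar archive with Python's standard tarfile module, rejects any member whose name contains shell metacharacters or path-traversal components, and returns the argv list form (no shell) that a downstream tool invocation should use instead of string interpolation. The function names, the metacharacter set, and the sample archive are all constructed for this illustration.

```python
import io
import re
import tarfile

# Characters a POSIX shell interprets. A member name containing any of them must
# never be interpolated into a shell command string (Perl qx, os.popen, etc.).
SHELL_META = re.compile(r"[;&|`$()<>\n\"'\\*?\[\]{}~!#\s]")


def screen_tar_member_names(tar_bytes: bytes):
    """Split the members of an uncompressed tar archive into (safe, rejected) name lists.

    A name is rejected if it contains shell metacharacters, is absolute, or
    contains a '..' path component. Only the header is inspected; nothing is
    extracted, so the archive contents are never touched.
    """
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for member in tf:
            name = member.name
            if (SHELL_META.search(name)
                    or name.startswith("/")
                    or ".." in name.split("/")):
                rejected.append(name)
            else:
                safe.append(name)
    return safe, rejected


def tool_argv_for_member(name: str):
    """Return the argv list for handing a screened member name to an external tool.

    'file' is a hypothetical stand-in for whatever scanner is invoked; the point is
    the list form with a '--' separator, which passes the name as a single argument
    and never through a shell.
    """
    return ["file", "--", name]


def build_sample_tar(names):
    """Constructed sample: an archive whose members carry the given names and empty contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tar([
        "invoice.pdf",
        "q3/report.txt",
        "report;probe.txt",   # constructed: contains a command separator
        "`probe`.txt",        # constructed: contains command substitution
        "../escape.txt",      # constructed: path traversal
    ])
    ok, bad = screen_tar_member_names(sample)
    print("safe:", ok)
    print("rejected:", bad)
    for n in ok:
        print("would invoke:", tool_argv_for_member(n))
```

Screening the header alone is deliberate: an attachment scanner should decide whether a name is acceptable before any extraction or external tool invocation, and should quarantine the whole attachment rather than attempt to "clean" a rejected name.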
The vulnerability resulted in unauthorized access to a subset of ESG appliances. When exploited, it allows remote attackers to execute system commands with the privileges of the Email Security Gateway product. The impact was severe enough that Barracuda and the FBI recommended complete replacement of affected devices, regardless of patch level, indicating that the compromise was persistent and could not be remediated through software updates alone (Tenable Blog).
Initially, Barracuda released a security patch (version 9.2.0.008) on May 20, 2023, followed by a second patch on May 21, 2023. However, these patches were later deemed ineffective by the FBI. The current recommendation from both Barracuda and the FBI is to immediately decommission and replace ALL impacted ESG physical appliances, regardless of patch level. Customers are also advised to rotate any credentials connected to the ESG appliance, including LDAP/AD, Barracuda Cloud Control, FTP Server, SMB, and private TLS certificates (Barracuda Status, Tenable Blog).
The severity of this vulnerability prompted unprecedented recommendations from both the vendor and the FBI for complete hardware replacement, highlighting the serious nature of the compromise. The incident gained significant attention in the cybersecurity community, particularly due to the involvement of a state-sponsored threat actor and the inability to remediate the issue through traditional patching (Tenable Blog).
Source: This report was generated using AI