Barracuda discloses zero-day flaw affecting ESG appliances

Barracuda Networks said threat actors exploited the zero-day to gain 'unauthorized access to a subset of email gateway appliances,' though it did not say how many.

Barracuda Networks on Tuesday disclosed a zero-day vulnerability that has been used in attacks against its email security gateway appliance customers.

Barracuda disclosed the flaw in its email security gateway (ESG) product via a five-paragraph advisory on its website. According to the advisory, the network security vendor discovered the flaw on May 19 before releasing patches on May 20 and 21.

Barracuda did not detail the nature of the vulnerability, tracked as CVE-2023-2868, in the advisory beyond saying the flaw "existed in a module which initially screens the attachments of incoming emails" and that no other Barracuda product is subject to the flaw. On its webpage dedicated to the vulnerability, NIST described an input validation issue for user-supplied TAR files that can allow unauthorized users to gain remote access.

Barracuda said it immediately began to investigate the vulnerability and found that the flaw "resulted in unauthorized access to a subset of email gateway appliances."

"Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers," the advisory read. "Barracuda's investigation was limited to the ESG product, and not the customer's specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take."

TechTarget Editorial contacted Barracuda Networks to ask about the number of customers affected and the nature of the vulnerability, but the vendor declined to comment. Instead, a spokesperson shared a statement that reiterated key details of the advisory and provided some additional details.

The statement clarified that a "small subset" of appliances was affected, rather than a "subset" as the public-facing advisory claimed. The statement also said the May 21 patch was a "mitigating measure" to address indicators of potential compromise found up to that point, and that if a customer had not received a notice via the ESG user interface, Barracuda has "no reason to believe their environment has been impacted at this time and there are no actions for the customer to take."

The full statement read as follows:

Barracuda recently became aware of a security incident impacting our Email Security Gateway appliance (ESG). The incident resulted from a previously unknown vulnerability in our ESG. A security patch to address the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023. Based on our investigation to date, we've identified unauthorized access affecting a small subset of appliances. As a mitigating measure, all appliances received a second patch on May 21, 2023, addressing the indicators of potential compromise identified to date. We have reached out to the specific customers whose appliances are believed to be impacted at this time. If a customer has not received notice from us via the ESG user interface, we have no reason to believe their environment has been impacted at this time and there are no actions for the customer to take. We thank you for your understanding and support as we work through this issue and sincerely apologize for any inconvenience it may cause.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
