Tuesday, December 24, 2024
HomeCyber Security NewsExploit Released For Barracuda Shell Command Injection Vulnerability

Exploit Released For Barracuda Shell Command Injection Vulnerability

Published on

SIEM as a Service

The Barracuda Email Security Gateway (ESG) appliance has a remote command injection vulnerability that affects versions 5.1.3.001–9.2.0.006.

This vulnerability was identified to be CVE-2023-2868, with a CVSS score of 9.8. It has been actively exploited since October 2022.

The flaw stems from a failure to comprehensively sanitize the processing of .tar files (tape archives).

- Advertisement - SIEM as a Service

Incomplete input validation of a user-supplied[.]tar file concerning the files’ names inside the archive leads to the vulnerability.

As a result, a remote attacker can construct these file names to enable remote system command execution using Perl’s qx operator and the Email Security Gateway product’s capabilities. 

As part of the BNSF-36456 patch, this problem was resolved. All appliances owned by customers had this patch deployed automatically.

Exploit For Barracuda Flaw

According to the Rapid7 reports, researchers used secondhand Barracuda ESG 300 with firmware version 8.0.1.001 for analysis. They quickly verified successful command execution against the actual device using ping and dig commands using the PoC and some basic fuzzing. 

They instantly validated that these commands functioned by using dnschef and wireshark on all traffic! The following payload, which was also stated in the Mandiant alert, was utilized to obtain shell access:

“We found references to amavisd in the filesystem. amavisd is part of amavisd-new, an interface between mailers and content checkers such as virus scanners (and the source of several Zimbra vulnerabilities last year, including the exploits for CVE-2022-30333 and CVE-2022-41352”, says the report.

All this, according to researchers, is crucial for processing .tar files.

Code Snippet of Perl file

Barracuda ESG is a service that filters inbound and outgoing emails while also securing customer data. ESG can be implemented as a physical or virtual appliance and on the public cloud on AWS or Microsoft Azure.

Barracuda has provided a comprehensive overview of the issue thus far, including significant signs of penetration, new vulnerability details, and details on the backdoored module for Barracuda’s SMTP daemon.

Reports say that based on a known ESG appliance that runs the “Barracuda Networks Spam Firewall” SMTP daemon, it looked to be around 11,000 appliances on the internet as of June 8 (Barracuda Networks Spam Firewall smtpd).

Hence, Barracuda Email Security Gateway users who have physical appliances should immediately update to the newest firmware.

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...