Compromise of Barracuda ESG gateways requiring hardware replacement

Barracuda Networks has announced that ESG (Email Security Gateway) appliances infected with malware through a 0-day vulnerability in the email attachment handling module must be physically replaced. The previously released patches are reported to be insufficient to stop the malware from being installed. No details are given, but the decision to replace the hardware presumably means the attack installed malware at a low enough level that it cannot be removed by reflashing or a factory reset. The appliances will be replaced free of charge; whether the cost of shipping and replacement work is covered is not specified.

ESG is a hardware and software appliance that protects enterprise email from attacks, spam and viruses. On May 18, anomalous traffic from ESG devices was detected and turned out to be the result of malicious activity. Analysis showed that the devices had been compromised through an unpatched (0-day) vulnerability (CVE-2023-28681) that allows arbitrary code execution by sending a specially crafted email. The root cause was missing validation of filenames inside tar archives sent as email attachments: a filename was passed unescaped to the Perl "qx" operator, so a crafted name allowed arbitrary commands to be executed with elevated privileges.
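As an added illustration (not code from the article or from Barracuda), a Python check in the spirit of the validation that was missing: it walks the members of a tar attachment built in memory and flags any name that must never reach a shell interpolation or be used as a path. The allow-list pattern and the sample archive are assumptions made for the demo.

```python
import io
import re
import tarfile

# Assumed allow-list: plain relative names from a conservative character set.
# Anything else (quotes, backticks, $, ;, spaces, ...) is rejected outright
# rather than escaped, so the name can never be interpolated into a command.
SAFE_NAME = re.compile(r'^[A-Za-z0-9._][A-Za-z0-9._/-]*$')


def check_tar_member_names(data: bytes) -> dict:
    """Return {member_name: reason} for every member whose name is unsafe.
    An empty dict means every name passed the checks."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                findings[name] = "absolute path or directory traversal"
            elif not SAFE_NAME.match(name):
                findings[name] = "characters outside the allow-list (shell metacharacters)"
    return findings


def build_sample_tar(names) -> bytes:
    """Constructed in-memory archive for the demo; each member holds a few bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two benign names and three that a validator must reject.
    sample = build_sample_tar([
        "report.pdf",
        "docs/readme.txt",
        "`hostname`.txt",
        "../../etc/cron.d/job",
        "a;b.txt",
    ])
    for name, reason in check_tar_member_names(sample).items():
        print(f"REJECT {name!r}: {reason}")
```

A validated name should still be passed to a subprocess as a separate argv element, never spliced into a shell command string.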

The vulnerability is present in standalone ESG appliances with firmware versions 5.1.3.001 through 9.2.0.006 inclusive. Exploitation has been traced back to October 2022, and the problem went unnoticed until May 2023. Attackers used the vulnerability to install several kinds of malware on the gateways: SALTWATER, SEASPY and SEASIDE, which provide external access to the device (a backdoor) and are used to intercept confidential data.

The SALTWATER backdoor was built as a mod_udp.so module for the bsmtpd SMTP process and could upload and run arbitrary files on the system, as well as proxy requests and tunnel traffic to an external server. The backdoor gained control by hooking the send, recv and close calls.

The SEASIDE component was written in Lua and installed as a mod_require_helo.lua module for the SMTP server. It monitored incoming HELO/EHLO commands, recognised requests from the C&C server, and extracted the parameters used to launch a reverse shell.

SEASPY was a BarracudaMailService executable installed as a system service. It used a PCAP-based filter to monitor traffic on TCP ports 25 (SMTP) and 587 and activated its backdoor when a packet containing a special byte sequence was seen.

On May 20, Barracuda released an update fixing the vulnerability, which was delivered to all devices on May 21. On June 8, it announced that the update was not sufficient and that compromised devices had to be physically replaced. Users are also advised to rotate any access keys and credentials that were stored on or used by the Barracuda ESG, such as those for LDAP/AD and Barracuda Cloud Control. According to preliminary data, about 11 ESG devices on the network run the Barracuda Networks Spam Firewall smtpd service used in the Email Security Gateway.

Source: opennet.ru