Barracuda has announced that its vulnerable Email Security Gateway (ESG) appliances should now be replaced immediately.
Despite releasing a patch for a high-severity zero-day vulnerability found roughly a week ago, the email and network security firm’s new advice suggests that affected devices are in fact beyond help.
The company updated its initial security advisory earlier this week to: “Impacted ESG appliances must be immediately replaced regardless of patch version level… Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
Three malware families
The company also says that it has notified all affected customers already. Those who are yet to replace their gear should contact the company via [email protected] as soon as possible.
Early last week, reports circulated of hackers exploiting a zero-day vulnerability in Barracuda’s ESGs over several months, targeting countless organizations with different malware. The zero-day is tracked as CVE-2023-2868, found in ESGs versions between 5.1.3.001 and 9.2.0.006.
According to the National Vulnerability Database, the flaw is a remote command injection vulnerability arising as the appliance fails to comprehensively sanitize the processing of .tar files (tape archives). In other words, formatting file names in a specific way allows the attackers to execute system commands.
Initially, Barracuda said it spotted three malware families being distributed via the zero-day: Saltwater, Seaside, and Seaspy. These three allow threat actors to download and upload files, run commands, establish persistence, and establish a reverse shell.
The patch was published on May 20. Advise to Affected businesses included rotating ESG appliance credentials where possible, including any connected LDAP/AD, Barracuda Cloud Control, FTP Server, SMB, and any private TLS certificates.
More than 200,000 organizations are using Barracuda’s products, the company claims. Some of its clients include Samsung, Delta Airlines, Mitsubishi, and others.