May 26, 2023 | Ravie Lakshmanan | Email Security / Zero-Day
Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company’s Email Security Gateway (ESG) appliances.
The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006.
The California-headquartered firm said the issue is rooted in a component that screens the attachments of incoming emails.
“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives),” according to an advisory from NIST’s National Vulnerability Database.
“The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.”
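To illustrate the class of check the advisory says was incomplete, the following added example (not Barracuda's code and not part of the original article) reads the member names of a .tar file without extracting anything and flags names containing characters a shell would interpret. The deny-list, function names and sample archive are assumptions constructed for this illustration.

```python
import io
import re
import tarfile

# Assumed deny-list for this example: characters a shell interprets specially,
# plus control characters. A name containing any of them is unsafe to
# interpolate into a command string such as one run through Perl's qx.
SHELL_META = re.compile(r"[`$;&|<>()'\"\\\x00-\x1f]")


def suspicious_members(tar_bytes):
    """Return (name, offending characters) for each flagged archive member.

    Only the tar headers are read; no member is ever extracted.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        for member in archive:
            hits = sorted(set(SHELL_META.findall(member.name)))
            if hits:
                findings.append((member.name, hits))
    return findings


def build_sample_tar(names):
    """Constructed test input: an in-memory tar of empty members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            archive.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two ordinary names and two that should be flagged.
    sample = build_sample_tar(
        ["report.pdf", "notes/q1 summary.txt", "scan`x`.txt", "a;b.log"]
    )
    for name, chars in suspicious_members(sample):
        print(f"flag: {name!r} contains {chars}")
```

A filter like this is a detection aid for mail or file pipelines; the more robust design is to never pass archive member names through a shell at all, handing them to child processes as discrete arguments instead.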
The shortcoming, Barracuda noted, was identified on May 19, 2023, prompting the company to deploy a patch across all ESG devices worldwide a day later. A second fix was released on May 21 as part of its “containment strategy.”
Additionally, the company’s investigation uncovered evidence of active exploitation of CVE-2023-2868, resulting in unauthorized access to a “subset of email gateway appliances.”
The company, which has over 200,000 global customers, did not disclose the scale of the attack. It said affected users have