
What a Mess: Barracuda Swaps Countless Appliances — Malware Can’t be Removed – Source: securityboulevard.com


Source: securityboulevard.com – Author: Richi Jennings

Patching alone won’t cut it.

Barracuda Networks is on the hook to exchange thousands of email security appliances. An unknown number were pwned so hard that they can’t be patched. The only fix is to swap out the hardware itself.

Scrotes exploited a Barracuda zero-day for at least seven months. In today’s SB Blogwatch, we can’t quite believe it.


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Angry fuge.

ESG FAIL

What’s the craic? Sergiu Gatlan reports—“Barracuda says hacked ESG appliances must be replaced immediately”:

Used by over 200,000 organizations

Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability. … Customers who haven’t yet replaced their devices are urged to contact support urgently.



On May 24, Barracuda warned customers that their ESG appliances might have been breached via the CVE-2023-2868 bug and advised them to investigate their environments for signs of intrusion. [The] bug was exploited as a zero-day for at least seven months to backdoor customers’ ESG appliances with custom malware and steal data.



Barracuda says its products are used by over 200,000 organizations, including high-profile companies like Samsung, Delta Airlines, Mitsubishi, and Kraft Heinz. … A Barracuda spokesperson was not immediately available … for additional details on why … replacement is required.

Can that be right? Brian Krebs cycles in—“Barracuda Urges Replacing”:

Rotate any credentials

It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. … More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022.



Barracuda said it will be providing the replacement product to impacted customers at no cost. … ESG customers should also rotate any credentials connected to the appliance(s), and check for signs of compromise.

At no cost? I should hope not! Graham Cluley snarks it up—“Immediately rip out and replace”:

Any patch simply isn’t up to the job

LEGAL [in] the URL should have given away that things were serious.



Clearly hackers have managed to exploit security vulnerabilities … to such an extent that any patch simply isn’t up to the job of kicking them out. … No wonder Barracuda is getting some legal advice on how to communicate this to its customers.

What happened? Barracuda’s lawyers quietly mutter—“ACTION NOTICE”:

Remotely executing a system command through Perl

Impacted ESG appliances must be immediately replaced regardless of patch version level. … Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.



The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.
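The notice above describes a classic shape of bug: a name taken from an untrusted archive is interpolated into a shell command. As an added illustration (not Barracuda’s code, and not the ESG’s actual logic), here is the defensive pattern in Python: enumerate a tar’s member names without extracting, allowlist them strictly, and hand the name to the scanner as an argv list so no shell ever parses it. The archive is constructed inline, the allowlist policy is an assumption for this example, and /opt/scanner/scan is a hypothetical placeholder binary.

```python
import io
import re
import tarfile

# Allowlist (policy chosen for this example): a bare file name, no directory
# separators, no shell metacharacters, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def build_tar(names: list[str]) -> bytes:
    """Construct a small in-memory tar archive with the given member names (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def partition_members(tar_bytes: bytes) -> tuple[list[str], list[str]]:
    """Split member names into (accepted, rejected) by reading headers only; nothing is extracted."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and SAFE_NAME.fullmatch(member.name):
                accepted.append(member.name)
            else:
                rejected.append(member.name)
    return accepted, rejected


def scanner_argv(member_name: str, workdir: str) -> list[str]:
    """Build the scanner invocation as an argv list for subprocess.run(..., shell=False).

    The vulnerable shape the notice describes is the string-interpolation
    equivalent, e.g. Perl's qx(scan $name) or Python's subprocess.run(f"scan {name}", shell=True):
    the file name becomes part of a shell command line. An argv list never reaches a shell.
    /opt/scanner/scan is a hypothetical placeholder.
    """
    if not SAFE_NAME.fullmatch(member_name):
        raise ValueError(f"refusing unsafe archive member name: {member_name!r}")
    return ["/opt/scanner/scan", "--", f"{workdir}/{member_name}"]
```

The two checks are independent defenses: even if the allowlist were loosened, the argv form alone removes the shell from the data path.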

Wait. Pause. Did you say Perl? danstl sets the Wayback machine to Stun:

Man, I remember back in the day you had to be crazy to be handling input / output sanitization with Perl. If you did you were a programming god, or just had no idea you just gave the keys to the kingdom away.

Let’s sit back and admire the universe’s astounding sense of irony. samstave reminds us that the device whose job is to filter out malware was … errm … infected by malware:

Heh — uhm — isn’t that, like, the core component of the device’s job?

And gweihir expands on the theme:

Insecurity caused by security devices: How utterly and completely pathetic.

We really need to start making sound software engineering practices mandatory in all commercial software engineering. … This story is basically about security-critical technology so badly made that it starts to rot.

Barracuda is replacing devices at no charge, but what of the other costs? White Hat Bob throws his hat in the ring:

Consequential losses, such as the labor to replace units, are legally easier for the manufacturer to avoid, and they will likely be a matter of some negotiation, regulatory action, or litigation.



Any way you look at it, it’s an existential crisis for the manufacturer.

Meanwhile, this Anonymous Coward isn’t impressed:

I don’t have their kit, but if I did, I would replace it — with a competitor’s!

And Finally:

Music-theory nerds: Assemble



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Anthony Tran (via Unsplash; leveled and cropped)


Original Post URL: https://securityboulevard.com/2023/06/barracuda-esg-swap-richixbw/

Category & Tags: Analytics & Intelligence,API Security,Application Security,Cloud Security,Cyberlaw,Cybersecurity,Data Security,DevOps,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Incident Response,Industry Spotlight,Malware,Most Read This Week,Network Security,News,Popular Post,Security Boulevard (Original),Security Operations,Spotlight,Threat Intelligence,Threats & Breaches,Vulnerabilities,Zero-Trust,Barracuda,Barracuda Networks,email,email security,Email Security Gateway,ESG,SB Blogwatch
