2023-06-08

Security vendor Barracuda is advising customers to replace its vulnerable email security gateways (ESGs), following a May 2023 discovery that the appliances are being exploited.

Barracuda issued a patch on May 20 United States time for all ESG appliances worldwide, and is deploying a further set of security updates, but this isn't sufficient to address the vulnerability.

In its action notice, Barracuda said that "impacted ESG appliances must be immediately replaced regardless of patch version level."

"If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com)."

"Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG."

The security vendor said the vulnerability - CVE-2023-2868 - is due to "incomplete input validation of user supplied .tar [tape archive format] files as it pertains to the names of the files contained within the archive."
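The vulnerability class described above is a failure to validate archive member names before they are used. The following is an added illustration of the defensive check, not Barracuda's code and not tied to how the ESG processes attachments: it walks a .tar in memory and rejects any member name containing characters outside a conservative allow-list, an absolute path, or a `..` traversal component. The allow-list policy and the helper that builds a sample archive are assumptions made for this example.

```python
import io
import re
import tarfile

# Assumed allow-list: ordinary path characters only. Quotes, backticks,
# semicolons, whitespace and newlines are rejected before a name can reach
# any downstream tool or shell. This policy is an assumption for the example.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def unsafe_member_names(archive_bytes):
    """Return the member names in a .tar archive that fail validation.

    A name is rejected when it contains characters outside SAFE_NAME,
    is an absolute path, or has a '..' path component (path traversal).
    The archive is inspected only; nothing is extracted.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            name = member.name
            parts = name.split("/")
            if (not SAFE_NAME.match(name)
                    or name.startswith("/")
                    or ".." in parts):
                bad.append(name)
    return bad


def build_tar(names):
    """Construct an in-memory tar of empty files with the given names.

    This is a test fixture for the example, not a real attachment.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one benign name, one traversal, one with shell metacharacters.
    sample = build_tar(["good/file.txt", "../escape.txt", "bad`name'.txt"])
    for rejected in unsafe_member_names(sample):
        print("rejected member name:", repr(rejected))
```

The point of the allow-list approach is that it does not try to enumerate dangerous characters; anything not explicitly permitted is refused, so an archive that fails the check can be quarantined before its names are ever passed to other processing.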

Barracuda has discovered that the vulnerability can be used to remotely execute commands on the ESG appliances.

There is currently evidence of data exfiltration and malware being planted on the ESG appliances, allowing backdoor access for attackers.

Hackers have deployed a trojanised module, SALTWATER, for the Barracuda simple mail transfer protocol daemon (bsmtpd), and the SEASPY packet capture filter that provides remote access as well.

A further module, SEASIDE, is written in the Lua language, and it monitors SMTP session initiation HELO/EHLO commands to receive command and control IP addresses and ports which are passed on to an external binary.

This technique gives threat actors a reverse shell on the ESG appliances.
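A module that reads its command and control address out of HELO/EHLO commands, as described above, leaves a trace in SMTP session logs: greetings whose argument is not the hostname or address literal that RFC 5321 allows. The following is an added detection example written for this article, not a Mandiant or Barracuda detection, and the log line format it parses (`<timestamp> <client-ip> <VERB> <argument>`) is an assumption; the sample lines are constructed and use documentation address ranges.

```python
import re

# Assumed log format: "<timestamp> <client-ip> <HELO|EHLO> <argument>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<verb>HELO|EHLO) (?P<arg>.+)$"
)

# RFC 5321 permits a domain name or an address literal such as [192.0.2.1]
# or [IPv6:2001:db8::1] after HELO/EHLO. Anything else is unusual.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)
ADDR_LITERAL = re.compile(r"^\[(IPv6:)?[0-9A-Fa-f.:]+\]$")
# An IPv4 address followed by a port is the shape an out-of-band "connect here"
# instruction would take; it is never a valid greeting argument.
IP_PORT = re.compile(r"\b\d{1,3}(\.\d{1,3}){3}:\d{1,5}\b")


def suspicious_greetings(lines):
    """Return (timestamp, client, verb, argument, reason) for odd HELO/EHLO lines."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a greeting line in the assumed format
        arg = m["arg"].strip()
        reason = None
        if IP_PORT.search(arg):
            reason = "ip:port pair in greeting argument"
        elif not (HOSTNAME.match(arg) or ADDR_LITERAL.match(arg)):
            reason = "argument is neither a hostname nor an address literal"
        if reason:
            findings.append((m["ts"], m["client"], m["verb"], arg, reason))
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    "2023-05-21T02:14:07Z 198.51.100.23 EHLO mail.example.net",
    "2023-05-21T02:14:09Z 203.0.113.9 HELO [203.0.113.9]",
    "2023-05-21T02:14:11Z 203.0.113.77 EHLO 203.0.113.200:4444",
    "2023-05-21T02:14:12Z 203.0.113.77 HELO relay01",
]

if __name__ == "__main__":
    for finding in suspicious_greetings(SAMPLE_LOG):
        print(finding)
```

A hit from this check is a lead, not proof: misconfigured senders also produce malformed greetings. Its value is that an appliance whose mail daemon has been tampered with cannot hide the greeting itself, so the log remains a usable place to look even when the binary on the box is no longer trustworthy.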

Fellow security vendor Mandiant, owned by Google, is investigating the breach together with Barracuda.

It is not yet known which unauthorised third party gained access to the ESG appliances.