Barracuda has shipped a patch for a remote code execution vulnerability in some versions of its Email Security Gateway appliance that could allow an attacker to gain unauthorized access to a vulnerable appliance.
The bug affects versions 5.1.3.001-9.2.0.006 of the appliance, and does not affect the SaaS version of the product. Barracuda discovered the flaw on May 19 and pushed a patch to all of the ESG appliances the next day. After further investigation, the company pushed a nother patch a day later.
“We took immediate steps to investigate this vulnerability. Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances. As part of our containment strategy, all ESG appliances have received a second patch on May 21, 2023. Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers,” Barracuda said in its advisory.
“The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability.”
The Barracuda Email Security Gateway is a popular product in enterprise environments, and this vulnerability would certainly be of interest to attackers, given the broad deployment of the appliances. The good news is that Barracuda has pushed the patch to all of the affected devices automatically.
“The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product,” NIST said in an advisory.