Barracuda ESG Gateways Compromise Equipment, Require Replacement

Barracuda Networks has announced that its Email Security Gateway (ESG) appliances must be physically replaced because of malware installed through a zero-day vulnerability in the email attachment processing module. The previously released patches are not sufficient to resolve the problem. The decision to replace the appliances free of charge is believed to follow an attack that installed malware at a low level, where it cannot be removed by reflashing the firmware or resetting the device to factory state.

ESG is a hardware and software appliance that protects enterprise email against attacks, spam and viruses. Anomalous traffic from ESG devices was first recorded on May 18. Analysis showed that the devices had been compromised through an injection vulnerability (CVE-2023-28681) that allows arbitrary code execution by sending a specially crafted email. The flaw stems from missing validation of the file names inside TAR archives sent as email attachments, which allowed arbitrary commands to be executed on the system with elevated privileges.
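The root cause described above is a missing check on archive member names before they reach a command line. The following defensive check is an added example, not Barracuda's code or the ESG's actual implementation: it inspects every member name of a TAR attachment in memory, without extracting anything, and rejects absolute paths, path traversal and shell metacharacters. The sample archive and its member names are constructed inline for the example.

```python
import io
import re
import tarfile
from typing import List, Tuple

# Characters that must never appear in a member name that is later placed
# into a string-built command line (assumption: the consumer shells out).
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\r'\"\\ ]")

def check_member_name(name: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a single tar member name."""
    if name.startswith("/") or name.startswith("\\"):
        return False, "absolute path"
    if ".." in name.replace("\\", "/").split("/"):
        return False, "path traversal"
    if SHELL_METACHARS.search(name):
        return False, "shell metacharacter"
    if not name.isprintable():
        return False, "non-printable character"
    return True, "ok"

def scan_tar(data: bytes) -> List[Tuple[str, bool, str]]:
    """Inspect every member of an in-memory tar archive; nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            ok, reason = check_member_name(member.name)
            findings.append((member.name, ok, reason))
    return findings

def attachment_is_safe(data: bytes) -> bool:
    """True only if every member name passes the checks above."""
    return all(ok for _, ok, _ in scan_tar(data))

def build_sample_tar(names) -> bytes:
    """Construct a small tar archive in memory (sample data for this example)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
    return buf.getvalue()

# Constructed sample: one benign name, one traversal, one shell metacharacter.
SAMPLE = build_sample_tar(["invoice.pdf", "../outside.txt", "report`x`.doc"])
```

A gateway would run `attachment_is_safe` on each TAR attachment before any member name is passed to a scanner or command, and quarantine the message on a failure.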

The vulnerability affects standalone ESG appliances running firmware versions 5.1.3.001 through 9.2.0.006 inclusive. It has been exploited since October 2022, and the problem went unnoticed until May 2023. Attackers used it to install several kinds of malware, including Saltwater, Seaspy and Seaside.

The Saltwater backdoor was built as the mod_udp.so module for the BSMTPD SMTP daemon, allowing the attackers to download and run arbitrary files, proxy requests and tunnel traffic to an external server. The Seaside component, written in Lua, monitored incoming HELO/EHLO SMTP commands to identify requests from the control server and obtained from them the parameters used to set up a reverse shell.

Unfortunately, it has not been specified whether shipping and replacement labour costs will be compensated.
