Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Barracuda Email Security Gateway Appliance Remote Command Injection Vulnerability

Vulnerability

A remote command injection vulnerability has been identified in the Barracuda Email Security Gateway (ESG) appliance, affecting versions 5.1.3.001 prior to 9.2.0.006. The vulnerability arises from improper input validation of user-supplied .tar files, specifically regarding the names of the files within the archive. This flaw allows remote attackers to craft file names that, when processed, execute system commands using Perl's qx operator, with the same privileges as the Barracuda Email Security Gateway. This vulnerability was exploited to gain unauthorized access to some ESG appliances, leading to the deployment of persistent backdoors via a trojanized module named SALTWATER, according to Barracuda and Mandiant.
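The missing check described above, validating archive member names before any other code handles them, can be sketched as follows. This is an added example, not Barracuda's code or patch; the allowlist pattern, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Assumed allowlist: relative paths built from letters, digits, '.', '_' and '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*")
# Characters a shell (and therefore Perl's qx) treats specially.
SHELL_META = set("`$;|&<>(){}'\"\\\n*?~! ")

def audit_member_names(tar_bytes):
    """Return [(name, [reasons])] for members whose names fail validation.

    Only headers are read; nothing is extracted or passed to a shell."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            name, reasons = member.name, []
            meta = sorted(set(name) & SHELL_META)
            if meta:
                reasons.append("shell metacharacters: " + " ".join(map(repr, meta)))
            if name.startswith("/") or ".." in name.split("/"):
                reasons.append("absolute or parent-directory path")
            if not reasons and not SAFE_NAME.fullmatch(name):
                reasons.append("outside allowlist")
            if reasons:
                findings.append((name, reasons))
    return findings

def build_sample_tar(names):
    """Constructed test input: an in-memory tar of empty members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            tf.addfile(tarfile.TarInfo(name=n), io.BytesIO(b""))
    return buf.getvalue()

# Constructed sample names, not taken from any real incident.
SAMPLE_NAMES = ["docs/report.pdf", "note`x`.txt", "a;b.txt", "../etc/passwd"]

if __name__ == "__main__":
    for name, reasons in audit_member_names(build_sample_tar(SAMPLE_NAMES)):
        print(repr(name), "->", "; ".join(reasons))
```

Rejecting the archive on any finding, and passing accepted names to helper programs as separate arguments rather than inside a shell command string, removes the path from file name to command execution.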

Impact

Exploitation of this vulnerability allowed for remote command execution on the affected Barracuda Email Security Gateway appliance, with the executed commands running under the privileges of the Email Security Gateway product. This exploitation led to unauthorized access on a subset of ESG devices, where malware was deployed to create a persistent backdoor, allowing the threat actor to monitor and manipulate email traffic. Additionally, evidence of data exfiltration was found on some compromised appliances.

Reproduction

The vulnerability can be reproduced by uploading a .tar file that contains specially crafted file names. These file names must be formatted in a way that exploits the input validation flaw, allowing commands to be executed on the system via Perl's qx operator. This exploitation occurs within a module that processes email attachments, creating a backdoor that can be accessed through the BarracudaMailService.

Remediation

Barracuda has applied a security patch to all affected ESG appliances worldwide. Customers should ensure their appliance is up to date and replace any compromised devices. Barracuda is providing replacement appliances at no cost to impacted customers.

Added: May 15, 2026, 11:19 AM
Updated: May 15, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 7.5
exploitability: 9.6
remediation: 7.7
relevance: 0.0
threat: 9.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.