Barracuda Email Security Gateway Appliance (ESG) Vulnerability (CVE-2023-2868)

Description

What is Barracuda Email Security Gateway Appliance (ESG)? The Barracuda Email Security Gateway Appliance is an email security solution that monitors and filters inbound and outbound emails for unwanted content such as spam and malware.
What is the Attack? The vulnerability stems from incomplete sanitization of .tar (tape archive) files and the file names they contain. An attacker can craft these file names in a specific manner to achieve remote command execution (RCE).
Why is this Significant? CVE-2023-2868 was reportedly exploited as early as October 2022 to deploy backdoors. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog because of observed active exploitation in the wild.
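As an added illustration (not from the advisory, Barracuda or FortiGuard) of the defensive handling such a flaw calls for: a Python allow-list validator for archive member names, and a scanner that flags any .tar whose member names fail it. The allow-listed character set and the sample archive are constructed assumptions, not the vendor's or FortiGuard's detection logic.

```python
import io
import re
import tarfile

# Assumption: a strict allow-list of characters for archive member names.
# Anything outside it (shell metacharacters, quotes, whitespace, control
# characters) is rejected outright rather than "cleaned", because stripping
# characters from attacker-controlled input is the incomplete sanitization
# the advisory describes.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def is_safe_member_name(name: str) -> bool:
    """True only if a member name is safe to pass to file or shell operations."""
    if not _SAFE_NAME.match(name):
        return False
    parts = name.split("/")
    # Also refuse absolute paths and traversal, which the allow-list alone permits.
    return not name.startswith("/") and ".." not in parts


def suspicious_members(tar_bytes: bytes) -> list:
    """Return the names of all members in a .tar archive that fail the check."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not is_safe_member_name(member.name):
                flagged.append(member.name)
    return flagged


def build_tar(names) -> bytes:
    """Constructed sample archive of empty files for testing; not a real sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(name=n)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_tar(["invoice.pdf", "a`b`.doc", "x;y.txt"])
    print(suspicious_members(sample))  # ['a`b`.doc', 'x;y.txt']
```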
What is the Vendor Solution? Although a patch to address the vulnerability was released, the vendor recommends replacing all impacted devices regardless of patch level.
What FortiGuard Coverage is available? FortiGuard Labs released an IPS signature "Barracuda.Email.Security.Gateway.Tar.File.Command.Injection" for CVE-2023-2868.
Some of the reported file IOCs are detected as Linux/SaltWater.A!tr, ELF/Vigorf.A!tr, and Data/ESG.ADA0!tr.
All network IOCs in the security advisory are blocked by the Webfiltering client.
Is Mitigation Available? The Barracuda security advisory provides mitigation methods. Please refer to the Appendix for a link to "Barracuda Email Security Gateway Appliance (ESG) Vulnerability".