Barracuda urges immediate replacement of ESG appliances following zero-day exploit

Barracuda, an email and network security provider, has issued an urgent update regarding a previously identified vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliances. The company now warns that all impacted ESG appliances must be immediately replaced, regardless of patch version level. This comes after the discovery of attacks targeting the now-patched zero-day vulnerability.


 

Why it matters

The vulnerability in Barracuda's ESG appliances allowed unauthorized access and potential data breaches, emphasizing the critical importance of cybersecurity. The company's latest update underscores the severity of the issue and the need for immediate action. It also highlights the importance of HIPAA compliance, particularly in the context of email security, as these appliances are often used to handle sensitive health information.

 

What they're saying

In an update to the initial advisory, Barracuda stated, "Impacted ESG appliances must be immediately replaced regardless of patch version level. Barracuda's remediation recommendation at this time is full replacement of the impacted ESG." The company has already notified affected customers through the breached ESGs' user interface and urges those who haven't yet replaced their devices to contact support urgently via email.

 

In the know

The critical Barracuda ESG remote command injection flaw, tracked as CVE-2023-2868, was patched remotely on May 20, and the attackers' access to the compromised appliances was cut off one day later by deploying a dedicated script. However, the company has now revealed that the vulnerability was exploited as a zero-day for at least seven months, leading to the installation of malware and data theft from the compromised devices.

 

Event timeline:

  • On May 18, 2023, Barracuda was alerted to anomalous traffic from Barracuda Email Security Gateway (ESG) appliances.
  • On May 18, 2023, Barracuda engaged Mandiant to assist in the investigation.
  • On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliance.
  • On May 20, 2023, a security patch was applied to all ESG appliances.
  • On May 21, 2023, a script was deployed to all impacted appliances to contain the incident and counter unauthorized access methods.
  • On June 6, 2023, Barracuda released a notice recommending full replacement of the impacted ESG.

 

The next steps

Barracuda is urging all affected customers to replace their ESG appliances immediately. The company continues to monitor the situation and is committed to providing updates via its product status page and direct contact with affected customers.

 

The bottom line

This update from Barracuda underscores the severity of the CVE-2023-2868 vulnerability and the importance of immediate action to replace affected ESG appliances. It also serves as a reminder of the critical role of HIPAA compliance in email security, particularly in handling sensitive health information.
