ACT government investigating Barracuda exploitation

The ACT government is the first in Australia to go public with its exposure to the Barracuda email security gateway (ESG) vulnerability.

Last week, Barracuda announced that its email security gateway appliances were vulnerable and needed to be replaced, even though patches had been issued for the command injection vulnerability, CVE-2023-2868.

On June 8, the ACT government announced that it had investigated Barracuda’s announcement, and discovered that it operated vulnerable ESG appliances.

“The potential vulnerability was detected as being present and the ACT Cyber Security Centre immediately completed a rebuild of the impacted Barracuda system to eliminate any ongoing vulnerability,” the government said.

“The investigation has now identified that a breach has occurred and a harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed.”

Barracuda’s security advisory for CVE-2023-2868 said the bug was “incomplete input validation of user supplied .tar [tape archive format] files as it pertains to the names of the files contained within the archive.”
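The class of check the advisory says was incomplete can be sketched as follows. This is an added example, not Barracuda's code or its patch: it screens the member names of an untrusted tar archive against an allowlist before anything is extracted or handed to another program. The allowlist pattern, the function names and the sample file names are assumptions constructed for illustration.

```python
import io
import re
import tarfile

# Assumed allowlist: letters, digits, dot, underscore, hyphen, space, "/" separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9._ /-]+")


def unsafe_member_names(tar_bytes):
    """Return member names that fail the allowlist, without extracting anything."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        for member in archive:
            name = member.name
            parts = name.split("/")
            if (not SAFE_NAME.fullmatch(name)      # shell metacharacters, control bytes
                    or name.startswith(("/", "-"))  # absolute path or option-like name
                    or ".." in parts):              # path traversal component
                flagged.append(name)
    return flagged


def build_sample_tar(names):
    """Build an in-memory tar of empty files (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            archive.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


# Constructed sample names: two benign, three that must be rejected.
SAMPLE_NAMES = [
    "invoice.pdf",
    "docs/readme.txt",
    "a; echo INJECTED",
    "../escape.txt",
    "x$(echo y).txt",
]

if __name__ == "__main__":
    for name in unsafe_member_names(build_sample_tar(SAMPLE_NAMES)):
        print("reject:", repr(name))
```

Rejecting on the name alone is only the first layer: any later step that passes a member name to another program should do so as a separate argument rather than through a shell command string.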

It permits remote command execution on the ESG appliances, and has been seen in the wild, with evidence of data exfiltration and malware planted on the appliances.

Hackers have deployed a trojanised module, SALTWATER, for the Barracuda simple mail transfer protocol daemon (bsmtpd), and the SEASPY packet capture filter that provides remote access as well.

Barracuda has called in Mandiant to help it investigate the vulnerability.
