Description
On May 30, 2023, Barracuda Networks published an advisory for CVE-2023-2868, an easily exploitable remote command injection vulnerability affecting several versions of Barracuda Email Security Gateway (ESG) appliances. The vulnerability exists in a module that screens attachments of incoming emails and is triggered by crafted .tar files. Successful exploitation allows remote, unauthenticated attackers to execute code on appliances in the context of a privileged user. CVE-2023-2868 carries a CVSS score of 9.8. According to the vendor advisory, CVE-2023-2868 has been exploited in the wild since October 2022.
Affected systems include Barracuda Email Security Gateway appliances with firmware versions 5.1.3.001 – 9.2.0.006 (appliance form factor only). We tested against a Barracuda ESG 300 firmware version 8.0.1.001 to confirm exploitability. Tests against virtual machine instances were not successful.
Technical analysis
Exploiting this vulnerability proved to be simple, but finding a valid test target proved to be more challenging. Our proof of concept (PoC) started from the hint in Mandiant’s blog, which mentions filenames within TAR files as the attack vector. With that in mind, we developed our PoC with code that creates TAR files containing user-controlled filenames and data.
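Because the attack vector is the member filename rather than the file contents, a mail pipeline can screen TAR attachments by reading headers only. The following is an added defensive example, not code from the original analysis or from Barracuda; the function names and the metacharacter set are assumptions, and the sample archive is constructed with an inert placeholder.

```python
import io
import re
import tarfile

# Assumption: a conservative set of characters a POSIX shell treats specially.
# The page does not state which characters the vulnerable module mishandled.
SHELL_META = re.compile(r"[`$;&|<>(){}\\'\"!*?\[\]\n\r]")


def suspicious_members(tar_bytes):
    """Return (name, sorted offending chars) for each member with a risky name."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:  # walks headers only; nothing is extracted to disk
            hits = sorted(set(SHELL_META.findall(member.name)))
            if hits:
                findings.append((member.name, hits))
    return findings


def build_sample(names):
    """Build an in-memory TAR with the given member names (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: two ordinary names and one carrying an inert placeholder
# wrapped in shell metacharacters.
SAMPLE = build_sample(["report.txt", "notes`PLACEHOLDER`.txt", "docs/readme.md"])

if __name__ == "__main__":
    for name, chars in suspicious_members(SAMPLE):
        print(f"quarantine: {name!r} contains {chars}")
```

A check like this belongs in front of any tooling that passes archive member names to a shell; it complements, and does not replace, the vendor's patch and remediation guidance.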