Barracuda Is Telling ESG Customers To Physically Replace Their Hardware To Address An Actively Exploited Vulnerability… WTF?
I recently told you about an extremely serious vulnerability with Barracuda’s Email Security Gateway Appliance (ESG) that has alarm bells ringing all over Hell’s half acre.
Barracuda has a full description of the incident so far in their advisory, including extensive indicators of compromise, additional vulnerability details, and information on the backdoored module for Barracuda’s SMTP daemon. I give Barracuda credit for this, as there’s a lot of detail here, so if you have one of these ESG Appliances you can, in theory, address the vulnerability quickly and effectively. But at the same time, that document says this right at the top of it:
ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).
Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.
That’s right. You need to replace your ESG Appliance to address this actively exploited vulnerability. Even if you’ve patched it. I’ve been in this space for over 25 years and I have never, ever seen a recommendation like this before. The only reason that I can come up with for this recommendation is that whatever threat actor did this has managed to gain persistence on the device. Or, to put it in layman’s terms, they’ve pitched the tent, started the campfire, and built a very high wall around the campsite along with a moat that would make it next to impossible to get them out. That’s the holy grail for any threat actor, and that’s really, really bad if you have an ESG Appliance.
Here’s the problem with that: replacing devices wholesale isn’t something that can be scaled to a level that Barracuda customers can work with, because we are not talking about a consumer router that can be reconfigured in an hour or less. We’re talking about an email gateway that is actively scanning for email-based threats, and in today’s world it not only can’t be out of service for a lengthy period, but these sorts of appliances are often tied into a much larger security setup that companies have. And you have to wonder if Barracuda can scale to meet the demands of customers who are going to email them with requests to replace this gear quickly. As in next-day or same-day replacements in some cases. This is a very bad situation, and I am sure this is going to cost Barracuda some customers. Because even though there are exploits out there that threaten everyone, this is above and beyond anything that I have ever seen before. And that will make some of Barracuda’s customers wonder if the company was asleep at the switch when it came to the security of their devices.
This entry was posted on June 8, 2023 at 1:38 pm and is filed under Commentary with tags Barracuda.