The ACT government is the first in Australia to go public with its exposure to the Barracuda email security gateway (ESG) vulnerability.
Last week, Barracuda announced that ESG appliances compromised through the command injection vulnerability CVE-2023-2868 needed to be replaced outright, even though patches for the flaw had already been issued.
On June 8, the ACT government announced that it had investigated Barracuda’s announcement, and discovered that it operated vulnerable ESG appliances.
“The potential vulnerability was detected as being present and the ACT Cyber Security Centre immediately completed a rebuild of the impacted Barracuda system to eliminate any ongoing vulnerability,” the government said.
“The investigation has now identified that a breach has occurred and a harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed.”
Barracuda’s security advisory for CVE-2023-2868 said the bug was “incomplete input validation of user supplied .tar [tape archive format] files as it pertains to the names of the files contained within the archive.”
It permits remote command execution on the ESG appliances and has been exploited in the wild, with evidence of data exfiltration and malware planted on the appliances.
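As an added example (not Barracuda's code and not the actual ESG attachment-screening module), the following Python models the bug class the advisory describes: a scanner that interpolates tar member names into a shell command string, beside a hardened version that allowlists names and never hands them to a shell, plus a triage helper for flagging suspicious member names in quarantined attachments. The function names, the allowlist pattern and the sample archives are assumptions constructed for the illustration.

```python
"""
Illustrative model of the CVE-2023-2868 bug class: a tar attachment whose
member names reach a shell without validation. Added example, not Barracuda's
code; the scanner functions and patterns below are hypothetical.
"""
import io
import re
import subprocess
import tarfile

# Names allowed to reach any OS-level tooling: no shell metacharacters,
# no path separators, no leading dash that could be parsed as an option.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
# Characters and sequences worth flagging during triage of quarantined mail.
SHELL_META = re.compile(r"[;&|`$(){}<>'\"\\\n ]|\.\./")


def build_tar(member_names):
    """Build an in-memory tar (constructed sample input) with one empty file per name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name in member_names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


def vulnerable_scan(tar_bytes):
    """Model of the flawed pattern: the archived filename is interpolated into
    a shell command. A crafted name closes the quotes and the remainder runs
    as attacker-chosen commands with the scanner's privileges."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            # Quoting is not validation: a single quote inside the name ends
            # the quoted argument and the shell parses whatever follows.
            cmd = f"echo scanning '{member.name}'"
            res = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            out.append(res.stdout)
    return "".join(out)


def hardened_scan(tar_bytes):
    """Validate each member name against an allowlist before doing anything
    with it, and pass it to the tool as a separate argv entry, never via a shell."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for member in tf.getmembers():
            if not SAFE_NAME.match(member.name):
                raise ValueError(f"rejected archive member name: {member.name!r}")
            res = subprocess.run(["echo", "scanning", member.name],
                                 capture_output=True, text=True)
            out.append(res.stdout)
    return "".join(out)


def suspicious_member_names(tar_bytes):
    """Triage helper: return member names carrying shell metacharacters or
    traversal sequences, for review of quarantined attachments."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers() if SHELL_META.search(m.name)]


if __name__ == "__main__":
    crafted = build_tar(["x'; echo INJECTED; echo '"])  # constructed sample
    print(vulnerable_scan(crafted))          # shell runs the injected echo
    print(suspicious_member_names(crafted))  # triage flags the name
```

The hardened version rejects the archive before any command runs, which is the behaviour a gateway needs; the triage helper is for responders who want to sweep already-quarantined mail for the same pattern.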
Attackers have deployed a trojanised module, SALTWATER, for the Barracuda simple mail transfer protocol daemon (bsmtpd), and SEASPY, a persistence backdoor that installs itself as a packet capture (PCAP) filter and provides remote access.
Barracuda has called in Mandiant to help it investigate the vulnerability.