A remote command injection vulnerability, designated CVE-2023-2868, has been discovered in the Barracuda Email Security Gateway product (appliance form factor only). It affects versions 5.1.3.001 through 9.2.0.006. The vulnerability arises from insufficient input validation of user-supplied .tar files, specifically in the processing of the names of the files contained within the archive. As a result, an attacker can exploit this vulnerability to remotely execute system commands with the privileges of the Email Security Gateway product. The vulnerability has been fixed as part of the BNSF-36456 patch, which has already been automatically applied to all customer appliances.

Exploit Details

The root cause of this vulnerability is a failure to sanitize the contents of user-uploaded .tar (tape archive) files. The system does not perform comprehensive input validation on the names of the files contained within the archive. Consequently, a remote attacker can craft a specially formatted file name that triggers the execution of a system command via Perl's qx operator.

For demonstration purposes, here is a simple code snippet illustrating the issue:

# File name taken from the uploaded archive's member list (attacker controlled)
my $filename = "../../../path/injection;command";

# The name is interpolated straight into the command string without validation
# or escaping; qx hands the string to the shell, which treats ';' as a command
# separator
my $output = qx(tar xvf $filename);

In this example, the attacker uploads a .tar file containing a maliciously crafted file name. Because the name is interpolated into the command string without validation or escaping, the shell executes whatever follows the semicolon, and that command runs with the same privileges as the Barracuda Email Security Gateway product.
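The hardened counterpart of that pattern, as an added example that is not Barracuda's code or part of the original article: it uses Perl's core Archive::Tar module so that member names are read, validated against a strict allowlist and extracted without ever being handed to a shell. The archive and its member names are constructed in memory for the demonstration; the function names are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Tar;

# Allow only plain relative paths built from a conservative character set.
# Shell metacharacters (; | & $ ` " ' and whitespace), absolute paths and
# ".." components are all refused, so a member name cannot become an
# additional command even if it were later interpolated somewhere.
sub member_name_is_safe {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return 0 if $name =~ m{^/};                      # absolute path
    return 0 if $name =~ m{(^|/)\.\.(/|$)};          # directory traversal
    return 0 unless $name =~ m{^[A-Za-z0-9._/-]+$};  # strict allowlist
    return 1;
}

# Return every member name in the archive that fails the check.
# Archive::Tar parses the archive in pure Perl, so the names are inspected
# without invoking tar(1) or a shell at all.
sub unsafe_members {
    my ($tar) = @_;
    return grep { !member_name_is_safe($_) } $tar->list_files;
}

# Extract only vetted members, again without a shell. If shelling out to tar
# were unavoidable, the list form system('tar', '-xf', $archive, '--', $name)
# also bypasses the shell, whereas qx(tar xf $name) re-introduces the
# injection.
sub extract_safely {
    my ($tar, $dest) = @_;
    my @bad = unsafe_members($tar);
    die "refusing archive, unsafe member names: @bad\n" if @bad;
    for my $name ($tar->list_files) {
        $tar->extract_file($name, "$dest/$name")
            or die "extract failed for $name: " . $tar->error . "\n";
    }
    return 1;
}

# Constructed sample archive, built in memory for the demonstration.
my $tar = Archive::Tar->new;
$tar->add_data('docs/readme.txt', "hello\n");
$tar->add_data('docs/notes;id',   "injected\n");  # name carrying a shell metacharacter

my @bad = unsafe_members($tar);
print "unsafe member names: @bad\n";              # prints: docs/notes;id
```

The allowlist is deliberately narrower than what tar itself accepts: rejecting an unusual but legitimate file name costs an upload, while accepting a metacharacter costs the appliance. Validation happens on the parsed member list, not on the archive's own file name, which is where the flaw described above lives.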

Patch and Remediation

Barracuda Networks has already released a patch (BNSF-36456) to address this vulnerability. The patch automatically applies to all customer appliances and resolves the input validation issue. Anyone using an affected version of the Barracuda Email Security Gateway should ensure that their appliance has received and applied the patch.

For more information on this vulnerability and the associated patch, refer to the Barracuda Networks Security Advisory and the CVE-2023-2868 entry in the Common Vulnerabilities and Exposures database.

Conclusion

CVE-2023-2868 is a critical remote command injection vulnerability that affects the Barracuda Email Security Gateway product. Due to insufficient input validation and sanitization, the vulnerability could be exploited by remote attackers. It's crucial to ensure that your appliance has received the automatically applied BNSF-36456 patch to protect against this vulnerability. Stay vigilant and follow best security practices to keep your systems and networks safe.

Timeline

Published on: 05/24/2023 19:15:00 UTC
Last modified on: 06/01/2023 20:14:00 UTC