Barracuda Networks said patches for a critical zero-day vulnerability in its email security gateway appliance are insufficient and the devices must be replaced entirely. However, the replacement process remains unclear.
The vendor warning comes two weeks after Barracuda initially disclosed the remote command injection vulnerability tracked as CVE-2023-2868. An incident response investigation with Mandiant revealed that data exfiltration had occurred and malware containing a backdoor was installed on some email security gateway (ESG) devices. The investigation also found that the zero-day had been exploited as far back as October 2022.
While Barracuda released a first patch on May 20 and a second on May 21, the vendor issued an action notice on June 6 urging affected customers to replace their devices “immediately.” Two days after that advisory update, the vendor had still not provided any guidance on how the replacement should proceed.
“Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now,” Barracuda wrote in the action notice. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
The vendor did not address how customers are supposed to replace the products or where financial responsibility lies. In addition, it did not specify problems with the released patches or explain why the hardware products need to be replaced.
Barracuda did not respond to requests for comment at press time.
According to the vendor’s website, Barracuda’s limited warranty for all products covers hardware products for one year for “defects in materials and workmanship.” The software warranty is applicable for 90 days and states that the product will be at the time of delivery “free from what are commonly defined as viruses, worms, spyware, malware and other malicious code that may potentially hamper performance.”
The flaw, which received a CVSS score of 9.8, affects Barracuda ESG versions 5.1.3.001 through 9.2.0.006. It stems from incomplete input validation of the file names inside .tar email attachments: a remote attacker can craft those names so that the appliance executes a system command with the privileges of the ESG product.
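To make the bug class concrete, the following is an added illustration, not Barracuda's code and not the actual exploit: a minimal Python model of a gateway that lists the members of a .tar attachment and hands each member name to a shell command (the pattern behind CVE-2023-2868, where the real code used Perl's qx operator), beside a hardened version that allowlists the name and passes it as a single argv element with no shell involved. The archive, its member names, and the use of `echo` as a stand-in for the scanner are constructed for the example.

```python
import io
import re
import subprocess
import tarfile

# Constructed sample input: one benign member name and one whose name
# carries shell metacharacters. Both are legal tar member names.
BENIGN_NAME = "report.txt"
PAYLOAD_NAME = "report.txt; echo INJECTED"


def build_tar(names):
    """Return the bytes of an in-memory tar archive with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_names(tar_bytes):
    """List member names exactly as stored in the archive (attacker-controlled)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return tar.getnames()


def scan_vulnerable(tar_bytes):
    """Model of the flaw: each member name is interpolated into a command
    string and run through /bin/sh, so ';', '`', '$(...)' etc. in the name
    become part of the command. 'echo' stands in for the real scanner."""
    outputs = []
    for name in member_names(tar_bytes):
        cmd = f"echo scanning {name}"  # hypothetical scanner invocation
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        outputs.append(result.stdout)
    return "".join(outputs)


# Strict allowlist: printable filename characters only, and the name may not
# begin with '-' so it can never be parsed as an option by the child process.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def name_is_safe(name):
    """True when the member name matches the allowlist in full."""
    return SAFE_NAME.fullmatch(name) is not None


def scan_hardened(tar_bytes):
    """Hardened version: reject names outside the allowlist and never route
    the name through a shell; it travels as one argv element."""
    outputs = []
    for name in member_names(tar_bytes):
        if not name_is_safe(name):
            raise ValueError(f"rejected archive member name: {name!r}")
        result = subprocess.run(
            ["echo", "scanning", name], capture_output=True, text=True
        )
        outputs.append(result.stdout)
    return "".join(outputs)


if __name__ == "__main__":
    hostile = build_tar([BENIGN_NAME, PAYLOAD_NAME])
    print("vulnerable scanner output:")
    print(scan_vulnerable(hostile))  # the INJECTED line shows the second command ran
    try:
        scan_hardened(hostile)
    except ValueError as exc:
        print("hardened scanner:", exc)
```

The two defences are independent: the allowlist stops the hostile name before any process is spawned, and the argv form means that even a name that slipped past validation would arrive at the child as inert data rather than shell syntax. Patching the parser is the fix for the injection itself; as the article notes, it does nothing about a backdoor already installed on a device that was exploited before the patch.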
It’s unclear how many affected ESG products are in use. Barracuda ESG customers are located across the globe and include organizations in government, financial, healthcare and education sectors.
Arielle Waldman is a Boston-based reporter covering enterprise security news.