Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023.
Incident Report for Barracuda Networks
Resolved
This has been resolved for most customers. Updates are located on Barracuda’s Trust Center (https://www.barracuda.com/company/legal). We thank you for your understanding and support as we worked through this issue and sincerely apologize for any inconvenience it may have caused. If you have any questions, please reach out to support@barracuda.com.
Posted Aug 03, 2023 - 14:19 UTC
Update
Update on Email Security Gateway vulnerability previously identified on May 19, 2023, (https://nvd.nist.gov/vuln/detail/CVE-2023-2868) and Barracuda’s ongoing investigation. On May 30, 2023, Barracuda provided a Preliminary Summary of Key Findings which is available on our Trust Center here: (https://www.barracuda.com/company/legal/esg-vulnerability). This Preliminary Summary provides a timeline of events, key Indicators of Compromise (IOCs), and recommended actions for impacted customers.

We will continue actively monitoring of this situation, and we will be transparent in sharing details on what actions we are taking. Information gathering is ongoing as part of the investigation. We want to ensure we only share validated information with actionable steps for you to take. As we have information to share, we will provide updates via this product status page (https://status.barracuda.com) and direct outreach to impacted customers. Updates are also located on Barracuda’s Trust Center (https://www.barracuda.com/company/legal).
Posted May 30, 2023 - 15:38 UTC
Investigating
Barracuda identified a vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023. A security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023. The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability.

We took immediate steps to investigate this vulnerability. Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances. As part of our containment strategy, all ESG appliances have received a second patch on May 21, 2023. Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers.

We will continue actively monitoring of this situation, and we will be transparent in sharing details on what actions we are taking. Information gathering is ongoing as part of the investigation. We want to ensure we only share validated information with actionable steps for you to take. As we have information to share, we will provide updates via this product status page (https://status.barracuda.com) and direct outreach to impacted customers. Updates are also located on Barracuda’s Trust Center (https://www.barracuda.com/company/legal).

Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take.

Your trust is important to us. We thank you for your understanding and support as we work through this issue and sincerely apologize for any inconvenience it may cause. If you have any questions, please reach out to support@barracuda.com.
Posted May 23, 2023 - 20:28 UTC
This incident affected: Email Security Gateway Appliance (Email Processing).