Barracuda Networks recently discovered a vulnerability in its Email Security Gateway (ESG) that had been open for the last eight months without the security vendor being aware of it. The investigation revealed that the vulnerability could allow attackers to perform remote command injection because of “incomplete input validation” of user-supplied .tar archives, so-called “tarballs”. In ESG versions 5.1.3.001 through 9.2.0.006, attackers could execute system commands through Perl's qx operator if a file inside the tarball was named in a specific, undisclosed way.
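The root cause described above is a file name taken from an untrusted archive and handed to a shell-invoking operator without adequate validation. The following added example (not Barracuda's code and not related to the undisclosed trigger) shows the defensive pattern: validate every member name in a tarball against a strict allowlist before any processing, and, when an external tool must be run on a name, pass it as an argument vector rather than through a shell. The allowlist, the flat-archive assumption (no subdirectories), and the sample archive contents are assumptions made for the example.

```python
import io
import re
import tarfile

# Allowlist for archive member names (assumption for this example):
# must start with an alphanumeric character, so "." and ".." and any
# traversal prefix are rejected; no "/", no whitespace, and no shell
# metacharacters such as ; | & $ ` ( ) can ever appear.
SAFE_MEMBER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def unsafe_members(tar_bytes: bytes) -> list:
    """Return every member name that fails validation.

    All names are inspected before anything is extracted or processed,
    so a single bad entry causes the whole archive to be rejected.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            # Only regular files are accepted; symlinks, devices and
            # directories are rejected outright for this flat-archive case.
            if not member.isfile():
                bad.append(member.name)
            elif not SAFE_MEMBER_NAME.match(member.name):
                bad.append(member.name)
    return bad


def is_safe_tarball(tar_bytes: bytes) -> bool:
    """True only if every member name passes the allowlist."""
    return not unsafe_members(tar_bytes)


def scanner_argv(member_name: str) -> list:
    """Build the argument vector for an external scanner ("file" here is a
    placeholder tool). Using a list with subprocess.run(argv) keeps the
    name out of any shell, so metacharacters are never interpreted even if
    validation were ever bypassed. "--" stops option parsing of the name.
    """
    if not SAFE_MEMBER_NAME.match(member_name):
        raise ValueError("member name failed validation")
    return ["file", "--", member_name]


def build_tarball(names) -> bytes:
    """Constructed sample input: an in-memory tarball with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            data = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_tarball(["report.txt", "data-2023.csv"])
    suspect = build_tarball(["report.txt", "a;b.txt", "../x.txt"])
    print("clean archive accepted:", is_safe_tarball(clean))
    print("rejected members:", unsafe_members(suspect))
```

The allowlist is deliberately narrow: rejecting anything outside a small character set is far more robust than trying to enumerate the metacharacters a particular shell treats specially, and the argv form of subprocess invocation removes the shell from the path entirely.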
Unfortunately, attackers actively exploited the vulnerability during that period, deploying no less than three malware families: Saltwater, Seaside, and Seaspy. This malicious software gives the attackers command-and-control (C2) communication, command injection, port monitoring, persistent backdoor functionality, and more.
The vulnerability was patched within three days of discovery, and mitigation guidance has been published. Barracuda Networks has notified affected end users, though the exact number of affected users is not specified.