CVE-2023-2868 — CRITICAL (9.4)

Q: How severe is CVE-2023-2868?

CVE-2023-2868 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2023-2868?

Check the references section above for vendor advisories and patch information. Affected products include: Barracuda Email Security Gateway 300 Firmware, Barracuda Email Security Gateway 300, Barracuda Email Security Gateway 400 Firmware, Barracuda Email Security Gateway 400, Barracuda Email Security Gateway 600 Firmware.

Vulnerability Description

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

CVSS Score

9.4

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Barracuda	Email Security Gateway 300 Firmware	>= 5.1.3.001, <= 9.2.0.006
Barracuda	Email Security Gateway 300	-
Barracuda	Email Security Gateway 400 Firmware	>= 5.1.3.001, <= 9.2.0.006
Barracuda	Email Security Gateway 400	-
Barracuda	Email Security Gateway 600 Firmware	>= 5.1.3.001, <= 9.2.0.006
Barracuda	Email Security Gateway 600	-
Barracuda	Email Security Gateway 800 Firmware	>= 5.1.3.001, <= 9.2.0.006
Barracuda	Email Security Gateway 800	-
Barracuda	Email Security Gateway 900 Firmware	>= 5.1.3.001, <= 9.2.0.006
Barracuda	Email Security Gateway 900	-

Related Weaknesses (CWE)

CWE-20 CWE-77

References

https://status.barracuda.com/incidents/34kx82j5n4q9Vendor Advisory
https://www.barracuda.com/company/legal/esg-vulnerabilityMitigationVendor Advisory
https://status.barracuda.com/incidents/34kx82j5n4q9Vendor Advisory
https://www.barracuda.com/company/legal/esg-vulnerabilityMitigationVendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-US Government Resource

FAQ

What is CVE-2023-2868?

CVE-2023-2868 is a vulnerability with a CVSS score of 9.4 (CRITICAL). A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a f...

How severe is CVE-2023-2868?

CVE-2023-2868 has been rated CRITICAL with a CVSS base score of 9.4/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-2868?

Check the references section above for vendor advisories and patch information. Affected products include: Barracuda Email Security Gateway 300 Firmware, Barracuda Email Security Gateway 300, Barracuda Email Security Gateway 400 Firmware, Barracuda Email Security Gateway 400, Barracuda Email Security Gateway 600 Firmware.