On May 23, 2023, Barracuda Networks, Inc. posted a notice announcing a recently discovered zero-day vulnerability impacting the security of the company’s Email Security Gateway appliance (ESG). Based on the company’s investigation so far, the vulnerability resulted in unauthorized access to a subset of email gateway appliances. With more than 200,000 customers, many of which are businesses, the recently announced zero-day vulnerability could lead to a long line of Barracuda data breaches.
If you received a data breach notification from Barracuda or any other company impacted by the Barracuda ESG vulnerability, it is essential you understand what is at risk and what you can do about it. Barracuda serves the needs of over 200,000 corporate customers, each of which may possess the data of tens of thousands of individuals. While there have not yet been any confirmed reports of a Barracuda data breach related to the incident, the possibility should not be ruled out. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Barracuda data breach, please see our recent piece on the topic here.
What We Know So Far About the Barracuda Vulnerability
News of the Barracuda vulnerability was only recently confirmed; however, what we know at this point comes from the company’s post as well as an advisory from the National Institute of Standards and Technology (“NIST”). According to these sources, the vulnerability arises from “incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive.”
NIST notes that, as a result of the vulnerability, “a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product.” Google considers the vulnerability a “critical” one.
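The flaw described above is a classic input-validation failure: names taken from inside an uploaded archive reach a shell-interpreting operator (Perl's qx) without being checked. The following is an added illustration of the defensive check a gateway should perform, written here in Python; it is not Barracuda's code and does not reproduce the ESG's logic. It builds a small tar archive in memory with constructed member names, inspects every name before the archive is processed further, and reports why a name is rejected (absolute path, traversal, control characters, or characters a shell would interpret). The character allow-list and the 255-character limit are assumptions chosen for the example.

```python
import io
import re
import tarfile

# Characters that a shell (and therefore Perl's qx / backtick operator)
# would interpret rather than treat as part of a plain file name.
SHELL_META = set("`$;|&<>(){}[]*?!~'\"\\ \t\r\n")

# Assumed allow-list for archive member names: letters, digits, dot,
# underscore, hyphen and forward slash (for subdirectories), 1-255 chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9._/-]{1,255}")


def check_entry_name(name):
    """Return None if the member name is acceptable, otherwise a short reason."""
    if name == "":
        return "empty name"
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "path traversal"
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        return "control character"
    bad = sorted(set(name) & SHELL_META)
    if bad:
        return "shell metacharacter(s): " + "".join(bad)
    if not SAFE_NAME.fullmatch(name):
        return "character outside allow-list"
    return None


def validate_archive(data):
    """Inspect every member name of an in-memory tar archive before anything
    else is done with it. Returns {member_name: reason_or_None}; any non-None
    value means the archive should be rejected as a whole."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for member in tar.getmembers():
            results[member.name] = check_entry_name(member.name)
    return results


def build_sample_archive(names):
    """Constructed test data: a tar archive of empty files with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 0
            tar.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: two ordinary names and four that must be rejected.
    sample = build_sample_archive([
        "report.pdf",
        "logs/2023-05.txt",
        "../etc/passwd",
        "/etc/hosts",
        "name;echo.txt",
        "back`tick`.txt",
    ])
    for member, reason in validate_archive(sample).items():
        print(f"{member!r}: {'ok' if reason is None else 'REJECT - ' + reason}")
```

Validation alone is only half of the fix: even names that pass the check should be handed to any external tool as an argument list (Python's `subprocess.run([...])`, Perl's list-form `system`), never interpolated into a shell command string, so that a gap in the allow-list cannot turn back into command execution.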
Since Barracuda’s discovery of the vulnerability, the company has released two patches that solved the problem. However, the company acknowledges that the flaw “resulted in unauthorized access to a subset of email gateway appliances.” Additionally, Barracuda disclosed that the company’s investigation was limited to its own environment and that “impacted customers should review their environments and determine any additional actions they want to take.”
The full significance of the Barracuda zero-day vulnerability cannot yet be assessed because many of the organizations that rely on the company’s services only recently learned of the flaw. However, given similar zero-day vulnerabilities, such as the one affecting Fortra’s GoAnywhere MFT product, which impacted millions of consumers, it is possible that a long line of Barracuda data breaches will be announced in the near future.
More Information About Barracuda Networks, Inc.
Founded in 2003, Barracuda Networks, Inc. is a computer security and data storage company that provides security, networking and storage products based on network appliances and cloud services. Barracuda’s computer security products are intended to reduce or eliminate spam, spyware, trojans, and viruses. The company also develops networking and storage products. While the company serves all industries, it specializes in developing solutions for healthcare, retail, and financial services companies as well as educational institutions and government entities. Barracuda employs more than 2,000 people and generates approximately $487 million in annual revenue.