PSA: Barracuda's Email Security Gateway's a popular enterprise email client. Unfortunately, it hasn't been living up to the security aspect of its name for the last eight months. Hackers have been using a flaw in the software to infect systems with at least three types of malware that include C2, command injection, port monitoring, and persistent backdoor capabilities.

Security firm Barracuda Networks disclosed a zero-day vulnerability in its popular email client that hackers exploited for eight months before it was discovered and patched. The patch rolled out 11 days ago, and Barracuda notified customers about the flaw via its Email Security Gateway (ESG), providing mitigation measures.

The security hole (CVE-2023-2868) allowed remote command injection through the ESG due to "incomplete input validation" of user-supplied .tar files, sometimes called tarballs. Tarballs are similar to zip archives in that they carry a collection of files compressed into a single container.

The problem was that in versions through of Barracuda's ESG client, bad actors could execute system commands through the QX operator if the tarball was named in a particular, unspecified way. The flaw involved how the Perl programing language handles quotation marks, but that's as specific as Barracuda would get.

The company says its investigation decerned that malicious actors exploited the weakness between October 2022 and May 20, 2023. Hackers used it to deliver malware payloads to vulnerable systems, primarily packages identified as Saltwater, Seaside, and Seaspy.

Saltwater is a trojan that imitates Barracuda's SMTP daemon (bsmtpd). The malware has backdoor functionality so attackers can upload or download files, execute commands, and use proxy and tunneling capabilities.

Seaside is a Lua-based module also targeted at the SMTP daemon. It monitors the HELO/EHLO commands looking for command and control (C2) IP addresses and ports. When received, it sends the C2 data as arguments to an external binary to create a "connect-back shell."

Seaspy is an x64 ELF (executable and linkable format) file that pretends to be a legitimate Barracuda Networks service. After establishing itself as a PCAP filter, it monitors port 25 traffic (SMTP). Seaspy can act as a persistent backdoor, and Barracuda says operators can covertly activate it via a "magic packet."

Barracuda did not disclose how many customers were exploited during the eight months the hole remained undiscovered but did patch the bug immediately before notifying its clients.

"Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take," the company stated. "Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation."

If you use Barracuda's ESG email client but haven't received a notification from the company, update the software immediately. You may also want to take the mitigation measures Barracuda listed in its public notice.