Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Barracuda Urges Replacing, Not Patching, Its Email Security Gateways (krebsonsecurity.com) 90

An anonymous reader quotes a report from KrebsOnSecurity: It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware -- as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

Campbell, Calif. based Barracuda said it hired incident response firm Mandiant on May 18 after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to sit at the edge of an organization's network and scan all incoming and outgoing email for malware. On May 19, Barracuda identified that the malicious traffic was taking advantage of a previously unknown vulnerability in its ESG appliances, and on May 20 the company pushed a patch for the flaw to all affected appliances (CVE-2023-2868).

In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022. But on June 6, Barracuda suddenly began urging its ESG customers to wholesale rip out and replace -- not patch -- affected appliances. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company's advisory warned. "Barracuda's recommendation at this time is full replacement of the impacted ESG." [...] In addition to replacing devices, Barracuda says ESG customers should also rotate any credentials connected to the appliance(s), and check for signs of compromise dating back to at least October 2022 using the network and endpoint indicators the company has released publicly.

This discussion has been archived. No new comments can be posted.

Barracuda Urges Replacing, Not Patching, Its Email Security Gateways

Comments Filter:
  • Digital gangrene (Score:3, Interesting)

    by Thoth Ptolemy ( 110353 ) on Thursday June 08, 2023 @10:41PM (#63587402)

    Digital amputation.
    Old techniques become valid again in new battlespaces. History doesn't repeat itself, it just reinfects the current host.

  • by Luckyo ( 1726890 ) on Thursday June 08, 2023 @10:45PM (#63587414)

    Who's paying for company failing it's duty of diligence to its customers, requiring tossing otherwise functional hardware?

    • Re: (Score:2, Insightful)

      by gweihir ( 88907 )

      Nobody. We have allowed commercial software makers to get away without liability for far too long. Hopefully this crap vendor will die, but that is not enough.

      • by RegistrationIsDumb83 ( 6517138 ) on Thursday June 08, 2023 @11:01PM (#63587432)
        Barracuda's spam filters suck, too. I have a domain that somehow ran afoul of it, no user complaints, no other blacklists that domain is on but somehow barracuda is convinced it's spam. They won't remove it. I knew they didn't care about noncustomers, apparently they don't care about customers either.
        • by gweihir ( 88907 ) on Thursday June 08, 2023 @11:56PM (#63587508)

          Usually, when things go this badly wrong, it is a systematic problem. So no surprise they mess up others of their products as well.

        • Are you certain your outbound host hasn't been compromised?

        • We used a Barracuda mail filter appliance for years and it worked fairly well. Though for some reason it didn't fully proxy port 25 and would pass SMTP AUTH all the way through to the mail server cluster sitting behind it. It took a long time to figure out why some people's accounts were being locked out seemingly at random. I had to craft a special L7 rule in the intermediary firewall to block SMTP AUTH packets from getting through. There was no setting in the Barracuda to disable it from passing that thro

          • by gweihir ( 88907 )

            That sounds pretty bad. All it requires for something like this to blow up is a vulnerability in the SMTP AUTH handling in the mail server behind. Not what I expect from a security proxy.

    • Re: (Score:2, Interesting)

      by jd ( 1658 )

      Software has zero warranty or liability in its license. This is true of all software, commercial and open source. The only situation where software COULD even have a warranty (but often still doesn't) is where the software has been formally proved correct to the specification. This is because software writing methodologies work on the basis of "good enough"/slapdash techniques (code now, fix later), rather than having any kind of systematic rigour.

      • According to the article even wiping the box completely wont keep them out. Apparently its a hardware/firmware vulnerability. How much you wanna bet its made in a chinese fab? Being able to scan a companies email would be of espionage interest, whether its corp trade secrets, or governmental, it all has value in the right hands.
      • by Luckyo ( 1726890 )

        This is a hardware/firmware issue however, as they specifically state that flaw cannot be fixed in software and HARDWARE must be thrown out.

    • > In a statement, Barracuda said it will be providing the replacement product to impacted customers at no cost

      Or you could, you know, read the fine article.

      I kid, I kid. There's no bucking the weight of tradition.

      • by Luckyo ( 1726890 )

        Mea culpa. I often call others out on not doing that, and here's myself not doing my due diligence and shooting from the hip for once.

        Thanks for the correction!

  • by gweihir ( 88907 ) on Thursday June 08, 2023 @10:54PM (#63587422)

    How utterly and completely pathetic.

    We really need to start making sound software engineering practices mandatory in all commercial software engineering or else. This story is basically about security-critical technology so badly made that it starts to rot.

    • Likely the issue here is that the devices are black box appliances which the customers are not supposed to have low level (ie root) access to, whereas someone who exploited this vulnerability does have root access.
      Thus because you don't have root access, you can't assess what was done to the device and try to clean up the mess.

    • by jd ( 1658 )

      Absolutely agree, but how to do it?

      A NIST-style entity that evaluates software and provides certification for the defect density?
      A mandated software development regimen, on the assumption that it guarantees a low defect density?
      An obligation to provide a limited warranty on software that guarantees a certain level of quality, with vendors choosing methods to comply?

      • Yeah, all of those things.

        You could have multiple acceptable process standards. There already are multiple standards for critical software development and none of them are currently mandatory in the field, so almost any of them would be an improvement. In a quick search I came across this slightly relevant document [coreavi.com] which cites DO-178C and ISO 26262 in an attempt to sell "safety certifiable graphics drivers". Surely there must be something similar and extant that could be directly applied (in whole or part)

      • by gweihir ( 88907 )

        Well, If you sell, say, circuit breakers for mains voltage, how are they assured to break correctly and not burst into flames? Or how do they assure an engineer doing the static of a bridge does not mess up the calculations?

        So yes, independent tests labs, requirement that only qualified people are allowed to work on security critical software, warranty and liability if it breaks and does more damage. Software is a bit different from physical products, but that does not make the known approaches unusable.

    • by e3m4n ( 947977 ) on Friday June 09, 2023 @06:41AM (#63588082)
      From the article even if you reformatted and reinstalled everything it cant be fixed. Thst screams hardware/firmware vulnerabilities. Maybe a backdoor in the network controller chip itself?
      • by gweihir ( 88907 )

        Could be that the firmware was not protected at all and the malware now sits in the early initialization code and does write-protect itself. In that case you would need to physically flash the firmware or may even have to replace the chip.

        Of course if you do this right, the core initialization system and loader for new firmware just get write protected (many modern EEPROMs allows page protection, for example so you can protect part of its contents).

    • A few comments:

      1. Everything of any complexity, including security software, has security issues.

      2. We have no idea if this issue was caused by negligence or not. Not hard to believe that it was, but we don't know.

      3. You can introduce liability and it should be in some form (coming to the EU with an updated PLD, might eventually reach the US, it's in the admin's Cyber Security Strategy not that I expect a Republican Congress to do anything about it) but... it would result in a) increased product cost to p

      • Re: (Score:2, Insightful)

        by gweihir ( 88907 )

        Yes. But having to replace the device? That means more than one severe design issue and these are typically not present in groups. Unless the whole design process was not adequate at all that is.

        As to liability, it starts with _them_ having to pay for replacement. As it is, the affected customers will now have to buy a new one and then configure and integrate it themselves. That is just fundamentally wrong on so many levels. Any more liability depends, but this could be a case of gross negligence.

  • by lsllll ( 830002 ) on Thursday June 08, 2023 @11:27PM (#63587468)
    Of course it can be fixed with software. I skimmed the CVE. There's no mention of UEFI or BIOS. Provide an ISO which people DD to a USB thumb drive, boot from the thumb drive, make copies of the configuration files and whatever else you need, reimage the HD, and copy the configuration files back. I do admit it's complicated and it may take them at least a few days to get working, but there's obviously a software solution here. But the first sentence from the summary alludes as to what's really happening: "We believe most of our customers will just buy a new appliance from us and it's more ka-ching for us."
    • by thesjaakspoiler ( 4782965 ) on Friday June 09, 2023 @12:03AM (#63587518)

      There are a number of scenario's possible where not even an UEFI or BIOS update will save you.
      Either they blocked UEFI/BIOS updates or they infected the update process in such a way that it adds their malware again to the new UEFI/BIOS.

      • by codrus ( 35604 )

        Is it a PC? I mean, I'm sure it's got an Intel or ARM processor in it and and uses some off-the-shelf PC-style chips, but most dedicated enterprise-level networking devices are a custom PCB with a custom boot monitor. I'd be surprised if there's any recognizable UEFI or BIOS in it.

      • by klashn ( 1323433 )
        Maybe the update needs to be delivered via TAR file, and they don't want their customers to be doing that or don't have a way for the FW to properly validate the TAR files?
        • by klashn ( 1323433 )
          TFS says Barracuda recommended replacement of devices in October 2022. The TFS, submitted anonymously should not have been news today with quotes on an old stance from Barracuda. Now they have patched it, so I guess you don't have to replace it. This does expose Barracuda as a company that doesn't have proper security incident response and mitigation.
    • by Arnonyrnous Covvard ( 7286638 ) on Friday June 09, 2023 @12:19AM (#63587552)
      PCs are not designed so they can be reset to a knowable state. Despite all the "trusted computing" hocus-pocus, PCs have no way of reliably wiping all onboard persistent storage. Buying a new one doesn't fix things though, because you can't verify the state of the new device either. Recommending that people replace a specific type of security device seems like an invitation for a supply chain attack.
      • by Bert64 ( 520050 )

        You should be able to wipe everything if you know *exactly* what hardware went into the device, which is the case for an appliance like this.

        • If it's technically a PC, that isn't possible. Access to onboard persistent storage is mediated by software in that very same writable persistent storage, so you can't assure that that software won't prevent you from overwriting it. To reliably wipe all persistent storage, PCs would need a way to do that which isn't mediated by software that can be modified.
          • It's got nothing to do with being a PC - it's specifically a choice of the motherboard manufacturers to not provide a reliable update path. There's absolutely nothing in the PC spec preventing manufacturers from implementing the firmware update path via ROM.

      • My 486 had one writable chip and I had to move a jumper to flash it. And no backup space, so make sure it's on a UPS!

        People want cheap so this is what they get.

      • Despite all the "trusted computing" hocus-pocus, PCs have no way of reliably wiping all onboard persistent storage.

        That is false at least some of the time. Some mainboards have a firmware reflash that doesn't even require the CPU. These boards can reliably restored to a good state. If they failed to use such, that was irresponsible of them.

    • by eneville ( 745111 ) on Friday June 09, 2023 @01:49AM (#63587638) Homepage

      And failing that barracuda should accept devices back for exchange as they're a manufacturing failure at this point.

      • by AmiMoJo ( 196126 )

        Consumer rights laws generally don't protect businesses, at least not in the EU.

        Barracuda have their customers over a barrel here. They need to immediately replace this hardware, because it has been under active exploit for at least a year.

        The customer can either drop in another Barracuda product and be up and running again as quickly as possible, or try to do an unplanned, unscheduled migration to someone else's product.

        • The customer can either drop in another Barracuda product and be up and running again as quickly as possible, or try to do an unplanned, unscheduled migration to someone else's product.

          If the device is standards-based, it should be trivial to drop in another appliance. And it would be daft to choose the company that you know to be irresponsible and incompetent.

      • Exchange for what? Another vulnerable box? Everything they said on June 6 implies the backdoor is so low level that even wiping the box with a fresh install wont keep them out. That screams hardware/firmware. Do you remember that hubbub years back about a spy chip embedded on SuperMicro motherboards? What if china found a sneakier way to do this? Can you think of a better appliance to infect than one that scans all email? Fast forward to Oct 2022 and some blackhats discovered the back door and applied their
      • Who the hell is going to take this invitation to upgrade and buy the same crap all over again?

        Either Barracuda offer some serious concessions on the replacement hardware, or they're going to lose those customers forever. Surely almost no one is going to say "Hmm.... Barracuda - they seem like a safe bet, let's buy that!" when there are umpteen other choices available. Unless Barracuda are considerably cheaper than the alternatives, you'd need your head examining to replace like-for-like.

        • If barracuda do the same thing and offer a cleaned appliance for defective then who can argue? How they do that is another question.

    • Maybe you should have kept reading..

      The pivot from patch to total replacement of affected devices is fairly stunning and implies the malware the threat actors deployed somehow achieves persistence at a low enough level that even wiping the device wouldnâ(TM)t eradicate attacker access,â Condon wrote.

    • by thegarbz ( 1787294 ) on Friday June 09, 2023 @08:02AM (#63588278)

      "We believe most of our customers will just buy a new appliance from us and it's more ka-ching for us."

      Nice conspiracy theory, but Barracuda is replacing the devices free.

      • I'd rather pay the extra money and replace it with a component from a company that hasn't proven itself to be as incompetent.
        • And if you're looking for bug free perfect security you'll be looking for companies forever. Back in reality people spend their money based on vendor response to issues rather than kneejerk about a security bug.

          • And if you're looking for bug free perfect security you'll be looking for companies forever

            I never said that the replacement product had to have "bug free perfect security". Any company that didn't fuck up so badly that they needed to perform a full hardware replacement to resolve the issue would be a great starting point with many contenders.

            Back in reality people spend their money based on vendor response to issues rather than kneejerk about a security bug.

            A vendor's response to their issue is incredib

    • reimage the HD

      Okay stop, please. Users do not have access to the device in the level your required solution needs. Barracuda has already tried resolving the issue and it is persistent. As such they advise rip and replace (with hardware they are providing for free). Stop making assumptions that relate to a fully owned computer. This is not a computer. It's an edge appliance. Users don't even have SSH access much less the ability to image the HD.

    • Of course it can be fixed with software. I skimmed the CVE. There's no mention of UEFI or BIOS.

      Just because they're not mentioning it, that doesn't mean it's safe. I read the entire CVE and notice page, which only took a couple of minutes. Since May 23rd, Barracuda has been recommending installing a patch to remedy the situation and providing the information needed to identify infection with known malware. Then suddenly on June 6th, they changed their tune to "replace all the hardware regardless of patch level" without explanation. To me this means that they have detected a persistent rootkit that ca

    • "I skimmed the CVE. There's no mention of UEFI or BIOS."

      Don't assume that the description is complete. Vendors often omit significant details from CVE descriptions.

    • Spoken by a true tier 1 help-desk tech.
      This is a network appliance not a PC, it in no way functions like a PC. Nothing your spitballing has anything to do with reality.

      The takeaway is if your dumb enough to buy Barracuda hardware on the cheap you deserve this.

    • Re: (Score:2, Interesting)

      by poptix ( 78287 )

      The motherboards they put in these appliances are so old that they don't even have UEFI.

      They're MSI MS-7680 motherboards from 2011 or so, 2GB of RAM and some crap drives. They sell them for thousands of dollars, then they sell you 'energize updates' (virus/spam definitions) and 'instant replacement' (they'll ship you replacement hardware) as a subscription.

      Like everyone else, they really want you to switch over to their cloud appliance that is much more profitable to them. This is a cash grab.

  • by beheaderaswp ( 549877 ) * on Thursday June 08, 2023 @11:29PM (#63587474)

    I'm speaking in general terms so I'm not identified.

    Sadly, the sole method of knowing you have been compromised is through a banner, in red, presented when you login in to the Barracuda web interface.

    Barracuda provided signatures to detect the altered binaries- but removed ssh access to their hardware appliances some time back. So if you own a hardware appliance you are essentially phucked trying to determine what is going on.

    If you don't see the banner apparently you are not compromised. Yea right. The first thing an attacker will do is disable the banner.

    This may be a bigger problem than is currently recognized.

    • That is what it sounds like to me-- essentially a complete failure of their system. "Oh, but a new one won't have this problem..."

    • by Bert64 ( 520050 )

      Barracuda provided signatures to detect the altered binaries- but removed ssh access to their hardware appliances some time back.

      Exactly this, the attacker has full access to *YOUR* hardware, and you don't.

    • by ls671 ( 1122017 )

      but removed ssh access to their hardware appliances some time back.

      Wow! Amazing!

  • It really is disgusting that in the modern age when someone discloses a vulnerability this bad, the posters on boards such as this one jump to ask "who will pay" and "what about fitness and merchantability".

    How about asking HOW and WHY this came to be and how it can be prevented from the rest of the industry going forward. I realize it's become a weekend, but come on. Focus on the important stuff. "I have to throw out stuff; who will pay me?" comes a long line behind "How was this compromised so badly a

    • by gweihir ( 88907 ) on Thursday June 08, 2023 @11:54PM (#63587504)

      The solution is pretty clear and has been implemented numerous times in established engineering disciplines: You sell it, you assure fitness for purpose. It is defective by design, you become liable. Somebody works on it, they are either qualified engineers or technicians or you are grossly negligent.

      It is really not hard, but it will take a few more decades if other engineering disciplines are any indicator. At this time, our machines are powerful, flexible, unreliable and unsafe.

      • by jd ( 1658 )

        All non-trivial software is constrained by the limitations of what you can guarantee, vis the Halting Problem.

        However, you can certainly set a minimum standard by some metric (possibly defect density) and provide a limited guarantee of fitness for purpose.

        A true fitness for purpose would require the use of formal methods, which won't work on all problems but should work for a decent subset.

        • by gweihir ( 88907 )

          Nobody expects a formal proof of fitness for purpose. What is expected is that design and manufacturing methods and tests used ensure a high probability of fitness for purpose. You still become liable if it breaks, but if that is unlikely enough, it is not a relevant economic risk to your enterprise.

          Incidentally, you do not understand the halting problem. The halting problem only says that you cannot automatically determine all properties of all formal systems of type X using something that is also a formal

    • by sjames ( 1099 )

      It's really very simple. Hard earned money was handed to company. In return company handed over device with an implied warranty of fitness. Turns out it was not fit for purpose. Naturally customers want EITHER the device be made fit or the money returned.

      Barracuda instead wants to turn this into a profit center by selling more devices that we are supposed to believe really are fit THIS time.

      Exactly how to keep screw-ups this bad from happening again may not be entirely clear, but it is clear that making suc

      • If the replacement is free your whole theory goes out the window.

      • Uh, Barracuda *is* replacing them for free. From the article:
        "In a statement, Barracuda said it will be providing the replacement product to impacted customers at no cost, and that not all ESG appliances were compromised."
        You could have read the article before going on that rant.

        • by sjames ( 1099 )

          That's all fine then. Barracuda is encouraged to not make this error again to avoid the substantial cost involved. For once, the system works!

  • Fallback to power down, replace socketed boot-loader with "gold" bootloader ROM, and load all firmware images off-line ( no network connection ).
    Step 1 of "gold" bootloader requires a complete effective wipe of ALL internal memory: EEROM, RAM, NVRAM, etc.
    Step 2 is installation of virgin mass storage devices for any and all NV memory in the system, followed immediately by forced formatting of the virgin devices.
    Step 3 of bootloader is reimaging of system, and comparison of the result with stored replica of

    • But is this something you can ask of your customers? Just the amount of assistance you need to provide will be enormous. Shipping new appliances is probably more effective.

      • by Bert64 ( 520050 ) <bertNO@SPAMslashdot.firenzee.com> on Friday June 09, 2023 @02:49AM (#63587736) Homepage

        That comes down to the continued degradation of corporate IT.
        These are appliances aimed at enterprise customers, such customers *should* have their own IT department staffed by people who know what they're doing. Swapping a socketed component, wiping an EEPROM or formatting some drives should not be difficult for someone who's role supposedly involves managing computers.

        But we've got to a level where the average IT department consists of people who open boxes and follow the "quick start guide", then defer to external support if they ever get stuck.
        Generally people who do know what they're doing won't be very happy about deploying a black box appliance that they only have superficial access to.

        • All too true, sadly.

          In early days of my career I had my choice of super geniuses for every role.

          By the time I retired the kids coming in could barely do anything IT and sure as hell couldn't code -anything-.

        • by hoofie ( 201045 )

          The outsourcing of core competencies has destroyed that. The big Tier1 provider you engaged at Mega dollars is built on lots of offshore workers who are ok at relatively mundane work but when the really difficult problems crop up fail because the experts have already moved to more lucrative roles.

          Also everything is handed over to the Vendors as "their problem" but the gap hits when the Vendor cannot provide that level of expertise which is becoming more common because of my first point.

  • Barracuda's recommendation at this time is full replacement of the impacted ESG

    CEO needs a new yacht!

  • 1. There's no rigour in software development, outside of formal methods.

    In consequence, code is written in a rather slapdash way of code now, fix later. High quality writing is simply not considered. (The Linux kernel has a very low defect density, but it's still far too high for any mission-critical purpose.) We need something that lies between formal methods (which are too strict for many situations, and which can't be used in some cases) and modern coding practices.

    2. Completely correct code is only poss

  • Once again this is a Windows only product:

    https://campus.barracuda.com/product/pstenterprise/doc/41115696/step-1-system-requirements/

    I really wish people who submit these articles indicate which OS these products run on.

  • Airports (Score:4, Informative)

    by CohibaVancouver ( 864662 ) on Friday June 09, 2023 @07:15AM (#63588164)
    I remember 15-20 years ago every American airport I passed through was FULL of Barracuda ads. On the jet bridges, hanging in the terminals, on the baggage carousels - From Denver to Miami to Seattle to everywhere in between. Their ad-spend must have been monumental.

    https://i.pinimg.com/564x/1f/7... [pinimg.com]
    • I remember that as well and they were really good ads. I suspect they moved a lot of product.
  • by RonVNX ( 55322 ) on Friday June 09, 2023 @11:34AM (#63589000)

    If you're still using their products, given it's widely known for decade(s) that they're unhelpful garbage, you deserve what you get.

  • If they're not giving replacements for free you might as well go buy from someone else.

Different all twisty a of in maze are you, passages little.

Working...