Tuesday, June 6, 2023

Even security vendors get hacked

Barracuda Networks is a long-established security vendor (you've likely seen their billboards in airports).  As it turns out, their email security gateway has a vulnerability that the Bad Guys have been exploiting for months:

A critical remote command injection vulnerability in some Barracuda Network devices that the vendor patched 11 days ago has been exploited by miscreants – for at least the past seven months.

Barracuda said it discovered the bug, tracked as CVE-2023-2868, in its Email Security Gateway (ESG) appliance on May 19 and pushed a patch to all of these products globally the following day.

In a security alert posted on Tuesday, however, the vendor disclosed that the vulnerability was under active exploit long before the patch arrived. The flaw, which affects versions 5.1.3.001 to 9.2.0.006 of the ESG appliance, can and has been abused to run remote commands on targeted equipment, hijack them, and deploy data-stealing spyware on the boxes.

Clearly this is a major embarrassment for the company, but it highlights just how hard security is to do correctly, year in and year out.  Consider:

  • Barracuda clearly has the security expertise needed to prevent this.
  • Barracuda clearly has a significant motivation to prevent this - they've taken some pretty major reputational damage here.

But it still happened.  It's happened to other security vendors before, and will happen to security vendors in the future, because doing security properly is really, really hard.  The Bad Guys don't have to be perfect every single time, not by a long shot, but anyone playing defense against them sure does.
