Friday, June 9, 2023

Security vendor oops

I recently posted about the security appliance vendor Barracuda's woes, with a critical bug in their email security gateway appliance. Well, the problem is worse than people thought:

Despite pushing out patches addressing vulnerabilities in its Email Security Gateway (ESG) appliances in May, today Barracuda issued an urgent warning that all affected devices need to be taken offline and replaced immediately.

The ESG remote command injection vulnerability, tracked under CVE-2023-2868, was already under active exploit since October 2022, Barracuda said in its initial May 30 disclosure. A patch was released on May 20, but by June 6 it was determined the patch and subsequent script pushed out to counter unauthorized access weren't enough to secure impacted ESG devices, according to the advisory.

"Impacted ESG appliances must be immediately replaced regardless of patch version level," Barracuda warned its customers in an update. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG."

I'm struggling to think of another example of a security device that had to be junked after an incident.  I imagine that this isn't actually the first such incident, but no others come to mind.

Ouch.

Usually this sort of thing happens when a very old device reaches end-of-support/end-of-life.  At that point you've gotten your investment from the device and it's time to upgrade to something modern - but this cycle is often ten years.

To Barracuda's credit, they are shipping new devices to affected customers.

4 comments:

Aaron C. de Bruyn said...

> I'm struggling to think of another example of a security device that had to be junked after an incident.

I donno...after I take bolt cutters to a masterlock, you're gonna have to replace it. ;)

Old NFO said...

Couldn't happen to a better 'woke' company...LOL

HMS Defiant said...

How many different things got "sunsetted" not because they were actually too old but simply because they were so ridiculously vulnerable to hacking? We won't ever know.

lee n. field said...

My experience is, at least with the stuff we've sold, if you keep up on the (not cheap) licensing, upgraded hardware is often basically free.