Barracuda Email Security Gateway Appliance (ESG) Vulnerability
Common Information
Type | Value |
---|---|
UUID | 6d2af4b3-9618-4b11-951d-ab2fe11464ef |
Fingerprint | e5cf98154c57e48c |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | May 30, 2023, 8:27 p.m. |
Added to db | June 1, 2023, 11:11 a.m. |
Last updated | Nov. 13, 2024, 12:28 p.m. |
Headline | Barracuda Email Security Gateway Appliance (ESG) Vulnerability |
Title | Barracuda Email Security Gateway Appliance (ESG) Vulnerability |
Detected Hints/Tags/Attributes | 53/1/64 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://www.barracuda.com/company/legal/esg-vulnerability |
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | CVE | 3 | cve-2023-28681 |
|
Details | CVE | 117 | cve-2023-2868 |
|
Details | Domain | 5 | barracuda.com |
|
Details | Domain | 3 | appcheck.sh |
|
Details | Domain | 3 | aacore.sh |
|
Details | Domain | 2 | xxl17z.dnslog.cn |
|
Details | Domain | 2 | mx01.bestfindthetruth.com |
|
Details | Domain | 1 | libbindshell.so |
|
Details | Domain | 5 | status.barracuda.com |
|
Details | Domain | 15 | www.barracuda.com |
|
Details | | 3 | support@barracuda.com |
||
Details | | 2 | compliance@barracuda.com |
||
Details | File | 3 | install_helo.tar |
|
Details | md5 | 5 | 827d507aa3bde0ef903ca5dec60cdec8 |
|
Details | md5 | 3 | 4ca4f582418b2cc0626700511a6315c0 |
|
Details | md5 | 4 | cd2813f0260d63ad5adf0446253c2172 |
|
Details | md5 | 4 | 2ccb9759800154de817bf779a52d48f8 |
|
Details | md5 | 4 | f5ab04a920302931a8bd063f27b745cc |
|
Details | md5 | 5 | 177add288b289d43236d2dba33e65956 |
|
Details | md5 | 4 | 881b7846f8384c12c7481b23011d8e45 |
|
Details | md5 | 4 | 82eaf69de710abdc5dea7cd5cb56cf04 |
|
Details | md5 | 4 | e80a85250263d58cc1a1dc39d6cf3942 |
|
Details | md5 | 5 | 5d6cba7909980a7b424b133fbac634ac |
|
Details | md5 | 4 | 1bbb32610599d70397adfdaf56109ff3 |
|
Details | md5 | 4 | 4b511567cfa8dbaa32e11baf3268f074 |
|
Details | md5 | 4 | a08a99e5224e1baf569fda816c991045 |
|
Details | md5 | 4 | 19ebfe05040a8508467f9415c8378f32 |
|
Details | md5 | 4 | 1fea55b7c9d13d822a64b2370d015da7 |
|
Details | md5 | 4 | 64c690f175a2d2fe38d3d7c0d0ddbb6e |
|
Details | md5 | 4 | 4cd0f3219e98ac2e9021b06af70ed643 |
|
Details | md5 | 4 | 0d67f50a0bf7a3a017784146ac41ada0 |
|
Details | sha256 | 3 | 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4 |
|
Details | sha256 | 3 | 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115 |
|
Details | sha256 | 1 | fa8996766ae347ddcbbd1818fe3a878272653601a347d76ea3d5dfc227cd0bc8 |
|
Details | IPv4 | 4 | 64.176.7.59 |
|
Details | IPv4 | 4 | 64.176.4.234 |
|
Details | IPv4 | 4 | 52.23.241.105 |
|
Details | IPv4 | 2 | 23.224.42.5 |
|
Details | IPv4 | 4 | 192.74.254.229 |
|
Details | IPv4 | 4 | 192.74.226.142 |
|
Details | IPv4 | 4 | 155.94.160.72 |
|
Details | IPv4 | 4 | 139.84.227.9 |
|
Details | IPv4 | 4 | 137.175.60.253 |
|
Details | IPv4 | 4 | 137.175.53.170 |
|
Details | IPv4 | 4 | 137.175.51.147 |
|
Details | IPv4 | 4 | 137.175.30.36 |
|
Details | IPv4 | 4 | 137.175.28.251 |
|
Details | IPv4 | 4 | 137.175.19.25 |
|
Details | IPv4 | 5 | 107.148.219.227 |
|
Details | IPv4 | 4 | 107.148.219.55 |
|
Details | IPv4 | 5 | 107.148.219.54 |
|
Details | IPv4 | 5 | 107.148.219.53 |
|
Details | IPv4 | 5 | 107.148.149.156 |
|
Details | IPv4 | 5 | 104.223.20.222 |
|
Details | IPv4 | 5 | 103.93.78.142 |
|
Details | IPv4 | 5 | 103.27.108.62 |
|
Details | Url | 3 | https://status.barracuda.com |
|
Details | Url | 1 | https://www.barracuda.com/company/legal |
|
Details | Yara rule | 1 | rule M_Hunting_Exploit_Archive_2 { meta: description = "Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files" date_created = "2023-05-26" date_modified = "2023-05-26" md5 = "0d67f50a0bf7a3a017784146ac41ada0" version = "1.0" strings: $ustar = { 75 73 74 61 72 } $b64_tmp = "/tmp/" base64 condition: filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_tmp in (i * 512 .. i * 512 + 250) ) } |
|
Details | Yara rule | 1 | rule M_Hunting_Exploit_Archive_3 { meta: description = "Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files" date_created = "2023-05-26" date_modified = "2023-05-26" md5 = "0d67f50a0bf7a3a017784146ac41ada0" version = "1.0" strings: $ustar = { 75 73 74 61 72 } $b64_openssl = "openssl" base64 condition: filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $b64_openssl in (i * 512 .. i * 512 + 250) ) } |
|
Details | Yara rule | 1 | rule M_Hunting_Exploit_Archive_CVE_2023_2868 { meta: description = "Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868" date_created = "2023-05-26" date_modified = "2023-05-26" md5 = "0d67f50a0bf7a3a017784146ac41ada0" version = "1.0" strings: $ustar = { 75 73 74 61 72 } $qb = "'`" condition: filesize < 1MB and $ustar at 257 and for any i in (0 .. #ustar) : ( $qb at (@ustar[i] + 255) ) } |
|
Details | Yara rule | 1 | rule M_Hunting_Linux_Funchook { strings: $f = "funchook_" $s1 = "Enter funchook_create()" $s2 = "Leave funchook_create() => %p" $s3 = "Enter funchook_prepare(%p, %p, %p)" $s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d" $s5 = "Enter funchook_install(%p, 0x%x)" $s6 = "Leave funchook_install() => %d" $s7 = "Enter funchook_uninstall(%p, 0x%x)" $s8 = "Leave funchook_uninstall() => %d" $s9 = "Enter funchook_destroy(%p)" $s10 = "Leave funchook_destroy() => %d" $s11 = "Could not modify already-installed funchook handle." $s12 = " change %s address from %p to %p" $s13 = " link_map addr=%p, name=%s" $s14 = " ELF type is neither ET_EXEC nor ET_DYN." $s15 = " not a valid ELF module %s." $s16 = "Failed to protect memory %p (size=%" $s17 = " protect memory %p (size=%" $s18 = "Failed to unprotect memory %p (size=%" $s19 = " unprotect memory %p (size=%" $s20 = "Failed to unprotect page %p (size=%" $s21 = " unprotect page %p (size=%" $s22 = "Failed to protect page %p (size=%" $s23 = " protect page %p (size=%" $s24 = "Failed to deallocate page %p (size=%" $s25 = " deallocate page %p (size=%" $s26 = " allocate page %p (size=%" $s27 = " try to allocate %p but %p (size=%" $s28 = " allocate page %p (size=%" $s29 = "Could not find a free region near %p" $s30 = " -- Use address %p or %p for function %p" condition: filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*)) } |
|
Details | Yara rule | 1 | rule M_Hunting_Linux_SALTWATER_1 { strings: $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 } $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 } condition: filesize < 15MB and uint32(0) == 0x464c457f and any of them } |
|
Details | Yara rule | 1 | rule M_Hunting_Linux_SALTWATER_2 { strings: $c1 = "TunnelArgs" $c2 = "DownloadChannel" $c3 = "UploadChannel" $c4 = "ProxyChannel" $c5 = "ShellChannel" $c6 = "MyWriteAll" $c7 = "MyReadAll" $c8 = "Connected2Vps" $c9 = "CheckRemoteIp" $c10 = "GetFileSize" $s1 = "[-] error: popen failed" $s2 = "/home/product/code/config/ssl_engine_cert.pem" $s3 = "libbindshell.so" condition: filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*)) } |