Barracuda Urges Replacing - Not Patching - Its Email Security Gateways


Post by rleiker »

Hi Everyone,

For any who are using Barracuda's appliances, this article will be of interest:

https://krebsonsecurity.com/2023/06/bar ... -gateways/
It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
Randy Leiker
Skyway Networks, LLC
Zimbra Hosting + Consulting Services
https://skywaynetworks.com

Re: Barracuda Urges Replacing - Not Patching - Its Email Security Gateways

Post by BradC »

Whoops!
“Impacted ESG appliances must be immediately replaced regardless of patch version level,” the company’s advisory warned. “Barracuda’s recommendation at this time is full replacement of the impacted ESG.”

In a statement, Barracuda said it will be providing the replacement product to impacted customers at no cost, and that not all ESG appliances were compromised.
At least they're standing by the product and providing no-cost replacement. They've also been pretty transparent with the vulnerabilities and process.

Re: Barracuda Urges Replacing - Not Patching - Its Email Security Gateways

Post by rainer_d »

The devices (virtual or physical) had been pretty much abandoned. AFAIK they hadn't released updates in years. The spam-filter itself is also pretty much a joke. AFAIK, DKIM checking broke and had to be disabled.

On-premise spam-filtering is pretty much dead at this point. Everybody and their dog wants you to join their cloud-based spam-filter - which IMHO completely defeats the purpose of an on-premise mail-solution (though, TBF, a lot of people will be running Zimbra on rented (virtual) hardware in a DC somewhere).