So , they F** it up are they going to replace it at no cost , or is this just the latest ploy of corporations finding new markets to exploit?
Hay we could work with virus writes and get our latest range promoted...
Barracuda has now told customers to "immediately" replace infected Email Security Gateway (ESG) appliances — even if they have received a patch to fix a critical bug under exploit. The vendor disclosed the remote command injection bug, tracked as CVE-2023-2868 flaw last week, which affects versions 5.1.3.001 to 9.2.0.006 of …
The suggestion on another thread is that he firmware has been corrupted in a way that prevents it from being replaced. I imagine that this means the firmware has been corrupted to (a) Always allow new code to be installed silently, thus contiuing the intrusion, and (b) silently prevents any further update/downgrade/replacement of the firmware.
It has to be something pretty low level to force a full blown replacement of hardware units.
Instead of Halt and catch fire, this is more halt and be incinerated
There are many controllers that could be infected, if it was only a drive, it would be an easy fix. "Every chip that has writeable memory" is a potential harbor for malware. It's likely they know what part(s) is infected and it's more work (labor time) to access pull the components, than the cost of replacing the unit.
A security appliance designed to secure networks becomes a security hazard itself. Who would've thought...
Tear out Barracuda's stuff and junk them. Replace them with someone's that knows how to make a secure appliance.
I'll bet Barracuda's management will put the company up for sale to a competitor, cashing in a nice bonus to boot.
"Tear out Barracuda's stuff and junk them. Replace them with someone's that knows how to make a secure appliance"
Whose, for example? There seems not to be a single vendor that can be relied on to deliver vulnerability-free code. Huawei has taken the public hammering for lousy code, but I bet they're no worse than any other vendor.
The only potential solution at present is defence in depth using kit from multiple vendors, although that's also suspect as they may well use the same buggy O/S libraries. Until the quality of software development reaches adequate standards, no real defence is possible.