Please Read Before Updating
Before installing any firmware version, be sure to make a backup of your configuration and read all release notes that apply to versions more recent than the one currently running on your system.
Note that updating to this release may cause you to lose any patches that have been installed by Barracuda Networks Technical Support onto your system. Please check the version details below to verify that the bug number for your issue is marked as fixed in the version that you are trying to install (or an earlier one) prior to installing.
Do not manually reboot your system at any time during an update, unless otherwise instructed by Barracuda Networks Technical Support. Depending on your current firmware version and other system factors, the update process could take up to 10 minutes. If the process takes longer, please contact Technical Support for further assistance.
Before updating, BE SURE TO TAKE THE BARRACUDA EMAIL SECURITY GATEWAY OFFLINE. This will ensure that the inbound queue is emptied and all messages are scanned before the update process begins. See the BASIC > Administration page for the Offline button.
Updating to Version 9.x
WARNING: After clicking Apply Now on the ADVANCED > Firmware Update page, the progress bar may appear to time out and the administrator may need to manually return to the login screen after 5 minutes if it doesn't load automatically in the browser.
Firmware Version 9.2
What's New in Version 9.2
Mail Processing
- When the Inbound External Sender Warning on the BASIC > Administration page is enabled, this feature now allows for customization of the header text added to inbound emails sent from external domains.
Web Interface
- Web interface and quarantine emails are now translated to Latvian and Slovak.
Vulnerability
- Updated to the latest OpenSSL, 1.1.1k. [BNSEC-9192]
Fixed in Version 9.2
- Fixed issue where false positives (inbound emails that are from internal domains being flagged as external) triggered external sender warnings. [BNSF-35503]
- To fix an issue where large content filter values could result in deferred email without a listed reason, the content filter text input size is now limited to 6131 characters. An error message will indicate if this limit is exceeded. [BNSF-28938]
- When multiple emails are selected for redelivery, the body of each email has the correct contents. [BNSF-35455]
Version 9.2.1.002
Fixes:
- Fix for loading message body for emails that are stored in mstore [BNSF-36879]
- Fix for certificate validation issue [BNSF-36860]
- Fix for ParseExcel vulnerability [BNSF-36869] [CVE-2023-7102]
Version 9.2.1.001
Fixed vulnerabilities:
- Potential issue for XSS account parameter in Users > Account View. [BNSF-21438] [BNSEC-6279]
- Potential issue for BEAST attack on TLS has been addressed. [BNSF-20357] [BNSEC-1132] [CVE-2011-3389]
- Fix for stored XSS in the Domain Manager LDAP function. [BNSF-25786] [BNSEC-6894]
- Fix for authenticated header injection in logexport.cgi. [BNSF-22647] [BNSEC-4772]
- Fix for root CA Stores. [BNSF-26110] [BNSEC-7164]
- Potential vulnerability for XXE in Exchange Antivirus endpoints has been mitigated. [BNSF-25774] [BNSEC-6183]
- Potential issue with the sudoers has been fixed. [BNSF-25773] [BNSEC-1718]
- Open Source Samba Security Vulnerability has been addressed. [BNSF-35253] [CVE-2017-7494]
- Potential issue with jQuery Vulnerability has been mitigated. [BNSF-35946] [CVE-2020-11023]
Version 9.2.0.008
- Addresses CVE-2023-2868 [BNSF-36481]
Version 9.2.0.006
- Fixed issue where false positives (inbound emails that are from internal domains being flagged as external) triggered external sender warnings. [BNSF-35503]
- To fix an issue where large content filter values could result in deferred email without a listed reason, the content filter text input size is now limited to 6131 characters. An error message will indicate if this limit is exceeded. [BNSF-28938]
- When multiple emails are selected for redelivery, the body of each email has the correct contents. [BNSF-35455]
Firmware Version 9.1
What's New in Version 9.1
Authentication
- When a user receives a 'lockout' email after 5 failed login attempts, the email message from the Barracuda Email Security Gateway now shows the hostname from the Quarantine Host field on the BASIC > Quarantine page INSTEAD of the system IP address. If the Quarantine Host field is not configured, the email will instead use the Default Domain for the hostname. [BNSF-28981]
- New Verify LDAP Certificate setting on the Domains > Manage Domains > USERS > LDAP Configuration page to verify LDAP connections when using SSL/TLS. [BNSF-28895]
Web Interface
- New Supported SSL Protocols setting on the ADVANCED > Secure Administration page to indicate which TLS versions to support. [BNSF-28979]
- Replaced all references to Blocklist / Whitelist with Block List / Allow List. [BNSF-10230] [BNSF-35056]
Clustering
- Improved management of Quarantine inbox for clustered systems. [BNSF-35078]
- Added additional check to ensure that clustered devices cannot be upgraded/downgraded if they are not in Standby mode. [BNSF-28997]
Vulnerability
- Upgraded support for OpenSSL 1.1.1g. [BNSF-28929]
- Improved default TLS-over-SMTP security posture. [BNSF-34957]
Virtualization
- Enhancement: Tuned database configuration for Microsoft Azure and Amazon AWS. [BNSF-28861]
Version 9.1.0.002
- Scheduled automated reports on the BASIC > Reports page send successfully. [BNSF-35236]
- Synchronization between clustered systems works as expected. [BNSF-35240]
- Fixed an edge case leading to a malformed email when Inbound External Sender Warning is enabled. [BNSF-35170]
- Quarantined emails that have wide characters in the subject line are delivered successfully. [BNSF-35238]
Version 9.1.0.001
- Fixed an issue with SNMP agent not starting after firmware upgrade. [BNSF-28957]
- Fixed an issue related to messages failing to delete through Advanced > Queue Management. [BNSF-28942]
- Fixed an issue related to pop-up not working for Secondary Authorization on the BASIC > Administration page. [BNSF-35122]
Firmware Version 9.0
What's New in Version 9.0
Web Interface
- Drop-down Help button control on some web interface pages, providing links to relevant Barracuda Campus articles for additional information about features configured on those pages.
- On the BASIC > IP Configuration page, Trusted Forwarder has been renamed Known Forwarder.
- Firmware Patches option for pushing product/security patches to the Barracuda Email Security Gateway on ADVANCED > Firmware Update page.
- Uptime - Display of uptime of the Barracuda Email Security Gateway in days, hours, and minutes in the System Management section of the BASIC > Administration page.
Mail Processing
- Block Macros enhancement - This feature now exempts whitelisted senders. See the BLOCK/ACCEPT > Attachment Filters page.
- Inbound External Sender Warning - Ability to enable external sender warning for inbound emails on BASIC > Administration page. [BNSF-28378]
- Improved Spam protection.
- Added support to block RAR 5.0.
- Sender spoofing settings of child domains are now independent of the parent domain.
- Improved sender whitelisting to avoid spam through sender spoofing.
Authentication
- SSL/TLS Mode option - Supports LDAPS for SMTP AUTH requests. Configure on the LDAP tab of BASIC > Outbound page.
Message Log
- Re-delivery log entry added to the Message Log when a blocked message is manually delivered by the administrator.
Security
- Ability to store trusted CA. [BNSF-27319]
- Improvements for backup through FTP: Added support for FTPSSL session reuse. [BNSF-28711]
- CVE-2016-5385: HTTPoxy. [BNSF-25943]
- Message Log P-XSS - malicious PTR record affects N/A. [BNSF-26827]
- Upgraded jQuery library - CVE-2015-9251 [BNSF-28117]
- Vulnerability: BCrypt support [BNSF-20799]
- Vulnerability: Login susceptible to directory harvesting. [BNSF-22574]
- Vulnerability: Avoid potential leaking of blind carbon copied email addresses. [BNSF-28723]
- Added support for TLSv1.3 over SMTP and HTTPS by default for Barracuda Email Security Gateway.
Fixed in Version 9.0
- Fixed high severity vulnerability: Upgraded OpenSSL to address the following CVEs: CVE-2019-1563, CVE-2019-1547, CVE-2019-1552. [BNSF-27318]
- Vulnerability: Fixed unauthenticated XSS attack via view_help.cgi [BNSF-22335]
- Vulnerability: Fixed data path based persistent XSS attack through Message Log. [BNSF-26827]
- Vulnerability: Fixed unauthenticated remote command execution on Barracuda Email Security Gateway. [BNSF-27738]
- Misspelled password in 'Dansk' language on login page. [BNSF-28012]
Version 9.0.0.005
- Fixed issue in which the Message Log did not load through Barracuda Appliance Control in some scenarios. [BNSF-29802]
- Fixed error in Syslog start-up in some cases. [BNSF-28904]
Version 9.0.0.004
- Improved help documentation for secure integration of the Barracuda Email Security Gateway with other servers. [BNSF-28817]
- Fixed issue where Barracuda Support could not access the Barracuda Email Security Gateway when the Administrator IP/Range was configured on the BASIC > Administration page. [BNSF-28871]
Version 9.0.0.003
- Fixed: Peer Cert verification to enable encryption for outbound email. [BNSF-28842]
- Vulnerability fix: TLS connection for outbound emails. [BNSF-28837]
- Fixed: Issue related to purging emails. [BNSF-28841]
Version 9.0.0.002
- Improvement: Improved Spam Scanning. [BNSF-28802]
- Improvement: When Inbound External Sender Warning is set to Yes on the BASIC > Administration page, the associated warning message is added to each section of emails that have both a text/plain and a text/html body. [BNSF-28822]
- Fixed: Reverting from version 9.0 to earlier versions completes successfully. [BNSF-28802]
- Fixed issue with quarantine notification email for Japanese Language. [BNSF-28754]
Updating to Version 8.x
WARNING: After clicking Apply Now on the ADVANCED > Firmware Update page, the progress bar may appear to time out and the administrator may need to manually return to the login screen after 5 minutes if it doesn't load automatically in the browser.
Firmware Version 8.2.0
What's New in Version 8.2
- Improved support for Support Tunnel 2.0.
Version 8.2.0.002
Security
- Resolved Brazil Daylight Savings Time Zone issue. [BNSF-28612]
Version 8.2.0.001
Security
- Resolved XSS vulnerability for Message Log view. [BNSF-28394]
- Resolved vulnerability related to LDAP bind password being exposed. (R7-2019-39). [BNSF-28578]
- Improved support for SMB 2.0 backups. [BNSF-28514]
Firmware Version 8.1.0
Version 8.1.0.005
Web Interface
- Resolved compatibility issues with older kernels. [BNSF-28561]
Version 8.1.0.004
Security
- Fixed medium severity vulnerability: Updated OpenSSL to address CVE-2017-3736.
Version 8.1.0.003
Security
- Support for SMB 2.0 and 3.0 for backup. [BNSF-26803]
Version 8.1.0.002
Authentication
- New option on BASIC > Quarantine page to enable/disable SSO/auto-login for users through links in Quarantine summary emails. [BNSF-27803]
- New option to disable default LDAP filters used for authenticating the user on USERS > LDAP Configuration page at the Domain level. [BNSF-27992]
Security
- Support for support tunnel version 2.0 [BNSF-27807]
- Updated root CA certificates [BNSF-27930]
- Spam accuracy improvements [BNSF-28017]
Web Interface
- Extended Malware Subscription information is no longer displayed on the BASIC > Dashboard page. [BNSF-27935]
- The Outbound Quarantine feature is now available for Barracuda Email Security Gateway model v100. [BNSF-27796]
Firmware Version 8.0
What's New in Version 8.0
Web Interface
- The Barracuda Spam Firewall has been renamed the Barracuda Email Security Gateway.
Barracuda Exchange Antivirus Agent
- The Barracuda Exchange Antivirus Agent no longer supports Microsoft Exchange Server 2007. See How to Get and Configure Barracuda Exchange Antivirus Agent 8.x.
Fixed in Version 8.0
Version 8.0.4.002
Security
- Upgraded SAVAPI version to continue support for 'Extended Malware Protection'. [BNSF-27814]
Version 8.0.4.001
Authentication
- Feature: LDAP/RADIUS/POP single sign-on (SSO) users can use their local password when logging into the Barracuda Email Security Gateway. [BNSF-27556]
Mail Processing
- Option to disable TLS 1.0 over SMTP through Barracuda Email Security Gateway web interface to conform to PCI standards of TLS 1.1+. [BNSF-27561]
Message Log
- Improvement: Added a popup to indicate that only 10k message lines from the Message Log can be exported when the Barracuda Email Security Gateway is clustered. [BNSF-27650]
Security
- Resolved vulnerability with 7zip file compression (CVE-2018-10115). [BNSF-27684]
Version 8.0.3.004
- Fix: Resolved issue where marking email as not spam in quarantine did not auto deliver when logged in as user. [BNSF-27442]
Version 8.0.3.003
- Feature: Active session tokens are now transmitted via cookies, rather than in a URL. This means that end-users will no longer be able to click on a link in the quarantine summary email to log directly into a quarantine inbox without the use of a password. [BNSF-26659]
Version 8.0.3.002
- Fix: Resolved issue that affected mail processing after upgrading the firmware. [BNSF-26691]
Version 8.0.3
Barracuda Outlook Add-in
- Enhancement: Added support for TLS 1.1 and TLS 1.2. [BNSF-25586]
Notifications
- Enhancement: The system administrator and email recipient can receive notifications when a message is blocked due to a virus. Configure on the ADVANCED > Bounce/NDR Settings page. [BNSF-25486]
Mail Processing
- Improved spam scanning. [BNSF-26591]
Version 8.0.2
Barracuda Exchange Antivirus Agent
- Enhancement: Added support for Microsoft Exchange 2016.
Web Interface
- Fix: A Welcome email is not sent when a new user account is created due to a quarantined email. [BNSF-25904]
Security
- High severity vulnerability: authenticated, remote code injection [BNSEC-6613 / BNSF-25407]
- High severity vulnerability: unauthenticated, remotely exploitable, code injection [BNSEC-6223 / BNSF-24618]
- High severity vulnerability: remotely exploitable, buffer overflow [BNSEC-2012 / BNSF-24897]
- Medium - High severity vulnerability: unauthenticated, remotely exploitable, denial of service (DoS), ssl weakness [BNSEC-7107 / BNSF-25937]
- Medium - High severity vulnerability: unauthenticated, remotely exploitable, limited HTML content control, XSS delivered outside of the web based interface [BNSEC-6227 / BNSF-24635]
- Medium - High severity vulnerability: unauthenticated, remotely exploitable [BNSEC-6225 / BNSF-24621]
- Medium severity vulnerability: non-persistent XSS [BNSEC-2678 / BNSF-23507]
Version 8.0.1.001
Mail Processing
- Enhancement: Mail with Microsoft Office attachments that contain macros can be blocked. Configure on the BLOCK/ACCEPT > Attachment Filters page. [BNSF-23786]
Web Interface
- Fix: Resolved issue which prevented the Dashboard from displaying during update server outages. [BNSF-25934]
- Fix: Resolved issue preventing access to the ADVANCED > Energize Updates and the ADVANCED > Firmware Update pages when the Barracuda Email Security Gateway was offline. [BNSF-25929]
Barracuda Exchange Antivirus Agent
- Enhancement: The Barracuda Exchange Antivirus Agent supports Microsoft Exchange Server 2016. [BNSF-25828]
Version 8.0.0.007
Mail Processing
- Enhancement: Improved Sender Spoof Protection efficiency. [BNSF-25835]
- Resolved issue which could cause excessive system load. [BNSF-25831, BNSF-25884]
- Resolved issues with malformed headers causing incorrect parsing. [BNSF-25836, BNSF-25838]
- Resolved issue with Multi-Level Intent Analysis. [BNSF-25907]
Clustering
- Improved handling of Standby mode in a clustered system. [BNSF-25797]
Version 8.0.0.005
Mail Processing
- Outbound messages from whitelisted IP addresses are now properly checked for encryption if encryption is enabled. [BNSF-25732]
- Links in the BASIC > Message Log message view page now work properly. [BNSF-22345]
Version 8.0.0.003
Mail Processing
- Improved attachment filtering/detection. [BNSF-25491]
Version 8.0.0.002
Mail Processing
- Downloading a PDF file attached to a message from the Message Log through BAC/BCS works as expected. [BNSF-25536]
- Attachment filtering blocks correctly even if MIME type encoding is not formatted correctly. [BNSF-20598]
- Messages received by the Barracuda Email Security Gateway which are just under the maximum message size are processed properly and are not blocked. [BNSF-25500]
- When the From header of a message has an unusual format, the unit does not time out when attempting to deliver the message from the user's quarantine inbox. [BNSF-25254]
- SMTP over TLS for outbound mail works as expected, the mail queues and delivers properly and the logs do not indicate errors. [BNSF-25437]
- Outbound quarantine emails with multi-line From headers due to UTF8 are delivered as expected. [BNSF-25309]
Notifications
- The Barracuda Email Security Gateway no longer sends out notifications that state "Encrypted email unable to be delivered" for emails that trigger encryption policies and have a blank sender. [BNSF-17895]
- Alert email announcing that Energize Updates subscription is about to expire is now branded correctly as Barracuda Email Security Gateway. [BNSF-25615]
- NDRs are not rejected by some mail servers, including O365, if they don't include a valid From header. [BNSF-25612]
Web Interface
- The Configuration Updated message only shows on web interface pages as needed. [BNSF-25566]
- Street Address and Driver's License information in emails trigger Privacy policies as expected. [BNSF-24772]
- When specifying a filename for an attachment content filter, the pattern specified (filename=) works when there is a space between the "= " and the filename. [BNSF-25491]
Security
- High severity vulnerability: persistent XSS, authenticated [BNSEC-6504 / BNSF-25215, BNSEC-4551 / BNSF-22345]
Version 8.0.0.001
Mail Processing
- Enhancement: Improved performance of IP Whitelisted and outbound message scanning. [BNSF-23352, BNSF-24293]
- Enhancement: Improved street address and driver's license detection. [BNSF-24388]
- Enhancement: Improved error handling for 'full disk' condition. [BNSF-24622]
- Enhancement: Added macro support for SPF records with macros. [BNSF-24659]
- Enhancement: Improved general performance of mail scoring and attachment scanning. [BNSF-24473]
- Enhancement: General improvements in PDF processing capabilities. [BNSF-24846]
- Enhancement: Improved HIPAA and Credit Card data detection. [BNSF-25026, BNSF-25028]
- Fix: Updated internal scanning processes to improve stability. [BNSF-21928, BNSF-24241, BNSF-25268]
- Fix: Resolved intermittent PTR detection issue. [BNSF-24546]
- Fix: Users who lack a mail attribute in LDAP are now properly quarantined. [BNSF-25136]
- Fix: LDAP Alias re-writing no longer rewrites the "To" header. [BNSF-25141]
- Fix: Lines exceeding 990 characters are no longer broken in multiple places. [BNSF-25206]
Web Interface
- Enhancement: Administrative ACLs can be temporarily removed through the Console Administrator with the System > Reset Administrator IP/Range selection. [BNSF-23352]
- Enhancement: Invalid username and password attempts are now logged to the Web Syslog. [BNSF-24629]
- Enhancement: Improved performance of bulk classification of Spam/Not Spam. [BNSF-25000]
- Enhancement: Messages with unknown character sets are now treated as UTF-8. [BNSF-25086]
- Enhancement: Updated Japanese help file translations. [BNSF-25088]
- Enhancement: Improved web interface load times in general, and especially for BASIC > IP Configuration. [BNSF-25193, BNSF-25199]
- Fix: Message viewer Download and Delivery buttons now show properly for all window sizes. [BNSF-24177]
- Fix: Miscellaneous web interface improvements. [BNSF-24300, BNSF-24381]
- Fix: New user quarantine email links now work properly. [BNSF-24404]
- Fix: Users with an '&' in the name can now view the Quarantine Inbox. [BNSF-24764, BNSF-24961]
- Fix: Outbound Quarantine actions no longer result in an error page. [BNSF-24858]
- Fix: Invalid users can be removed. [BNSF-24860]
- Fix: Randomization has been improved for password generation. [BNSF-24995]
- Fix: The details for messages blocked without message bodies can now be viewed on all systems in a cluster. [BNSF-24973, BNSF-25053]
Reporting
- Fix: Fixed display of erroneous 'Permission denied'. [BNSF-24600]
- Fix: LDAP Failure Notifications are no longer triggered by outdated logs. [BNSF-25180]
Encryption
- Fix: Replies to encrypted emails are now archived. [BNSF-24496]
Virtualization
- Enhancement: Tuned database configuration for Microsoft Azure, Amazon AWS, and VMWare vCloud Air. [BNSF-24836]
Barracuda Outlook Add-in
- Fix: Resolved issue preventing Add-in authorization for some usernames. [BNSF-23766]
- Fix: Resolved issue which could cause the Add-in to appear in the wrong window. [BNSF-24585]
- Fix: The Add-in can now be used from an IP address in the Administration ACL IP Range. [BNSF-24759]
Security
- Fix: Resolved the following vulnerabilities:
- High severity vulnerability: authenticated, remotely exploitable, arbitrary command execution [BNSEC-5205 / BNSF-23281]
- High severity vulnerability: unauthenticated, remotely exploitable, brute force [BNSEC-5204 / BNSF-23282]
- High severity vulnerability: remotely exploitable, privilege escalation [BNSEC-5203 / BNSF-23285]
- Medium severity vulnerability: persistent XSS, unauthenticated, remotely exploitable [BNSEC-4622 / BNSF-24136]
- Medium severity vulnerability: non-persistent XSS, authenticated [BNSEC-3880 / BNSF-21745]
- Medium severity vulnerability: authenticated, insufficient authorization [BNSEC-2659 / BNSF-22336]
- Low severity vulnerability: non-persistent XSS, authenticated [BNSEC-2055 / BNSF-21775]
- Low severity vulnerability: Some non-persistent cross-site scripting vulnerabilities have been fixed. [BNSEC-877 / BNCMN-132]
- Low severity vulnerability: non-persistent XSS, authenticated [BNSEC-228 / BNSF-18340]