Advisory December 27, 2023

Barracuda Vulnerabilities CVE-2023-7102 & CVE-2023-7101

The Obrela Threat Intelligence Team

Barracuda ESG Zero-Day Vulnerabilities CVE-2023-7102 and CVE-2023-7101

Barracuda Networks has disclosed and addressed two related vulnerabilities: CVE-2023-7102, an arbitrary code execution (ACE) flaw in its Email Security Gateway (ESG) appliance, and CVE-2023-7101, the underlying flaw in the open-source Perl library Spreadsheet::ParseExcel that the appliance uses to parse Excel files. The China-nexus threat actor UNC4841 exploited CVE-2023-7102 as a zero-day by sending emails with malicious Excel attachments to ESG appliances, which parsed the attachments and executed attacker-controlled code.

CVE-2023-7102: Barracuda ESG Vulnerability

The first vulnerability, CVE-2023-7102, is an ACE flaw in the third-party Spreadsheet::ParseExcel library, which is used by the Amavis virus scanner that runs on ESG appliances. UNC4841 exploited it to execute arbitrary code on the appliance itself; ESG firmware versions 5.1.3.001 through 9.2.1.001 are affected. The flaw carries a CVSSv2 score of 7.5 and a CVSSv3 score of 8.8.

CVE-2023-7101: Unpatched ACE Vulnerability in Spreadsheet::ParseExcel

Because the root cause lies in the open-source library rather than in Barracuda's own code, Barracuda filed CVE-2023-7101 to track the unpatched ACE vulnerability in Spreadsheet::ParseExcel and to alert other users of the library. The library evaluates the Number format strings found in an Excel file (not to be confused with printf-style format strings) by passing unvalidated content from the file into a Perl string eval, so a crafted format string in an attacker-supplied spreadsheet results in arbitrary code execution in any application that parses untrusted .xls files with this library, not only on Barracuda ESG.
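To make the flaw class concrete, here is an added example written for this advisory. It is not code from Barracuda, Obrela or the Spreadsheet::ParseExcel project and does not reproduce the library's actual ExcelFmt implementation; the render_unsafe and render_safe routines, the simplified format grammar and the payload are all constructed for illustration, and the payload is hypothetical, not an observed UNC4841 sample. It shows the generic pattern the CVE describes: a Number format string taken from the untrusted file is spliced into Perl source and handed to string eval, so a crafted format string runs attacker code, whereas the hardened version parses the format against a whitelist grammar and never evaluates data as code.

```perl
#!/usr/bin/perl
# Added example: a model of the vulnerability class behind CVE-2023-7101.
# This is not Spreadsheet::ParseExcel's code and does not reproduce its
# ExcelFmt implementation; it only shows why feeding an untrusted Number
# format string into a Perl string eval yields arbitrary code execution.
use strict;
use warnings;

# Marker that is set only if attacker-supplied code actually executes.
# A real payload would call system() or open a socket instead.
our $PWNED = 0;

# VULNERABLE pattern: render a cell with an Excel-style format such as
# '0.00 "kg"' by generating Perl source for it and eval-ing that source.
# The quoted literal is copied into the generated code without escaping,
# so a crafted format string can break out of the string literal.
sub render_unsafe {
    my ($fmt, $val) = @_;
    my $decimals = ($fmt =~ /\.(0+)/)  ? length($1) : 0;
    my $literal  = ($fmt =~ /"(.*)"/)  ? $1         : '';   # greedy, unescaped
    my $code     = qq{sprintf("%.${decimals}f", $val) . "$literal"};
    my $out      = eval $code;           # data has become code
    die "eval failed: $@" if $@;
    return $out;
}

# HARDENED pattern: never turn data into code. Parse the format against a
# strict grammar (digit placeholders, optional decimals, optional quoted
# literal that may not itself contain a quote), refuse anything else, and
# build the output with sprintf plus ordinary string concatenation.
sub render_safe {
    my ($fmt, $val) = @_;
    $fmt =~ /\A[#0,]*(?:\.(0+))?(?:\s*"([^"]*)")?\z/
        or return undef;                 # unsupported or suspicious: reject
    my $decimals = defined $1 ? length($1) : 0;
    my $literal  = defined $2 ? $2         : '';
    return sprintf("%.${decimals}f", $val) . $literal;
}

# Constructed inputs: one benign format string and one hypothetical
# attacker-controlled format string (not an observed UNC4841 payload).
# The malicious one closes the literal, runs arbitrary Perl, then reopens
# a string so that the generated source still parses.
my $value     = 1234.5;
my $benign    = '0.00 "kg"';
my $malicious = '0.00 "kg" . do { $main::PWNED = 1; " (evaluated)" } . "';

print "unsafe/benign:     ", render_unsafe($benign,    $value), "\n";
print "unsafe/malicious:  ", render_unsafe($malicious, $value), "\n";
print "attacker code ran: $PWNED\n";

$PWNED = 0;
print "safe/benign:       ", render_safe($benign, $value), "\n";
my $r = render_safe($malicious, $value);
print "safe/malicious:    ", (defined $r ? $r : 'REJECTED'), "\n";
print "attacker code ran: $PWNED\n";
```

The point of the hardened routine is not the particular regex but the design rule: the format string is treated as data to be matched against a fixed grammar and rejected on mismatch, and the rendered output is assembled with sprintf and concatenation, so there is no code path in which file content reaches eval. Until a fixed release of the library is in place, the same rule applies at the application level: do not hand untrusted spreadsheets to it, or confine the parsing process so that code execution inside it cannot reach the rest of the system.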

Threat Actor and Malware Exploitation

Mandiant attributed the exploitation of CVE-2023-7102 to UNC4841, a threat actor active since at least October 2022 across multiple industries and sectors that conducts cyber espionage in support of China. UNC4841 was previously linked to the exploitation of CVE-2023-2868, a remote command injection vulnerability in a subset of Barracuda ESG appliances. While investigating the new exploitation attempts, Barracuda found new variants of the SEASPY and SALTWATER malware on compromised ESG devices. UNC4841 relies mostly on backdoors such as SALTWATER, SEASPY and SEASIDE to maintain access, send emails and move through the victim's network.

Barracuda’s Response

Barracuda, working with Mandiant, investigated and addressed CVE-2023-7102. A security update was deployed automatically to all active ESG appliances on December 21, 2023, with no customer action required. In response to the SEASPY and SALTWATER findings, a further patch was deployed on December 22, 2023, to remediate the ESG appliances that exhibited indicators of compromise for these malware variants, and Barracuda published the associated Indicators of Compromise (IoCs). At the time of this update there is no known patch or update that remediates CVE-2023-7101 in the open-source library itself.

Recommendations

  • Organizations that use Spreadsheet::ParseExcel, directly or through a product that embeds it, should review CVE-2023-7101 and, until a fixed release is available, avoid parsing untrusted spreadsheets with the library or isolate the process that does so.
  • Barracuda ESG customers do not need to apply the December 21 update manually, but should review the IoCs Barracuda released for UNC4841 activity related to these vulnerabilities and check their appliances and environment for them.
