
Warning: New Exploited Critical Vulnerability Found in Barracuda ESG Appliances, successful exploitation of CVE-2023-7102 could lead to RCE!

Reference: Advisory #2023-155
Version: 1.0
Affected software: Barracuda Email Security Gateway Appliance (ESG) >= v5.1.3.001 and <= v9.2.1.001
Type: Remote Code Execution (RCE)
CVE/CVSS: CVE-2023-7102: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.barracuda.com/company/legal/esg-vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-7102

https://www.tenable.com/cve/CVE-2023-7102

Risks

Barracuda Networks discovered an Arbitrary Code Execution (ACE) vulnerability in its Barracuda Email Security Gateway (ESG) Appliances. Successful exploitation of CVE-2023-7102 could allow attackers to remotely execute arbitrary commands on the ESG appliance by sending it an email containing a malicious Excel file, with a high impact on confidentiality, integrity and availability (the full CIA triad).

There is a proof-of-concept exploit publicly available for this vulnerability and it is already exploited by threat actors in the wild.

Description

CVE-2023-7102 resides within the use of the third-party Perl module Spreadsheet::ParseExcel, which the Amavis virus scanner in Barracuda Email Security Gateway (ESG) Appliances uses to parse Microsoft Excel files. Spreadsheet::ParseExcel is vulnerable to arbitrary code execution because it passes unvalidated input from a file into a string-type eval. This allows attackers to run arbitrary commands on any system where an Excel file is parsed with the Spreadsheet::ParseExcel module.

When a remote attacker emails a maliciously crafted Excel file to a vulnerable Barracuda Email Security Gateway (ESG) Appliance, the attacker can run arbitrary code on the ESG Appliance. The code execution is triggered by the Amavis virus scanner within the ESG Appliance, which uses Spreadsheet::ParseExcel to analyze the Excel files attached to an email.

The vulnerability within the Spreadsheet::ParseExcel module itself has the CVE entry CVE-2023-7101; the use of this unmaintained third-party component within the Barracuda Email Security Gateway (ESG) Appliance has the CVE entry CVE-2023-7102.
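As an added illustration of the bug class described above (not code from this advisory or from Spreadsheet::ParseExcel), the Perl below contrasts a number-format routine that builds a string eval from a format string read out of an untrusted spreadsheet with a hardened routine that validates the format against a whitelist and interprets it without eval. The function names, the whitelist and the harmless test string are constructed for the example; the "hostile" format only sets a flag so the effect is visible without doing anything.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed illustration of the defect behind CVE-2023-7101: a number
# format string taken from an untrusted .xls file is interpolated into a
# string eval, so file content becomes Perl source. Not the module's code.
sub format_number_unsafe {
    my ($value, $fmt) = @_;
    my $code = "sprintf('$fmt', $value)";   # data becomes source code
    my $out  = eval $code;                  # string eval runs it
    return defined $out ? $out : "eval failed: $@";
}

# Hardened version: never evaluate the format; accept only the characters a
# simple numeric format may contain and interpret it by inspection.
sub format_number_safe {
    my ($value, $fmt) = @_;
    # Fall back to a plain rendering when the format is not a simple numeric
    # pattern; a scanner must not trust anything else coming from the file.
    return "$value" unless defined $fmt && $fmt =~ /\A[0#,.%]+\z/;
    my $decimals = ($fmt =~ /\.([0#]+)/) ? length $1 : 0;
    my $scaled   = ($fmt =~ /%/) ? $value * 100 : $value;
    my $out      = sprintf('%.*f', $decimals, $scaled);
    if ($fmt =~ /,/) {   # thousands grouping on the integer part only
        my ($int, $frac) = split /\./, $out, 2;
        1 while $int =~ s/^(-?\d+)(\d{3})/$1,$2/;
        $out = defined $frac ? "$int.$frac" : $int;
    }
    $out .= '%' if $fmt =~ /%/;
    return $out;
}

# Constructed hostile format string: it closes the sprintf call and appends a
# Perl statement that only sets a flag, so the demonstration is harmless.
our $TRIGGERED = 0;
my $hostile = q{%s', 0); $main::TRIGGERED = 1; sprintf('%s};

format_number_unsafe(42, $hostile);
print "unsafe path ran embedded code: ", ($TRIGGERED ? "yes" : "no"), "\n";

$TRIGGERED = 0;
print "safe path output: ", format_number_safe(42, $hostile), "\n";
print "safe path ran embedded code: ", ($TRIGGERED ? "yes" : "no"), "\n";
print "safe path on '#,##0.00': ", format_number_safe(1234.5, '#,##0.00'), "\n";
print "safe path on '0%': ", format_number_safe(0.25, '0%'), "\n";
```

The same whitelist-and-interpret approach is the check to look for when reviewing any parser that hands file-derived strings to an interpreter.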

Barracuda Networks worked together with Mandiant to investigate the exploitation of CVE-2023-7102 and found that the vulnerability had been exploited on a limited number of ESG devices to deploy new variants of the SEASPY and SALTWATER malware.


Recommended Actions

Patch

Barracuda automatically deployed a security update to all active Email Security Gateway (ESG) devices, but it is worth verifying that your ESG device is running a version higher than v9.2.1.001.

Monitor/Detect

Since the vulnerability is known to be exploited by threat actors, it is mandatory to check for any traces of exploitation using the indicators of compromise shared by Barracuda Networks at https://www.barracuda.com/company/legal/esg-vulnerability.

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, please report the incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md