CVE-2023-7102: A zero-day flaw affects Barracuda Email Security Gateway

CVE-2023-7101 - CVE-2023-7102

Barracuda Networks has faced a formidable challenge with the discovery of two zero-day vulnerabilities, CVE-2023-7102 and CVE-2023-7101, both linked to the Spreadsheet::ParseExcel library. Both stem from an Arbitrary Code Execution (ACE) flaw in this third-party library and were exploited by the China-nexus actor UNC4841. Barracuda, in collaboration with Mandiant, discovered that this vulnerability was used to target a limited number of their Email Security Gateway (ESG) devices with a malicious Excel email attachment.

The vulnerability identified as CVE-2023-7102 stems from the open-source third-party library Spreadsheet::ParseExcel, which is used in ESG’s malware protection features. This issue affects versions up to Barracuda ESG 9.2.1.001. It allows remote execution of arbitrary code without authentication through specially crafted files attached to emails. A separate vulnerability in Barracuda ESG, CVE-2023-2868, was identified in May; it is a different flaw, so take care not to confuse the two.

Barracuda has reported active attacks targeting CVE-2023-7102, linked to the China-associated group UNC4841, which was also involved in attacks exploiting CVE-2023-2868. In response, Barracuda swiftly deployed a security update on December 21, 2023, to all active ESGs, fortifying them against this ACE vulnerability. This proactive measure required no customer action and exemplifies Barracuda’s commitment to safeguarding its technology.


However, the saga didn’t end there. Following the exploitation of CVE-2023-7102, Barracuda observed the deployment of new variants of SEASPY and SALTWATER malware on a few compromised ESG devices. To counter this, another patch was released on December 22, 2023, aimed specifically at remedying devices showing signs of these malware infections.

In a broader move to raise awareness, Barracuda also filed CVE-2023-7101, highlighting the ACE vulnerability in Spreadsheet::ParseExcel, which remains unpatched in the open-source library. This vulnerability poses a significant risk as it allows attackers to execute arbitrary code by manipulating Number format strings in Excel files.

“Spreadsheet::ParseExcel is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type ‘eval’. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic,” reads the security advisory.
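The bug class the advisory describes, a string-form `eval` applied to file-supplied text, next to a hardened replacement, as an added Perl example that is not code from Spreadsheet::ParseExcel or Barracuda. The function name `condition_matches`, the bracketed-comparison grammar and the sample conditions are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not code from Spreadsheet::ParseExcel or Barracuda.
use strict;
use warnings;

# Dispatch table: the only comparisons a condition is allowed to name.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# UNSAFE pattern (the bug class), shown only as a comment:
#     my $ok = eval "$number $condition";
# Text read from the file is handed to the Perl compiler as source code.
#
# Hardened form: match the condition against a strict grammar, then dispatch.
# Returns 1 or 0 for a valid condition, undef when the text is anything else.
sub condition_matches {
    my ($number, $condition) = @_;
    return undef unless defined $condition
        && $condition =~ /\A\[(<=|>=|<>|<|>|=)(-?[0-9]+(?:\.[0-9]+)?)\]\z/;
    my ($op, $operand) = ($1, $2);
    return $COMPARE{$op}->($number, $operand) ? 1 : 0;
}

# Constructed sample conditions (hypothetical, not taken from any real file).
my @samples = (
    [ 150, '[>100]'            ],
    [ 50,  '[>=100]'           ],
    [ 7,   '[<>7]'             ],
    [ 1,   '[>100 extra text]' ],   # not a plain comparison: rejected
);

for my $s (@samples) {
    my ($n, $cond) = @$s;
    my $r = condition_matches($n, $cond);
    printf "%-20s value=%-4s => %s\n", $cond, $n,
        !defined $r ? 'REJECTED (never evaluated)'
                    : $r ? 'match' : 'no match';
}
```

The hardened function never compiles input as code: anything outside the allowlisted operator and numeric operand returns `undef`, which callers can log as a parsing anomaly.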

This case underscores the importance of continuous vigilance and rapid response in the cybersecurity realm. For organizations using Spreadsheet::ParseExcel, Barracuda’s findings serve as a crucial alert to review CVE-2023-7101 and implement necessary safeguards. Moreover, to assist in hunting for related UNC4841 activities, Barracuda has released Indicators of Compromise, equipping organizations with the tools to detect and thwart these sophisticated cyber threats.