CVE-2023-7102: UNC4841 Targets Barracuda ESG
The Barracuda Email Security Gateway Appliance (ESG) Vulnerability security advisory highlights the ESG vulnerability CVE-2023-7102 that was discovered during an ongoing investigation.
Background:
This vulnerability in a third-party library allowed for arbitrary code execution (ACE) within a third-party library, Spreadsheet::ParseExcel which is utilized by the ESG appliance’s Amavis virus scanning. Investigations revealed that attackers, using specially crafted Excel files attached to emails, targeted a limited number of Barracuda ESG devices to deploy new variants of SeaSpy and SaltWater malware. Once a target receives an email with the malicious Excel attachment from UNC4841, the email is scanned by the Barracuda ESG appliance, thereby executing the malicious code contained in the Excel file. This requires no interaction from an end-user, making it highly impactful and effective. Working with Mandiant, Barracuda thinks that this conduct is a result of the China Nexus actor, tracked as UNC4841, continuing to operate. CVSSv2 gave the vulnerability a score of 7.5, and CVSS3 gave it an 8.8.CVE-2023-7102:
The use of a third-party Perl module called “Spreadsheet ParseExcel” by the Barracuda Email Security Gateway (ESG) Appliances’ “Amavis” virus scanner to parse Microsoft Excel files is the source of CVE-2023-7102. Since “Spreadsheet ParseExcel” evaluates string types and accepts unvalidated input from files, it is susceptible to arbitrary code execution. Because of this, attackers can execute any commands on the system that the “Spreadsheet ParseExcel” module uses to parse the Excel file. A Barracuda Email Security Gateway (ESG) Appliance that is susceptible to compromise can be compromised by a remote attacker who sends a malicious Excel file, giving the attacker the ability to execute arbitrary code on the ESG Appliance. The ESG Appliance’s “Amavis” virus scanner, which analyzes Excel files sent to emails using “Spreadsheet ParseExcel,” is what causes arbitrary code execution. The original flaw in the Spreadsheet::ParseExcel Perl module (version 0.65) remains unpatched and has been assigned the CVE identifier CVE-2023-7101, necessitating that downstream users take appropriate remedial action.The Barracuda Email Security Gateway (ESG) Appliance’s use of this unmaintained third-party component (“Spreadsheet ParseExcel”) has the following CVE entry: CVE-2023-7102.Recommendations:
All active Email Security Gateway (ESG) devices received a security update automatically from Barracuda; nonetheless, it is advisable to confirm that the version of the ESG software you are using is more recent than v9.2.1.001. Barracuda Networks has revealed indications of compromise which are also listed below, thus you must use them to look for any evidence of exploitation, as threat actors are known to take advantage of this vulnerability.IOCs:
Host IOCs
| Malware | MD5 Hash | SHA256 | File Name(s) | File Type |
|---|---|---|---|---|
| CVE-2023-7102 XLS Document | 2b172fe332 9260611a90 22e71acdebca | 803cb5a7de1fe006 7a9eeb220dfc24ca 56f3f571a986180e 146b6cf387855bdd | ads2.xls | xls |
| CVE-2023-7102 XLS Document | e7842edc78 68c8c5cf04 80dd98bcfe76 | 952c5f45d203d8f1 a7532e5b59af8e330 6b5c1c53a30624b6 733e0176d8d1acd | don.xls | xls |
| CVE-2023-7102 XLS Document | e7842edc78 68c8c5cf04 80dd98bcfe76 | 952c5f45d203d8f1 a7532e5b59af8e330 6b5c1c53a30624b6 733e0176d8d1acd | personalbudget.xls | xls |
| SEASPY | 7b83e4bd88 0bb9d7904e 8f553c2736e3 | 118fad9e1f03b8b1 abe00529c61dc3edf da043b787c908418 0d83535b4d177b7 | wifi-service | x-executable |
| SALTWATER | d493aab131 9f10c633f6 d223da232a27 | 34494ecb02a1ccca dda1c7693c45666e1 fe3928cc83576f8f 07380801b07d8ba | mod_tll.so | x-sharedlib |
Network IOCs:
| IP Address | ASN | Location |
|---|---|---|
| 23.224.99.242 | 40065 | US |
| 23.224.99.243 | 40065 | US |
| 23.224.99.244 | 40065 | US |
| 23.224.99.245 | 40065 | US |
| 23.224.99.246 | 40065 | US |
| 23.225.35.234 | 40065 | US |
| 23.225.35.235 | 40065 | US |
| 23.225.35.236 | 40065 | US |
| 23.225.35.237 | 40065 | US |
| 23.225.35.238 | 40065 | US |
| 107.148.41.146 | 398823 | US |