Following recent disclosures by Barracuda Networks, the China-nexus threat actor UNC4841 exploited a new zero-day vulnerability (CVE-2023-7102) in Barracuda’s Email Security Gateway (ESG) appliances, deploying backdoors on a limited number of devices. This is the second zero-day found in Barracuda ESG appliances in 2023: CVE-2023-2868 was disclosed in May.
Here’s what you need to know:
CVE-2023-7102 at a glance
Affected products: Barracuda Networks’ Email Security Gateway (ESG) appliances
Product category: Email/Network Security
Severity: High (remote code execution on the appliance)
Type: Remote Code Execution (RCE) / zero-day exploit
Impact: Confidentiality, integrity and availability (attacker code runs on the appliance and persistent implants were deployed)
PoC: Yes
Exploited in the wild: Yes
CISA Catalog: No
Remediation action: Security update automatically deployed by Barracuda to active ESG appliances on December 21, 2023. Users of the Spreadsheet::ParseExcel Perl module (version 0.65 and earlier) outside the ESG product must remediate separately; the library flaw itself is tracked as CVE-2023-7101.
MITRE advisory:
What is CVE-2023-7102?
The vulnerability, tracked as CVE-2023-7102, is arbitrary code execution on Barracuda’s ESG appliances through a flaw in the Spreadsheet::ParseExcel Perl module, which the appliance’s Amavis virus scanner uses to parse Excel attachments. The library passes unvalidated text from the workbook (its number format strings) into a Perl string eval, so a specially crafted Microsoft Excel attachment sent by email is enough to run attacker-supplied Perl on the appliance as soon as the scanner processes it; the library bug itself is tracked as CVE-2023-7101. UNC4841 used the flaw to deploy new variants of the SEASPY and SALTWATER implants, giving it persistence and command execution on compromised devices.
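The bug class behind CVE-2023-7101, shown as an added illustration written for this page rather than Spreadsheet::ParseExcel’s own source: a number-format string read from the workbook is spliced into Perl source and compiled with a string eval, so whoever authored the attachment decides what runs. The tiny format subset, the render helper, both format strings and the $main::INJECTED flag are this example’s own constructs; a real payload would run a command or drop an implant instead of setting a flag.

```perl
#!/usr/bin/perl
# Added illustration for this page, not Spreadsheet::ParseExcel's own code:
# untrusted workbook text compiled with a string eval (the CVE-2023-7101
# pattern) next to a data-driven alternative that never compiles it.
use strict;
use warnings;

# A cell's number format is read straight out of the workbook, so it is
# attacker-controlled. Both strings below are constructed for this example.
my $benign_fmt  = '#,##0.00';
my $hostile_fmt = q{'; $main::INJECTED = 1; my $junk = '};  # hypothetical payload

# Stand-in formatter for the handful of Excel number-format features used
# here (decimal places, thousands grouping, percent). The format is DATA:
# it is matched with regexes, never compiled.
sub render {
    my ($fmt, $value) = @_;
    my $decimals = ($fmt =~ /\.(0+)/) ? length($1) : 0;
    my $is_pct   = $fmt =~ /%/;
    my $grouped  = $fmt =~ /#,##/;
    my $n = $is_pct ? $value * 100 : $value;
    my $s = sprintf("%.${decimals}f", $n);
    1 while $grouped && $s =~ s/^(-?\d+)(\d{3})/$1,$2/;
    $s .= '%' if $is_pct;
    return $s;
}

# VULNERABLE PATTERN: the format string is interpolated into Perl source and
# handed to string eval. The quotes are no boundary; whatever the workbook
# author put in the format runs as Perl with the scanner's privileges.
sub format_cell_vulnerable {
    my ($fmt, $value) = @_;
    my $code = "my \$f = '$fmt'; render(\$f, $value)";
    my $out  = eval $code;
    die "eval failed: $@" if $@;
    return $out;
}

# HARDENED: no eval at all; the format only ever reaches regex matching.
# The character check is defense in depth (it also stops this particular
# payload), not the fix; removing the string eval is the fix.
sub format_cell_hardened {
    my ($fmt, $value) = @_;
    die "rejected number format\n" if length($fmt) > 255 || $fmt =~ /['`\\]/;
    return render($fmt, $value);
}

$main::INJECTED = 0;
printf "vulnerable, benign format : %s\n", format_cell_vulnerable($benign_fmt, 1234.5);
printf "vulnerable, hostile format: %s\n", format_cell_vulnerable($hostile_fmt, 42);
printf "INJECTED after vulnerable path: %d\n", $main::INJECTED;   # attacker's Perl ran

$main::INJECTED = 0;
printf "hardened, benign format   : %s\n", format_cell_hardened($benign_fmt, 1234.5);
my $out = eval { format_cell_hardened($hostile_fmt, 42) };
my $why = $@;
chomp $why;
printf "hardened, hostile format  : %s\n", $why ? "rejected ($why)" : $out;
printf "INJECTED after hardened path  : %d\n", $main::INJECTED;
```

Run it with perl: on the vulnerable path the caller only asked to format a number, yet the flag flips because the hostile format closed the quote and added its own statements; on the hardened path the same input is rejected and, even if it were accepted, it could only influence regex matches. The same reasoning applies to any parser that builds code from file contents, not just this module.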
Does CVE-2023-7102 affect me?
Yes, if you operate a Barracuda ESG appliance: any appliance that scanned inbound mail could be reached with a crafted Excel attachment, because the vulnerable parsing happens automatically when the scanner processes the attachment, with no user interaction. Barracuda responded by automatically deploying a security update to all active ESG appliances on December 21, 2023, and on December 22 deployed a patch to remediate appliances that showed indicators of compromise linked to the newly identified malware variants.
Has CVE-2023-7102 been actively exploited in the wild?
Yes. UNC4841 began exploiting CVE-2023-7102 around November 30, 2023, targeting high-tech companies, information technology providers and government entities, predominantly in the U.S. and the Asia-Pacific region. Mandiant’s investigation shows the group’s persistence and adaptability in going after high-priority victims with new tooling, which argues for continuous monitoring of these appliances rather than treating the patch as the end of the incident.
How to fix CVE-2023-7102
Barracuda released an automatic security update for CVE-2023-7102 on December 21, 2023, so ESG appliances need no manual patching; still review them for indicators of compromise, because an appliance exploited before the update may already host implants, and Barracuda separately patched appliances that showed such indicators. Downstream users of the Spreadsheet::ParseExcel Perl module are not covered by Barracuda’s update: the library flaw, tracked as CVE-2023-7101, affects version 0.65 and earlier and is fixed in 0.66, so upgrade the module, and any software that bundles it, to 0.66 or later.
Next steps
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: