TheCyberThrone

Barracuda fixes Zero-day Vulnerabilities – CVE-2023-7101 & CVE-2023-7102


Barracuda Networks has faced a formidable challenge with the discovery of two zero-day vulnerabilities, CVE-2023-7102 and CVE-2023-7101, both tied to an Arbitrary Code Execution (ACE) flaw in the third-party library Spreadsheet::ParseExcel.

The vulnerability was exploited by the China-nexus actor UNC4841. Barracuda, in collaboration with Mandiant, discovered that this vulnerability was used to target a limited number of their Email Security Gateway (ESG) devices with a malicious Excel email attachment.


The vulnerability, identified as CVE-2023-7102, stems from the open-source third-party library Spreadsheet::ParseExcel, which is used in ESG’s malware protection features. This issue affects versions up to Barracuda ESG 9.2.1.001. The vulnerability allows remote execution of arbitrary code without authentication through specially crafted files attached to emails. A separate vulnerability, CVE-2023-2868, was identified in Barracuda ESG in May; the two are different flaws and should not be confused.

Barracuda has reported active attacks targeting CVE-2023-7102, linked to the China-associated group UNC4841, which was also involved in attacks exploiting CVE-2023-2868. In response, Barracuda swiftly deployed a security update on December 21, 2023, to all active ESGs, fortifying them against this ACE vulnerability. This proactive measure required no customer action and exemplified Barracuda’s commitment to safeguarding its technology.


Following the exploitation of CVE-2023-7102, Barracuda observed the deployment of new variants of SEASPY and SALTWATER malware on a few compromised ESG devices. To counter this, another patch was released on December 22, 2023, aimed specifically at remedying devices showing signs of these malware infections.

Barracuda also filed CVE-2023-7101, highlighting the ACE vulnerability in Spreadsheet::ParseExcel, which remains unpatched in the open-source library. This vulnerability poses a significant risk as it allows attackers to execute arbitrary code by manipulating number format strings in Excel files.
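Because CVE-2023-7101 sits in the library rather than in one product, the first step of any review is finding every copy of Spreadsheet::ParseExcel on a host, including copies bundled inside other software. The inventory script below is an added example, not code from Barracuda or the library's maintainers; the function names and the default search root are assumptions, and it only reports the version each copy declares so it can be compared against the CVE-2023-7101 advisory.

```python
import os
import re
import sys

# Perl version declaration, e.g.:  our $VERSION = '1.23';
VERSION_RE = re.compile(r"""\$VERSION\s*=\s*['"]?(v?\d[\d._]*)['"]?\s*;""")


def module_version(path):
    """Return the $VERSION declared in a Perl module file, or None."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.lstrip().startswith("#"):  # ignore commented-out code
                    continue
                match = VERSION_RE.search(line)
                if match:
                    return match.group(1)
    except OSError:
        pass  # unreadable copy: still report it, version unknown
    return None


def find_parseexcel(roots):
    """Return sorted (path, version) pairs for every Spreadsheet/ParseExcel.pm."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            # Spreadsheet::ParseExcel is installed as Spreadsheet/ParseExcel.pm
            if "ParseExcel.pm" in files and os.path.basename(dirpath) == "Spreadsheet":
                full = os.path.join(dirpath, "ParseExcel.pm")
                hits.append((full, module_version(full)))
    return sorted(hits)


if __name__ == "__main__":
    # Search roots come from the command line; the default (an assumption)
    # is the current directory.
    for path, version in find_parseexcel(sys.argv[1:] or ["."]):
        print(f"{version or 'unknown':<10}{path}")
```

A copy reported as `unknown` has no readable version declaration and needs manual inspection, which is common for vendored modules.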

This case underscores the importance of continuous vigilance and rapid response in the cybersecurity realm. For organizations using Spreadsheet::ParseExcel, Barracuda’s findings serve as a crucial alert to review CVE-2023-7101 and implement necessary safeguards. Moreover, to assist in hunting for related UNC4841 activities.


Indicators of Compromise
