Barracuda ESG Appliance Vulnerability - 20231228001¶
Overview¶
Barracuda has determined that a threat actor has utilized an Arbitrary Code Execution (ACE) vulnerability within a third party library Spreadsheet::ParseExcel to deploy a specially crafted Excel email attachment to target a limited number of Email Security Gateway (ESG) devices. Spreadsheet::ParseExcel is an open source library used by the Amavis virus scanner within the ESG appliance.
Barracuda, working in collaboration with Mandiant, assesses this activity is attributable to continued operations of the China nexus actor tracked as UNC4841.
What is the vulnerability?¶
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2023-7102 | TBA | Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic. |
Noted IOCs¶
To assist organizations with hunting activity related to this activity, Barracuda have released the following Indicators of Compromise (IOCs) at the time of writing:
IP(s)¶
| IP Address | ASN | Location |
|---|---|---|
| 23.224.99.242 | 40065 | US |
| 23.224.99.243 | 40065 | US |
| 23.224.99.244 | 40065 | US |
| 23.224.99.245 | 40065 | US |
| 23.224.99.246 | 40065 | US |
| 23.225.35.234 | 40065 | US |
| 23.225.35.235 | 40065 | US |
| 23.225.35.236 | 40065 | US |
| 23.225.35.237 | 40065 | US |
| 23.225.35.238 | 40065 | US |
| 107.148.41.146 | 398823 | US |
Host IOCs¶
| Malware | MD5 Hash | SHA256 | File Name(s) | File Type |
|---|---|---|---|---|
| CVE-2023-7102 XLS Document | 2b172fe3329260611a9022e71acdebca | 803cb5a7de1fe0067a9eeb220dfc24ca 56f3f571a986180e146b6cf387855bdd | ads2.xls | xls |
| CVE-2023-7102 XLS Document | e7842edc7868c8c5cf0480dd98bcfe76 | 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd | don.xls | xls |
| CVE-2023-7102 XLS Document | e7842edc7868c8c5cf0480dd98bcfe76 | 952c5f45d203d8f1a7532e5b59af8e330 6b5c1c53a30624b6733e0176d8d1acd | personalbudget.xls | xls |
| SEASPY | 7b83e4bd880bb9d7904e8f553c2736e3 | 118fad9e1f03b8b1abe00529c61dc3edf da043b787c9084180d83535b4d177b7 | wifi-service | x-executable |
| SALTWATER | d493aab1319f10c633f6d223da232a27 | 34494ecb02a1cccadda1c7693c45666e1 fe3928cc83576f8f07380801b07d8ba | mod_tll.so | x-sharedlib |
Recommendation¶
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 Hours... (refer Patch Management):