CVE-2023-7102 Zero-Day: Barracuda ESG Struck Again, Update Urgently

A new zero-day vulnerability in Barracuda Networks’ Email Security Gateway (ESG) has been disclosed. The vulnerability, identified as CVE-2023-7102, stems from the open-source third-party library, Spreadsheet::ParseExcel, used in ESG’s malware protection features. This issue affects versions up to Barracuda ESG 9.2.1.001.

The vulnerability allows unauthenticated remote execution of arbitrary code through specially crafted files attached to emails. It should not be confused with CVE-2023-2868, a separate Barracuda ESG vulnerability identified in May. Barracuda has reported active attacks targeting CVE-2023-7102, linked to the China-associated group UNC4841, which was also involved in attacks exploiting CVE-2023-2868.


In response, Barracuda rolled out a security update to all active ESGs on December 21 to address CVE-2023-7102. The update was applied automatically, with no user intervention required. However, the threat grew with the discovery of new malware variants, SEASPY and SALTWATER, targeting the same ESG devices through this vulnerability.

Another significant vulnerability, CVE-2023-7101, affects the same Spreadsheet::ParseExcel library, a widely used Perl module for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to arbitrary code execution (ACE) because it passes unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
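The class of bug described above can be avoided by parsing the file-supplied text with a strict grammar and dispatching to fixed code, so that nothing from the file is ever compiled. The following Perl sketch is an added example, not code from Spreadsheet::ParseExcel or Barracuda; the function names and the `[<op><number>]` conditional-section syntax it handles are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowed comparison operators mapped to fixed code refs (hypothetical names).
# Nothing read from the file is ever compiled as Perl.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# Unsafe pattern this replaces: interpolating the file-supplied condition
# into a string and handing that string to eval, which runs it as code.

# Parse "[<op><number>]" strictly; return nothing if the text does not match.
sub parse_condition {
    my ($section) = @_;
    return unless defined $section;
    my ($op, $limit) = $section =~ /\A\[(<=|>=|<>|<|>|=)(-?\d+(?:\.\d+)?)\]\z/
        or return;
    return { op => $op, limit => $limit + 0 };
}

# Apply a condition to a cell value; dies if the condition fails validation.
sub condition_holds {
    my ($number, $section) = @_;
    my $cond = parse_condition($section)
        or die "rejected number-format condition\n";
    return $COMPARE{ $cond->{op} }->($number, $cond->{limit}) ? 1 : 0;
}

# Constructed sample inputs: two well-formed conditions, two malformed ones.
for my $case ([150, '[>100]'], [5, '[<=5]'], [1, '[>abc]'], [1, '[>1+1]']) {
    my ($n, $fmt) = @$case;
    # Block eval is exception handling only; it does not compile strings.
    my $result = eval { condition_holds($n, $fmt) };
    printf "%-8s value=%-4s -> %s\n", $fmt, $n,
        defined $result ? ($result ? 'true' : 'false') : 'rejected';
}
```

When auditing Perl code that handles untrusted files, string-form `eval` with interpolated variables is the construct to search for; block-form `eval { ... }` only traps exceptions.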

While Barracuda has patched its systems against CVE-2023-7102, CVE-2023-7101 remains a concern in the broader digital ecosystem, with no known remediation available for the open-source library as of the update.