Forum Discussion
CVE-2023-7102: Barracuda Email Security Gateway (ESG) exploited, patches automatically applied by Barracuda
On December 24, Barracuda released a statement that a threat actor has been observed exploiting a zero-day arbitrary code execution (ACE) vulnerability to target Barracuda Email Security Gateway (ESG) appliances. According to the statement, Barracuda worked with Mandiant on the investigation and assesses that the vulnerability was being exploited by UNC4841, a People’s Republic of China (PRC) aligned threat actor previously observed exploiting CVE-2023-2868, a command injection vulnerability in ESG appliances patched in May.
The new vulnerability, CVE-2023-7102, is an ACE vulnerability in a third-party library, Spreadsheet::ParseExcel, which Barracuda states is used by the “Amavis virus scanner within the ESG appliance.” According to Barracuda, a fix for this vulnerability was pushed to appliances automatically on December 21 and no action is required by ESG users.
Barracuda also notes that its investigation found the SEASPY and SALTWATER malware variants on “a limited number of ESG devices.” Barracuda deployed a patch to remediate the impacted ESG appliances on December 22, 2023 and has provided indicators of compromise (IoCs) for customers who wish to evaluate their devices for signs of compromise or for the malware variants.
At this time, it's unclear what version of ESG contains the patched update, as Barracuda simply states that these updates were pushed out automatically and no customer action is required. We would recommend clarifying with Barracuda support if you have an ESG device within your network, to ensure that you have the latest available patches.
It’s also worth noting that a second CVE, CVE-2023-7101, was issued for the Spreadsheet::ParseExcel Perl module itself, which is used for parsing Excel files. While we have not observed any updates to address the Perl module as of December 26, we anticipate patches for the library will be released in the coming days.
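The public description of CVE-2023-7101 attributes the flaw to passing unvalidated text from the spreadsheet into a string-type Perl eval while handling number format strings. The following is an added illustration of that bug class and of a hardened alternative, written for this post; it is not code from Spreadsheet::ParseExcel, Amavis or Barracuda, and the function names, the simplified condition grammar and the sample malicious condition are assumptions for the example.

```perl
#!/usr/bin/perl
# Added illustration (not the library's code): why a string eval over a
# number-format condition read from a spreadsheet is an ACE sink, and one
# way to evaluate the same condition without turning file bytes into code.
use strict;
use warnings;

# A conditional number format such as "[>=100]0.00;[<0](0.00);0.00" picks
# a section based on the cell value. A parser that splices the bracketed
# condition into Perl source and hands it to eval is trusting the file.

# UNSAFE: the condition text is interpolated into Perl code and executed.
sub section_matches_unsafe {
    my ( $cond, $value ) = @_;   # $cond like ">=100", taken from the file
    my $code   = "$value $cond"; # e.g. "42 >=100"
    my $result = eval $code;     # string eval: the file controls $code
    return $result ? 1 : 0;
}

# Constructed attacker-controlled condition. It is valid Perl, so the
# string eval above runs system("id") while deciding which section applies
# (call is commented out so the script is safe to run as is).
my $malicious_cond = '>= 0 && system("id")';
# section_matches_unsafe($malicious_cond, 42);  # executes `id` as the parsing user

# HARDENED: accept only the grammar the format needs and dispatch on the
# operator through a fixed table; nothing from the file ever becomes code.
my %OPS = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

sub section_matches_safe {
    my ( $cond, $value ) = @_;
    # Operator followed by a plain decimal number; anything else is rejected.
    # Two-character operators are listed first so "<=" is not read as "<".
    return 0 unless $cond =~ /^\s*(<=|>=|<>|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*$/;
    my ( $op, $threshold ) = ( $1, $2 );
    return $OPS{$op}->( $value, $threshold ) ? 1 : 0;
}

# Constructed sample conditions and cell values.
for my $case ( [ '>=100', 150 ], [ '>=100', 42 ], [ '<0', -3 ],
               [ $malicious_cond, 42 ] ) {
    my ( $cond, $value ) = @$case;
    printf "%-26s value=%-4s -> %s\n", "[$cond]", $value,
        section_matches_safe( $cond, $value ) ? 'match' : 'no match / rejected';
}
```

Run it with `perl` to see the first and third cases match and the malicious condition rejected by the grammar check; uncommenting the `section_matches_unsafe` call shows `id` executing under the unsafe path. The point for ESG operators is that the sink sits in a parser Amavis invokes on inbound attachments, so the eval runs on any spreadsheet a sender chooses to mail in.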
Tenable Research continues to monitor this situation for any additional updates. We also recommend reviewing our past blog on CVE-2023-2868, for information on plugin coverage for asset detection of ESG devices.