Cybersecurity experts at Barracuda recently discovered and patched a high-severity vulnerability in several of its email security gateway (ESG) devices.
The flaw, tracked as CVE-2023-7102, is an Arbitrary Code Execution (ACE) vulnerability found in a third-party library called Spreadsheet::ParseExcel. This library is used by the Amavis virus scanner within the ESG device, the experts said. By crafting a custom Excel attachment, attackers could exploit the flaw and run virtually any code on the vulnerable device.
Together with Mandiant, Barracuda researchers concluded that the flaw was being exploited by a Chinese threat actor, tracked as UNC4841. This group has used the ACE flaw to drop new variants of SEASPY and SALTWATER malware.
Open source in danger
“On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG devices that showed indicators of compromise related to the newly identified malware variants,” the company said in an announcement. No action is required on the part of the user, Barracuda concluded, adding that investigation into the matter is still ongoing.
Although Barracuda has addressed the problem within its own ecosystem, the open source library remains vulnerable, the company points out. “For organizations using Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and taking appropriate remedial action immediately,” the report concluded.
This isn't the first time Barracuda's ESG devices have been targeted by UNC4841, BleepingComputer notes. In May, the group exploited another zero-day vulnerability, CVE-2023-2868, as part of its cyber espionage campaign. At the time, the company said the hackers had been exploiting the flaw for more than six months, using previously unknown malware. About a third of all targeted endpoints were owned by government agencies, Mandiant confirmed.
Barracuda claims to serve more than 200,000 organizations worldwide, including major brands such as Samsung, Mitsubishi and Delta Airlines.