Chinese Hackers Exploited New Zero-Day in Barracuda's ESG Appliances
Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy backdoors on a "limited number" of devices.
Tracked as CVE-2023-7102, the issue is an arbitrary code execution flaw in Spreadsheet::ParseExcel, a third-party, open-source library used by the Amavis scanner within the gateway. The new flaw is exploited by means of a specially crafted Microsoft Excel email attachment.
Spreadsheet::ParseExcel is a Perl module used for parsing Excel files. It is vulnerable to arbitrary code execution (ACE) because it passes unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
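The bug class described above, shown as an added Perl example; it is not code from the Barracuda advisory or from Spreadsheet::ParseExcel. It assumes the file-controlled text is the bracketed condition of an Excel number format (for example `[>100]`), chosen here for illustration; the function names and sample conditions are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustration of the bug class only; hypothetical names, not the module's code.
# $condition stands for text read from the file, e.g. ">100" from "[>100]".

# UNSAFE pattern (shown for contrast, never called below): file-controlled
# text is spliced into Perl source and compiled by a string-type eval.
sub condition_matches_unsafe {
    my ($number, $condition) = @_;
    return eval("$number $condition") ? 1 : 0;
}

# Hardened pattern: accept only <operator><numeric literal>, then dispatch
# through a fixed table of comparisons. File text never becomes code.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

sub condition_matches_safe {
    my ($number, $condition) = @_;
    my ($op, $operand) =
        $condition =~ /\A\s*(<=|>=|<>|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*\z/
        or die "rejected number-format condition\n";
    return $COMPARE{$op}->($number, $operand) ? 1 : 0;
}

# Constructed sample conditions; the last one is not a plain comparison.
for my $cond ('>100', '<=7.5', '<>0', '>1 extra tokens') {
    # Block-form eval only traps the die; it does not compile any string.
    my $result = eval { condition_matches_safe(250, $cond) };
    printf "%-18s => %s\n", "[$cond]", defined $result ? $result : 'rejected';
}
```

The same review applies to any Perl code path that reaches `eval` with a string argument built from parsed file content; block-form `eval { ... }` is exception handling and does not carry this risk.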
Barracuda said it released a security update that was "automatically applied" on December 21, 2023, and that no further customer action is required.
Source: Barracuda Email Security Gateway Appliance (ESG) Advisory