CVE-2023-7102
📋 TL;DR
This vulnerability in Barracuda ESG Appliances allows parameter injection through a third-party Perl library (Spreadsheet::ParseExcel). Attackers can exploit this to execute arbitrary code on affected appliances. Organizations using Barracuda ESG Appliances versions 5.1.3.001 through 9.2.1.001 are affected.
💻 Affected Systems
- Barracuda ESG Appliance
📦 What is this software?
Email Security Gateway 300 Firmware by Barracuda
Email Security Gateway 400 Firmware by Barracuda
Email Security Gateway 600 Firmware by Barracuda
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete appliance compromise, data exfiltration, lateral movement into internal networks, and persistent backdoor installation.
Likely Case
Unauthenticated attackers achieving remote code execution to deploy malware, steal credentials, or use the appliance as a foothold for further attacks.
If Mitigated
Limited impact if network segmentation isolates the appliance and strict access controls prevent exploitation attempts.
🎯 Exploit Status
Public proof-of-concept code exists and has been weaponized in real attacks. Exploitation requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 9.2.1.001 with vulnerable logic removed
Vendor Advisory: https://www.barracuda.com/company/legal/esg-vulnerability
Restart Required: Yes
Instructions:
1. Update Barracuda ESG Appliance to latest firmware version.
2. Reboot appliance after update.
3. Verify update completed successfully.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to ESG appliance management interfaces
Use firewall rules to limit access to trusted IPs only
🧯 If You Can't Patch
- Immediately isolate the appliance from internet access and restrict to internal management networks only
- Implement strict network monitoring and alerting for any unusual traffic to/from the appliance
🔍 How to Verify
Check if Vulnerable:
Check appliance firmware version via web interface or CLI. If version is between 5.1.3.001 and 9.2.1.001 inclusive, it is vulnerable.
Check Version:
ssh admin@esg-appliance 'show version' or check web admin interface
Verify Fix Applied:
Verify firmware version is above 9.2.1.001 and check vendor advisory for specific fixed versions.
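The range check above, applied to a list of appliances, as an added example (not vendor or project code). It assumes firmware versions are four dot-separated numeric fields, as in the versions quoted on this page, and compares them numerically because plain string comparison sorts `10.x` below `9.x`; the hostnames and inventory are constructed.

```python
import re

# Affected range as stated on this page (inclusive on both ends).
FIRST_AFFECTED = "5.1.3.001"
LAST_AFFECTED = "9.2.1.001"

# Assumption: versions always look like major.minor.patch.build, all numeric.
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Turn 'major.minor.patch.build' into a tuple of ints for numeric comparison."""
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True when version falls inside the inclusive affected range."""
    low, high = parse_version(FIRST_AFFECTED), parse_version(LAST_AFFECTED)
    return low <= parse_version(version) <= high


def triage(inventory):
    """Map each host to 'in range', 'outside range' or 'unknown' (unparseable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "in range" if is_affected(version) else "outside range"
        except ValueError:
            # Treat an uncollected or malformed version as needing manual follow-up.
            result[host] = "unknown"
    return result


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "esg-hq": "9.2.1.001",      # upper bound, inclusive
    "esg-branch": "5.1.3.001",  # lower bound, inclusive
    "esg-lab": "10.0.0.002",    # string comparison would wrongly place this below 9.x
    "esg-old": "5.1.2.009",
    "esg-dr": "9.2.1.002",
    "esg-new": "n/a",           # version could not be collected
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:12} {status}")
```

An "outside range" result only reflects the range stated here; the vendor advisory remains the reference for specific fixed versions.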
📡 Detection & Monitoring
Log Indicators:
- Unusual Perl process execution
- Unexpected file creation in system directories
- Suspicious network connections from appliance
Network Indicators:
- Unexpected outbound connections from ESG appliance
- Traffic to known malicious IPs from appliance
SIEM Query:
source="barracuda-esg" AND (process="perl" OR event="file_creation" OR dest_ip IN [threat_intel_feed])
🔗 References
- https://github.com/haile01/perl_spreadsheet_excel_rce_poc
- https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md
- https://metacpan.org/dist/Spreadsheet-ParseExcel
- https://www.barracuda.com/company/legal/esg-vulnerability
- https://www.cve.org/CVERecord?id=CVE-2023-7101