CVE-2023-7102: 
Barracuda Email Security Gateway vulnerability analysis and mitigation

CVE-2023-7102 is a vulnerability in Barracuda Networks Inc.'s Email Security Gateway (ESG) Appliance that allows Parameter Injection through a third-party library. The vulnerability affects ESG Appliance versions from 5.1.3.001 through 9.2.1.001. The issue was discovered in December 2023 and is related to the use of Spreadsheet::ParseExcel library within the Amavis virus scanner component (Barracuda ESG, Hacker News).

The vulnerability stems from an arbitrary code execution (ACE) flaw within the third-party open-source library Spreadsheet::ParseExcel used by the Amavis scanner to screen Microsoft Excel email attachments for malware. Successful exploitation can be achieved through specially crafted Excel email attachments, requiring no user interaction. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute arbitrary code on affected systems through specially crafted Excel attachments. The execution occurs during the email scanning process without requiring any user interaction, making it highly impactful. The attack can lead to the deployment of malware variants including SEASPY and SALTWATER, which provide persistence and command execution capabilities (Hacker News).

Barracuda deployed a security update on December 21, 2023, that has been automatically applied to all active ESGs to address the ACE vulnerability. An additional patch was released on December 22, 2023, to remediate compromised ESG appliances showing indicators of compromise related to the newly identified malware variants. No customer action is required for these updates (Barracuda ESG).