This Week In Security: Barracuda, Zyxel, And The Backdoor

Barracuda’s Email Security Gateway (ESG) has had a vulnerability in it for years. Tracked as CVE-2023-2868, this one was introduced back in version 5.1.3.001, and only got patched during the 9.2 development cycle. Specific build information on patched firmware has not been made available, but a firmware build containing the patch was deployed on May 20.

The flaw was a command injection bug triggered by .tar files attached to incoming emails. The appliance scans attachments automatically, and the file names inside the archive could reach the qx operator in a Perl script, which hands its argument to a shell. It’s a nasty one, ranking a 9.4 on the CVSS scale. But the really bad news is that Barracuda found the vulnerability in the wild, and they have found evidence of exploitation as far back as October 2022.
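The pattern behind this bug is an attacker-controlled file name ending up inside a shell command string. The following is an added example (not Barracuda’s code) that builds a small in-memory tar archive with a constructed member name, shows the unsafe string-building anti-pattern beside two hardened forms (quoting, and an argv list that never touches a shell), and includes a pre-check a scanner could run to flag member names carrying shell metacharacters. Function names and the `scanner --file` command are assumptions for illustration.

```python
import io
import re
import shlex
import tarfile

# Characters a shell (or Perl's qx// operator, which hands its argument to a
# shell) would interpret instead of treating as part of a file name.
SHELL_META = re.compile(r"[;|&`$<>(){}\[\]*?!\\\"'\n\r ]")


def build_tar(members):
    """Build an in-memory tar archive from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: one ordinary member and one whose name carries a
# command substitution. The name is data; it must never reach a shell unquoted.
SAMPLE_TAR = build_tar({
    "report.txt": b"quarterly numbers",
    "invoice$(echo injected).pdf": b"not really a pdf",
})


def member_names(tar_bytes):
    """Read member names with the tarfile module; no shell is involved."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers()]


def unsafe_scan_command(name):
    """The anti-pattern: file name interpolated into one shell command string."""
    return f"scanner --file {name}"


def quoted_scan_command(name):
    """If a shell string is unavoidable, quote the untrusted part."""
    return f"scanner --file {shlex.quote(name)}"


def safe_scan_command(name):
    """Preferred: argv list executed without a shell, so metacharacters are literal."""
    return ["scanner", "--file", name]


def suspicious_members(tar_bytes):
    """Defensive pre-check: flag member names containing shell metacharacters."""
    return [n for n in member_names(tar_bytes) if SHELL_META.search(n)]


if __name__ == "__main__":
    for name in member_names(SAMPLE_TAR):
        print(repr(name), "->", unsafe_scan_command(name), "|", safe_scan_command(name))
    print("flagged:", suspicious_members(SAMPLE_TAR))
```

The argv-list form is the real fix; the metacharacter pre-check is a belt-and-braces detection that also makes a good log line, since a legitimate attachment rarely needs a `$(` in its name.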

There have been three malware modules identified on the compromised appliances. SALTWATER is a backdoor trojan, with the ability to transfer files, execute commands, and host network tunnels. SEASPY is a stealthier module that looks like a legitimate service, and uses PCAP to monitor traffic and receive commands. And SEASIDE is a Lua module for the Barracuda SMTP monitor, and it exists to host a reverse shell on command. Indicators of Compromise (IOCs) have been published, and Barracuda recommends the unplug-and-replace approach to cleaning up an infection. The saving grace is that this campaign seems to have been targeted, and wasn’t launched against every ESG on the Internet, so maybe you’re OK.

Moxa, Too

And speaking of security software that has problems, the Moxa MXsecurity appliance has a pair of problems that could be leveraged together to lead to a complete device takeover. The most serious problem is a hard-coded credential that allows authentication bypass for the web API. The second issue is a command-line escape, where an attacker with access to the device’s Command Line Interface (CLI) can break out and run arbitrary commands.

And Zyxel

And while we’ve talked about this one before, if you have an unpatched Zyxel Firewall on the internet, you should just assume that it’s been compromised. It’s a command injection flaw that was patched in late April, and allowed a single malicious UDP packet to compromise the machine. In the month since then, this vulnerability has been added to the Mirai botnet, and it looks like quite a few have fallen. And if you patched the previous problems, don’t rest, as there have been another pair of CVSS 9.8 severity flaws.

Gigabyte’s Backdoor

But who needs malware when you have OEMs like these? One of the scary scenarios is a machine’s firmware getting compromised, and that firmware dropping files into your system on boot. Far-fetched? Apparently that’s exactly what the official Gigabyte firmware does to launch the Gigabyte APP Center.

A multi-step process, starting in the board’s firmware, writes a Windows executable to disk and sets registry values to launch the executable as a service. That service downloads and executes an update from Gigabyte, potentially loaded over an unencrypted HTTP connection. And the encrypted connection? It accepts a self-signed certificate. It looks like this functionality allows anyone that can pull off a Man-in-the-Middle (MitM) attack to run arbitrary code on the machine. Not to mention the possibility of compromising Gigabyte’s update server, and loading malware on a bunch of machines at once. The only saving grace is that this firmware function is disabled by default on most machines, but Eclypsium did discover the issue by finding it enabled in the wild, so some percentage of machines have it enabled.
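The two weaknesses described here (plain HTTP, and TLS that accepts a self-signed certificate) are exactly the checks an updater should refuse to skip. As an added example, not Gigabyte’s or Eclypsium’s code, the Python below builds the properly verifying TLS context beside the weak one, audits a context for those two findings, refuses any update URL that is not HTTPS to the expected host, and checks the downloaded bytes against a digest obtained out of band. The host name `updates.vendor.example`, the sample payload and its digest are constructed placeholders.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlparse

# Placeholder for the vendor's update host; the real host name is not on the page.
EXPECTED_HOST = "updates.vendor.example"

# Constructed stand-in for a downloaded update and its published digest.
SAMPLE_UPDATE = b"constructed update payload"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_UPDATE).hexdigest()


def make_update_context(accept_self_signed=False):
    """TLS context for the updater.

    The default verifies the chain and host name. accept_self_signed=True
    reproduces the weak configuration described above, for comparison only.
    """
    ctx = ssl.create_default_context()
    if accept_self_signed:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the findings a reviewer would raise against a TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("host name not checked against certificate")
    return findings


def url_allowed(url):
    """Refuse plain HTTP and any host other than the expected update server."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname == EXPECTED_HOST


def verify_payload(data, expected_sha256_hex):
    """Check the download against a digest obtained out of band."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex)


def update_acceptable(url, ctx, data, expected_sha256_hex):
    """Combined gate: transport, certificate policy and payload integrity.

    Returns the list of problems; an empty list means the update may be run.
    """
    problems = []
    if not url_allowed(url):
        problems.append("update URL not https to expected host")
    problems.extend(audit_context(ctx))
    if not verify_payload(data, expected_sha256_hex):
        problems.append("payload digest mismatch")
    return problems


if __name__ == "__main__":
    weak = make_update_context(accept_self_signed=True)
    print(update_acceptable("http://updates.vendor.example/app.exe", weak,
                            b"tampered", SAMPLE_SHA256))
    print(update_acceptable("https://updates.vendor.example/app.exe",
                            make_update_context(), SAMPLE_UPDATE, SAMPLE_SHA256))
```

The digest only helps if it does not travel over the same channel as the payload; a signature with a key baked into the firmware image is the stronger design, and it is also what protects against the compromised-update-server scenario, which TLS alone does not.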

This is obviously really bad. Gigabyte is working to get this updated, but a problem like this one will have quite the tail, given how rarely most of us install motherboard updates. The good news is that there haven’t been any attacks found in the wild. The bad news is that the details have all been released, so watch out for someone to try to take advantage of it.

Android App Gone Bad

The iRecorder app on Android was added to the Play Store in mid-2021, and pretty much did exactly what it claimed — record the screen. Nearly a year later, the app was updated to 1.3.8, and added some less-wholesome capabilities. It suddenly could record audio, and upload it and other files to a Command and Control (C&C) server. The app was reported and yanked from the store, but it’s unclear who is responsible for the campaign. It’s surprising that a malicious app designer would wait that long to weaponize an app, which raises the suggestion that this could have been a supply chain attack. Someone could have hacked the developer, and pushed malicious code surreptitiously.

Bits and Bytes

Wireshark has a new release, and this one actually fixes some important security problems. We don’t think about it much since Wireshark uses PCAP to capture packets, rather than receiving them directly, but this software has a bunch of data parsers built into it. And just like any other software, it only takes a simple mistake for something malicious to break the code behind a parser.

Nextcloud has a fun set of fresh vulnerabilities. A couple of them are relatively high severity, but the most amusing is a problem with logging out. Turns out that not all of the user’s local session data was neutralized when hitting the logout button, and so the next user to authenticate would be logged in as the previous account. Whoops.
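The logout bug is a good reminder that logging out has two halves: invalidating the session on the server, and clearing every piece of client-side state that identifies the user. The following is an added, deliberately simplified model (not Nextcloud’s code) in which the client keeps a local cache of the current user alongside the session cookie. An incomplete logout that clears only the cookie lets that cache outlive the session, so the next person to log in is shown as the previous account; the complete logout wipes both. All names, credentials and the cache layout are constructed for the illustration.

```python
import secrets


class Server:
    """Constructed server side: session id -> user."""

    def __init__(self, credentials):
        self.credentials = credentials          # user -> password (constructed)
        self.sessions = {}                      # session id -> user

    def authenticate(self, user, password):
        if self.credentials.get(user) != password:
            return None
        return self.create_session(user)

    def create_session(self, user):
        sid = secrets.token_urlsafe(32)         # fresh, unguessable id per login
        self.sessions[sid] = user
        return sid

    def destroy_session(self, sid):
        self.sessions.pop(sid, None)

    def user_for(self, sid):
        return self.sessions.get(sid)


class Client:
    """Constructed client side: the cookie plus a local cache of profile data."""

    def __init__(self):
        self.cookie = None
        self.local = {}                          # e.g. cached display name


def login(server, client, user, password):
    sid = server.authenticate(user, password)
    if sid is None:
        return False
    client.cookie = sid
    # Lazy cache fill: only populate when empty. Harmless when logout clears
    # the cache, dangerous when it does not.
    client.local.setdefault("current_user", server.user_for(sid))
    return True


def whoami(server, client):
    """What the UI shows: the cached identity wins, server consulted otherwise."""
    return client.local.get("current_user") or server.user_for(client.cookie)


def logout_incomplete(server, client):
    """Clears the cookie but leaves local session data behind."""
    server.destroy_session(client.cookie)
    client.cookie = None


def logout_complete(server, client):
    """Invalidates the server session and wipes every piece of local state."""
    server.destroy_session(client.cookie)
    client.cookie = None
    client.local.clear()


def scenario(logout):
    """Alice logs in and out, then Bob logs in; return who the UI believes Bob is."""
    server = Server({"alice": "pw-a", "bob": "pw-b"})   # constructed credentials
    client = Client()
    assert login(server, client, "alice", "pw-a")
    logout(server, client)
    assert login(server, client, "bob", "pw-b")
    return whoami(server, client)


if __name__ == "__main__":
    print("incomplete logout, Bob is shown as:", scenario(logout_incomplete))
    print("complete logout, Bob is shown as:", scenario(logout_complete))
```

The defensive habit this models is treating logout as a full reset of client state, and, on the login side, never trusting anything cached from before authentication; a fresh login should overwrite identity data, not merely fill it in when missing.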

And LibreOffice has had an update fixing two notable issues. The first is a floating frame feature, which displays content from a linked document. That frame was loading content without prompting the user, leading to some potential security mitigation bypasses. And the second, more serious problem, is an array index underflow when parsing a malformed spreadsheet formula. There isn’t a Proof of Concept released for this one, but the LibreOffice folks believe that arbitrary code execution is possible as a result. So go forth and update!

12 thoughts on “This Week In Security: Barracuda, Zyxel, And The Backdoor”

    1. I have a Zyxel modem from my ISP. I tried a firmware update direct from Zyxel but it was rejected, probably because of custom firmware from my ISP. My ISP doesn’t have a newer version.

    1. Don’t rush to attribute to malice what can be easily attributed to incompetence. They probably had some intern write it, and the intern hadn’t learned about SSL yet in their Intro to Computer Science class. They aren’t the only ones to do the stupid drop an exe and force windows to run it trick. ASUS does it too with their “ArmoryCrate” that does much the same sort of thing (and installs drivers too)

    2. “Absolute Home & Office” (previously known as “CompuTrace” and “LoJack for Laptops”) does the same. The idea is that, if your laptop gets stolen and the thief/new owner installs a fresh Windows OS, the agent will get re-installed during boot time. So the laptop can be traced and possibly recovered even if the agent got deleted by the new owner. Naturally, the buyer of the machine knows about that feature (it’s very clearly advertised), as the agent needs to be activated by a (paid) subscription.

  1. LibreOffice crashes so often, often in reproducible ways (on my machine only of course), that I wonder what a security analyst could unearth. For example, changing the min and max of a chart axis by entering numbers and pressing tab to go to the next field, rather than using the mouse.
