Barracuda’s Email Security Gateway (ESG) has had a vulnerability in it for years. Tracked as CVE-2023-2868, this one was introduced back in version 5.1.3.001, and only got patched during the 9.2 development cycle. Specific build information on patched firmware has not been made available, but a firmware build containing the patch was deployed on May 20.

The flaw was a command injection bug triggered by .tar files attached to incoming emails. The appliance scans attachments automatically, and the file names could trigger the qx operator in a Perl script. It’s a nasty one, ranking a 9.4 on the CVSS scale. But the really bad news is that Barracuda found the vulnerability in the wild, and they have found evidence of exploitation as far back as October 2022.

There have been three malware modules identified on the compromised appliances. SALTWATER is a backdoor trojan, with the ability to transfer files, execute commands, and host network tunnels. SEASPY is a stealthier module, that looks like a legitimate service, and uses PCAP to monitor traffic and receive commands. And SEASIDE is a Lua module for the Barracuda SMTP monitor, and it exists to host a reverse shell on command. Indicators of Compromise (IOCs) have been published, and Barracuda recommends the unplug-and-remove approach to cleaning up an infection. The saving grace is that this campaign seems to have been targeted, and wasn’t launched against every ESG on the Internet, so maybe you’re OK.

Moxa, Too

And speaking of security software that has problems, the Moxa MXsecurity appliance has a pair of problems that could be leveraged together to lead to a complete device takeover. The most serious problem is a hard coded credential, that allows authentication bypass for the web-API. Then the second issue is a command-line escape, where an attacker with access to the device’s Command Line Interface (CLI) can break out and run arbitrary commands.

And Zyxel

And while we’ve talked about this one before, if you have an unpatched Zyxel Firewall on the internet, you should just assume that it’s been compromised. It’s a command injection flaw that was patched in late April, and allowed a single malicious UDP packet to compromise the machine. In the month since then, this vulnerability has been added to the Mirai botnet, and it looks like quite a few have fallen. And if you patched the previous problems, don’t rest, as there have been another pair of CVSS 9.8 severity flaws.

Gigabyte’s Backdoor

But who needs malware when you have OEM’s like these? One of the scary scenarios is a machine’s firmware getting compromised, and that firmware dropping files into your system on boot. Far-fetched? Apparently that’s exactly what the official Gigabyte firmware does to launch the Gigabyte APP Center.

A multi-step process, starting in the board’s firmware, writes a Windows executable to disk and sets registries values to launch the executable as a service. That service downloads and executes an update from from Gigabyte, potentially loaded over an unencrypted HTTP connection. And the encrypted connection? Accepts a self-signed certificate. It looks like this functionality allows anyone that can pull off a Man-in-the-Middle (MitM) attack to run arbitrary code on the machine. Not to mention the possibility of compromising Gigabyte’s update server, and loading malware on a bunch of machines at once. The only saving grace is that this firmware function is disabled by default on most machines, but Eclypsium did discover the issue by finding it enabled in the wild, so some percentage of machines have it enabled.

This is obviously really bad. Gigabyte is working to get this updated, but a problem like this one will have quite the tail, given how rarely most of us install motherboard updates. The good news is that there haven’t been any attacks found in the wild. The bad news is that the details have all been released, so watch out for someone to try to take advantage of it.

Android App Gone Bad

The iRecorder app on Android was added to the Play Store mid 2021, and pretty much did exactly what it claimed — record the screen. Nearly a year later, the app was updated to 1.3.8, and added some less-wholesome capabilities. It suddenly could record audio, and upload it and other files to a Command and Control (C&C) server. The app was reported and yanked from the store, but it’s unclear who is responsible for the campaign. It’s surprising that a malicious app designer would wait that long to weaponize an app, which raises the suggestion that this could have been a supply chain attack. Someone could have hacked the developer, and pushed malicious code surreptitiously.

Bits and Bytes

Wireshark has a new release, and this one actually fixes some important security problems. We don’t think about it much since wireshark uses PCAP to capture packets, rather than receive them directly, but this software has a bunch of data parsers built in to it. And just like any other software, it only takes a simple mistake for something malicious to break the code behind a parser.

Nextcloud has a fun set of fresh vulnerabilities. A couple of them are relatively high severity, but the most amusing is a problem with logging out. Turns out that not all of the user’s local session data was neutralized when hitting the logout button, and so the next user to authenticate would be logged in as the previous account. Whoops.

And Libreoffice has had an update fixing two notable issues. The first is a floating frame feature, which displays content from a linked document. That frame was loading content without prompting the user, leading to some potential security mitigation bypasses. And the second, more serious problem, is an array index underflow when parsing a malformed spreadsheet formula. There isn’t a Proof of Concept released for this one, but the LibreOffice folks believe that arbitrary code execution is possible as a result. So go forth and update!