This Week In Security: Barracuda, Zyxel, And The Backdoor

Barracuda’s Email Security Gateway (ESG) appliance has had a vulnerability in it for years. Tracked as CVE-2023-2868, the bug was introduced back in version 5.1.3.001 and was only patched during the 9.2 development cycle. Barracuda has not published specific build information for the patched firmware, but a firmware build containing the fix was pushed to appliances on May 20.

The flaw was a command injection bug triggered by .tar files attached to incoming emails. The appliance scans attachments automatically, and because the names of the files inside the archive were handed to Perl’s qx operator without proper sanitization, shell metacharacters in a file name ended up being executed as commands. It’s a nasty one, rated 9.4 on the CVSS scale. But the really bad news is that Barracuda found the vulnerability in the wild, with evidence of exploitation going back as far as October 2022.
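To make the bug class concrete, here is an added example (written for this page, not Barracuda’s code, and in Python rather than the appliance’s Perl). Perl’s qx{...} and backticks hand their string to /bin/sh, so a file name that contains `;` or `$(...)` becomes shell syntax; `subprocess.run(..., shell=True)` reproduces exactly that behaviour. The archive, the member names, and the `echo` stand-in for the real scanner are all constructed here for illustration. The hardened version shows the two fixes that matter: reject names outside an allowlist, and pass the name as its own argv element so no shell ever parses it.

```python
import io
import re
import subprocess
import tarfile

# Allowlist for archive member names: no shell metacharacters, no path separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def build_tar(member_names):
    """Build an in-memory .tar with the given member names (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in member_names:
            payload = b"not really a document"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(tar_bytes):
    """Return the member names stored in the archive, exactly as the sender wrote them."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        return [m.name for m in tf.getmembers()]


def scan_vulnerable(tar_bytes):
    """The bug class: each attacker-controlled name is interpolated into a shell
    command string (the equivalent of Perl's qx{...} or backticks), so metacharacters
    such as ';' or '$(...)' in the name are parsed and executed by /bin/sh."""
    output = []
    for name in member_names(tar_bytes):
        cmd = f"echo scanning {name}"  # hypothetical scanner invocation, name unescaped
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        output.append(result.stdout)
    return "".join(output)


def scan_hardened(tar_bytes):
    """Fix: validate every name against the allowlist before use, and pass it to the
    scanner as a separate argv element so no shell ever parses it."""
    output = []
    for name in member_names(tar_bytes):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"rejected unsafe archive member name: {name!r}")
        result = subprocess.run(["echo", "scanning", name], capture_output=True, text=True)
        output.append(result.stdout)
    return "".join(output)


if __name__ == "__main__":
    benign = build_tar(["report.pdf"])
    hostile = build_tar(["report.pdf; echo INJECTED"])
    print(scan_vulnerable(hostile), end="")  # second output line proves the injected command ran
    print(scan_hardened(benign), end="")
    try:
        scan_hardened(hostile)
    except ValueError as exc:
        print("hardened scanner:", exc)
```

The allowlist is deliberately strict: an attachment scanner has no business accepting a member name it cannot spell with letters, digits, dots, dashes and underscores, and rejecting early is cheaper than reasoning about every quoting rule of the shell. Note that the argv fix alone would be enough to stop the injection; the allowlist is defence in depth against the next place the name ends up.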

Three malware modules have been identified on the compromised appliances. SALTWATER is a backdoor trojan with the ability to transfer files, execute commands, and host network tunnels. SEASPY is a stealthier module that masquerades as a legitimate service and uses PCAP to monitor traffic and receive commands. And SEASIDE is a Lua module for the Barracuda SMTP daemon that exists to spawn a reverse shell on command. Indicators of Compromise (IOCs) have been published, and Barracuda recommends the unplug-and-remove approach to cleaning up an infection. The saving grace is that this campaign seems to have been targeted, and wasn’t launched against every ESG on the Internet, so maybe you’re OK.

Moxa, Too

And speaking of security software that has problems, the Moxa MXsecurity appliance has a pair of problems that could be leveraged together for a complete device takeover. The more serious one is a hard-coded credential that allows authentication bypass for the web API. The second is a command-line escape, where an attacker with access to the device’s Command Line Interface (CLI) can break out of the restricted shell and run arbitrary commands. Chain the two, and an unauthenticated attacker on the network gets full control of the device.

OpenOffice Or LibreOffice? A Star Is Torn

When it comes to open source office suites, most people choose OpenOffice or LibreOffice, and the two look suspiciously similar. That isn’t surprising, since they both started from exactly the same code base. However, the LibreOffice team recently penned an open letter to the Apache project — the current keepers of OpenOffice — asking them to redirect new users to the LibreOffice project. Their logic is that OpenOffice has huge name recognition but hasn’t had a new major release in several years, while LibreOffice is a very active project. We could argue that case either way, but we won’t. It did get us thinking about how things got here, though.

It all started when German developer Marco Börries wrote StarWriter in 1985 for the Zilog Z80. By 1986 he had created a company, Star Division, and ported the word processor to platforms like CP/M and MS-DOS. Eventually the company added other office programs, and with support for DOS, OS/2, and Windows, the suite became known as StarOffice.

The program was far less expensive than most competitors, costing about $70, and in 1999 that low price helped prompt Sun Microsystems to buy StarOffice. We don’t mean they bought a copy or a license; they bought the entire thing for just under $74 million. The story was that this was still cheaper than buying an office suite license for each Sun employee, particularly since most had both a Windows machine and a Unix machine, and the Unix side still needed some office capability.

Sun in Charge

Sun released StarOffice 5.2 in 2000 as a free download for personal use, which got the software a lot of attention. It eventually released much of the code under an open source license, producing OpenOffice. Sun continued to contribute to the project and would periodically snapshot the code to market future versions of StarOffice.

This was the state of affairs for a while. StarOffice 6.0 corresponded to OpenOffice 1.0. In 2003, OpenOffice 1.1 became StarOffice 7. A couple of years later StarOffice 8/OpenOffice 2.0 appeared, and by 2008 we had StarOffice 9 with OpenOffice 3.0, just before Oracle entered the picture.


C.H.I.P. Is A Linux Trojan Horse For Nine Bucks

I’m sure you’ve already heard about C.H.I.P., the $9 Linux computer. It is certainly sexy to say nine bucks, but there should really be an asterisk next to that number. If you want things like VGA or HDMI you need an adapter board, which adds cost (natively the board only supports composite video output). I also have questions about the MSRP once the Kickstarter is fulfilled. But what’s on my mind isn’t cost; this is still going to be in the realm of extremely inexpensive no matter what shakes out. Instead, I’d like to look at this board as the delivery device for wider Linux acceptance.


The gist of the hardware is a small board with a SoC boasting a 1 GHz clock, half a gig of RAM, four gigs of flash, one USB port, WiFi, and Bluetooth. It also has add-ons that turn it into a handheld, and it is being promoted as a gaming console. It’s amazing what you get out of these SoCs for the cost these days, isn’t it?

For at least a decade people have claimed that this is the year of the Linux desktop. That’s not the right way to think about it. Adults are brand-loyal, and businesses stick to things that just work. Trying to convert those two groups is a Sisyphean effort. But C.H.I.P. is picking up on a movement that started with the Raspberry Pi.

These are entry-level computers, and a large portion of the user base will be kids. I haven’t had hands-on time with this new board, but the marketing certainly makes an effort to show how familiar the GUI will be. This is selling Linux and popular packages like LibreOffice without even telling people they’ll be adopting Linux. If the youngest Raspberry Pi users are maturing into their adolescence with C.H.I.P., what will their early adult years look like? At the least, they will not have an ingrained disposition against Open Source Software (unless their experiences with Raspberry Pi, C.H.I.P., and others are negative). At best they’ll fully embrace FOSS, becoming the next generation of code contributors and concept evangelists. Then every year will be the year of the Linux desktop.