🔥 PoC https://github.com/sinsinology/CVE-2023-20887 for CVE-2023-20887 VMWare Aria Operations for Networks (vRealize Network Insight) unauthenticated RCE This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed.
ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).
Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.
JUNE 1st, 2023:
Preliminary Summary of Key Findings
Document History
Version/Date
Notes
1.0: May 30, 2023
Initial Document
1.1 : June 1, 2023
Additional IOCs and rules included
Barracuda Networks’ priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks. Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.
Timeline
On May 18, 2023, Barracuda was alerted to anomalous traffic originating from Barracuda Email Security Gateway (ESG) appliances.
On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security experts, to assist in the investigation.
On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-28681) in our Email Security Gateway appliance (ESG).
On May 20, 2023, a security patch to remediate the vulnerability was applied to all ESG appliances worldwide.
On May 21, 2023, a script was deployed to all impacted appliances to contain the incident and counter unauthorized access methods.
A series of security patches are being deployed to all appliances in furtherance of our containment strategy.
Key Findings
While the investigation is still on-going, Barracuda has concluded the following:
The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.
Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.
Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances.
Malware was identified on a subset of appliances allowing for persistent backdoor access.
Evidence of data exfiltration was identified on a subset of impacted appliances..
Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.
CVE-2023-2868
On May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.
Barracuda’s investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances.
Malware
This section details the malware that has been identified to date, and to assist in tracking, codenames for the malware have been assigned.
SALTWATER
SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. The capabilities of SALTWATER include the ability to upload or download arbitrary files, execute commands, as well as proxy and tunneling capabilities.
Identified at path: /home/product/code/firmware/current/lib/smtp/modules on a subset of ESG appliances.
The backdoor is implemented using hooks on the send, recv, close syscalls and amounts to five components, most of which are referred to as “Channels” within the binary. In addition to providing proxying capabilities, these components exhibit backdoor functionality. The five (5) channels can be seen in the list below.
DownloadChannel
UploadChannel
ProxyChannel
ShellChannel
TunnelArgs
Mandiant is still analyzing SALTWATER to determine if it overlaps with any other known malware families.
Table 1 below provides the file metadata related to a SALTWATER variant.
SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP) and port 587. SEASPY contains backdoor functionality that is activated by a «magic packet».
Identified at path: /sbin/ on a subset of ESG appliances.
Mandiant analysis has identified code overlap between SEASPY and cd00r, a publicly available backdoor.
Table 2 below provides the file metadata related to a SEASPY variant.
SEASIDE is a Lua based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP address and port which it passes as arguments to an external binary that establishes a reverse shell.
Table 3 below provides the file metadata related to a SEASIDE.
Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. Contact Barracuda support (support@barracuda.com) to validate if the appliance is up to date.
Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.
Rotate any applicable credentials connected to the ESG appliance: o Any connected LDAP/AD o Barracuda Cloud Control o FTP Server o SMB o Any private TLS certificates
Review your network logs for any of the IOCs listed below and any unknown IPs. Contact compliance@barracuda.com if any are identified.
To support customers in the investigations of their environments, we are providing a list of all endpoint and network indicators observed over the course of the investigation to date. We have also developed a series of YARA rules that can be found in the section below.
Endpoint IOCs
Table 4 lists the endpoint IOCs, including malware and utilities, attributed to attacker activity during the investigation.
File Name
MD5 Hash
Type
1
appcheck.sh
N/A
Bash script
2
aacore.sh
N/A
Bash script
3
1.sh
N/A
Bash script
4
mod_udp.so
827d507aa3bde0ef903ca5dec60cdec8
SALTWATER Variant
5
intent
N/A
N/A
6
install_helo.tar
2ccb9759800154de817bf779a52d48f8
TAR Package
7
intent_helo
f5ab04a920302931a8bd063f27b745cc
Bash script
8
pd
177add288b289d43236d2dba33e65956
Reverse Shell
9
update_v31.sh
881b7846f8384c12c7481b23011d8e45
Bash script
10
mod_require_helo.lua
cd2813f0260d63ad5adf0446253c2172
SEASIDE
11
BarracudaMailService
82eaf69de710abdc5dea7cd5cb56cf04
SEASPY
12
BarracudaMailService
e80a85250263d58cc1a1dc39d6cf3942
SEASPY
13
BarracudaMailService
5d6cba7909980a7b424b133fbac634ac
SEASPY
14
BarracudaMailService
1bbb32610599d70397adfdaf56109ff3
SEASPY
15
BarracudaMailService
4b511567cfa8dbaa32e11baf3268f074
SEASPY
16
BarracudaMailService
a08a99e5224e1baf569fda816c991045
SEASPY
17
BarracudaMailService
19ebfe05040a8508467f9415c8378f32
SEASPY
18
mod_udp.so
1fea55b7c9d13d822a64b2370d015da7
SALTWATER Variant
19
mod_udp.so
64c690f175a2d2fe38d3d7c0d0ddbb6e
SALTWATER Variant
20
mod_udp.so
4cd0f3219e98ac2e9021b06af70ed643
SALTWATER Variant
Table 4: Endpoint IOCs
Network IOCs
Table 5 lists the network IOCs, including IP addresses and domain names, attributed to attacker activity during the investigation.
Indicator
ASN
Location
1
xxl17z.dnslog.cn
N/A
N/A
2
mx01.bestfindthetruth.com
N/A
N/A
3
64.176.7.59
AS-CHOOPA
US
4
64.176.4.234
AS-CHOOPA
US
5
52.23.241.105
AMAZON-AES
US
6
23.224.42.5
CloudRadium L.L.C
US
7
192.74.254.229
PEG TECH INC
US
8
192.74.226.142
PEG TECH INC
US
9
155.94.160.72
QuadraNet Enterprises LLC
US
10
139.84.227.9
AS-CHOOPA
US
11
137.175.60.253
PEG TECH INC
US
12
137.175.53.170
PEG TECH INC
US
13
137.175.51.147
PEG TECH INC
US
14
137.175.30.36
PEG TECH INC
US
15
137.175.28.251
PEG TECH INC
US
16
137.175.19.25
PEG TECH INC
US
17
107.148.219.227
PEG TECH INC
US
18
107.148.219.55
PEG TECH INC
US
19
107.148.219.54
PEG TECH INC
US
20
107.148.219.53
PEG TECH INC
US
21
107.148.219.227
PEG TECH INC
US
22
107.148.149.156
PEG TECH INC
US
23
104.223.20.222
QuadraNet Enterprises LLC
US
24
103.93.78.142
EDGENAP LTD
JP
25
103.27.108.62
TOPWAY GLOBAL LIMITED
HK
26
137.175.30.86
PEGTECHINC
US
27
199.247.23.80
AS-CHOOPA
DE
28
38.54.1.82
KAOPU CLOUD HK LIMITED
SG
29
107.148.223.196
PEGTECHINC
US
30
23.224.42.29
CNSERVERS
US
31
137.175.53.17
PEGTECHINC
US
32
103.146.179.101
GIGABITBANK GLOBAL
HK
Table 5: Network IOCs
YARA Rules
CVE-2023-2868
The following three (3) YARA rules can be used to hunt for the malicious TAR file which exploits CVE-2023-2868:
rule M_Hunting_Exploit_Archive_2
{
meta:
description = "Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_tmp = "/tmp/" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_tmp in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_3
{
meta:
description = "Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_openssl = "openssl" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_openssl in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
meta:
description = "Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$qb = "'`"
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$qb at (@ustar[i] + 255)
)
}
SALTWATER
The following three (3) YARA rule can be used to hunt for SALTWATER:
rule M_Hunting_Linux_Funchook
{
strings:
$f = "funchook_"
$s1 = "Enter funchook_create()"
$s2 = "Leave funchook_create() => %p"
$s3 = "Enter funchook_prepare(%p, %p, %p)"
$s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
$s5 = "Enter funchook_install(%p, 0x%x)"
$s6 = "Leave funchook_install() => %d"
$s7 = "Enter funchook_uninstall(%p, 0x%x)"
$s8 = "Leave funchook_uninstall() => %d"
$s9 = "Enter funchook_destroy(%p)"
$s10 = "Leave funchook_destroy() => %d"
$s11 = "Could not modify already-installed funchook handle."
$s12 = " change %s address from %p to %p"
$s13 = " link_map addr=%p, name=%s"
$s14 = " ELF type is neither ET_EXEC nor ET_DYN."
$s15 = " not a valid ELF module %s."
$s16 = "Failed to protect memory %p (size=%"
$s17 = " protect memory %p (size=%"
$s18 = "Failed to unprotect memory %p (size=%"
$s19 = " unprotect memory %p (size=%"
$s20 = "Failed to unprotect page %p (size=%"
$s21 = " unprotect page %p (size=%"
$s22 = "Failed to protect page %p (size=%"
$s23 = " protect page %p (size=%"
$s24 = "Failed to deallocate page %p (size=%"
$s25 = " deallocate page %p (size=%"
$s26 = " allocate page %p (size=%"
$s27 = " try to allocate %p but %p (size=%"
$s28 = " allocate page %p (size=%"
$s29 = "Could not find a free region near %p"
$s30 = " -- Use address %p or %p for function %p"
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}
rule M_Hunting_Linux_SALTWATER_1
{
strings:
$s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
$s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
condition:
filesize < 15MB and uint32(0) == 0x464c457f and any of them
}
rule M_Hunting_Linux_SALTWATER_2
{
strings:
$c1 = "TunnelArgs"
$c2 = "DownloadChannel"
$c3 = "UploadChannel"
$c4 = "ProxyChannel"
$c5 = "ShellChannel"
$c6 = "MyWriteAll"
$c7 = "MyReadAll"
$c8 = "Connected2Vps"
$c9 = "CheckRemoteIp"
$c10 = "GetFileSize"
$s1 = "[-] error: popen failed"
$s2 = "/home/product/code/config/ssl_engine_cert.pem"
$s3 = "libbindshell.so"
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))
}
The following SNORT rule can be used to hunt for SEASPY magic packets:
alert tcp any any -> any [25,587] (msg:»M_Backdoor_SEASPY»; flags:S; dsize:>9; content:»oXmp»; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)
The following SNORT rules require Suricata 5.0.4 or newer and can be used to hunt for SEASPY magic packets:
alert tcp any any -> any [25,587] (msg:»M_Backdoor_SEASPY_1358″; flags:S; tcp.hdr; content:»|05 4e|»; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)
alert tcp any any -> any [25,587] (msg:»M_Backdoor_SEASPY_58928″; flags:S; tcp.hdr; content:»|e6 30|»; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000002; rev:1;)
alert tcp any any -> any [25,587] (msg:»M_Backdoor_SEASPY_58930″; flags:S; tcp.hdr; content:»|e6 32|»; offset:28; depth:2; byte_test:4,>,16777216,0,big,relative; byte_test:2,>,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)
MAY 30th, 2023:
Preliminary Summary of Key Findings
Barracuda Networks priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks. Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.
Timeline
On May 18, 2023, Barracuda was alerted to anomalous traffic originating from Barracuda Email Security Gateway (ESG) appliances.
On May 18, 2023, Barracuda engaged Mandiant, leading global cyber security experts, to assist in the investigation.
On May 19, 2023, Barracuda identified a vulnerability (CVE-2023-28681) in our Email Security Gateway appliance (ESG).
On May 20, 2023, a security patch to remediate the vulnerability was applied to all ESG appliances worldwide.
On May 21, 2023, a script was deployed to all impacted appliances to contain the incident and counter unauthorized access methods.
A series of security patches are being deployed to all appliances in furtherance of our containment strategy.
Key Findings
While the investigation is still on-going, Barracuda has concluded the following:
The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to the vulnerability identified.
Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.
Barracuda identified that CVE-2023-2868 was utilized to obtain unauthorized access to a subset of ESG appliances.
Malware was identified on a subset of appliances allowing for persistent backdoor access.
Evidence of data exfiltration was identified on a subset of impacted appliances.
Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers. Additional customers may be identified in the course of the investigation.
CVE-2023-2868
On May 19, 2023, Barracuda Networks identified a remote command injection vulnerability (CVE-2023-2868) present in the Barracuda Email Security Gateway (appliance form factor only) versions 5.1.3.001-9.2.0.006. The vulnerability stemmed from incomplete input validation of user supplied .tar files as it pertains to the names of the files contained within the archive. Consequently, a remote attacker could format file names in a particular manner that would result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product.
Barracuda’s investigation to date has determined that a third party utilized the technique described above to gain unauthorized access to a subset of ESG appliances.
Malware
This section details the malware that has been identified to date.
SALTWATER
SALTWATER is a trojanized module for the Barracuda SMTP daemon (bsmtpd) that contains backdoor functionality. The capabilities of SALTWATER include the ability to upload or download arbitrary files, execute commands, as well as proxy and tunneling capabilities.
Identified at path: /home/product/code/firmware/current/lib/smtp/modules on a subset of ESG appliances.
The backdoor is implemented using hooks on the send, recv, close syscalls and amounts to five components, most of which are referred to as “Channels” within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality. The five (5) channels can be seen in the list below.
DownloadChannel
UploadChannel
ProxyChannel
ShellChannel
TunnelArgs
Mandiant is still analyzing SALTWATER to determine if it overlaps with any other known malware families. Table 1 below provides the file metadata related to a SALTWATER variant.
Table 1 below provides the file metadata related to a SALTWATER variant.
SEASPY is an x64 ELF persistence backdoor that poses as a legitimate Barracuda Networks service and establishes itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also contains backdoor functionality that is activated by a «magic packet».
Identified at path: /sbin/ on a subset of ESG appliances.
Mandiant analysis has identified code overlap between SEASPY and cd00r, a publicly available backdoor.
Table 2 below provides the file metadata related to a SEASPY variant.
SEASIDE is a Lua based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO commands to receive a command and control (C2) IP address and port which it passes as arguments to an external binary that establishes a reverse shell.
Table 3 below provides the file metadata related to a SEASIDE.
Ensure your ESG appliance is receiving and applying updates, definitions, and security patches from Barracuda. Contact Barracuda support (support@barracuda.com) to validate if the appliance is up to date.
Discontinue the use of the compromised ESG appliance and contact Barracuda support (support@barracuda.com) to obtain a new ESG virtual or hardware appliance.
Rotate any applicable credentials connected to the ESG appliance: o Any connected LDAP/AD o Barracuda Cloud Control o FTP Server o SMB o Any private TLS certificates
Review your network logs for any of the IOCs listed below and any unknown IPs. Contact compliance@barracuda.com if any are identified.
To support customers in the investigations of their environments, we are providing a list of all endpoint and network indicators observed over the course of the investigation to date. We have also developed a series of YARA rules that can be found in the section below.
Endpoint IOCs
Table 4 lists the endpoint IOCs, including malware and utilities, attributed to attacker activity during the investigation.
File Name
MD5 Hash
Type
1
appcheck.sh
N/A
Bash script
2
aacore.sh
N/A
Bash script
3
1.sh
N/A
Bash script
4
mod_udp.so
827d507aa3bde0ef903ca5dec60cdec8
SALTWATER Variant
5
intent
N/A
N/A
6
install_helo.tar
2ccb9759800154de817bf779a52d48f8
TAR Package
7
intent_helo
f5ab04a920302931a8bd063f27b745cc
Bash script
8
pd
177add288b289d43236d2dba33e65956
Reverse Shell
9
update_v31.sh
881b7846f8384c12c7481b23011d8e45
Bash script
10
mod_require_helo.lua
cd2813f0260d63ad5adf0446253c2172
SEASIDE
11
BarracudaMailService
82eaf69de710abdc5dea7cd5cb56cf04
SEASPY
12
BarracudaMailService
e80a85250263d58cc1a1dc39d6cf3942
SEASPY
13
BarracudaMailService
5d6cba7909980a7b424b133fbac634ac
SEASPY
14
BarracudaMailService
1bbb32610599d70397adfdaf56109ff3
SEASPY
15
BarracudaMailService
4b511567cfa8dbaa32e11baf3268f074
SEASPY
16
BarracudaMailService
a08a99e5224e1baf569fda816c991045
SEASPY
17
BarracudaMailService
19ebfe05040a8508467f9415c8378f32
SEASPY
18
mod_udp.so
1fea55b7c9d13d822a64b2370d015da7
SALTWATER Variant
19
mod_udp.so
64c690f175a2d2fe38d3d7c0d0ddbb6e
SALTWATER Variant
20
mod_udp.so
4cd0f3219e98ac2e9021b06af70ed643
SALTWATER Variant
Table 4: Endpoint IOCs
Network IOCs
Table 5 lists the network IOCs, including IP addresses and domain names, attributed to attacker activity during the investigation.
Indicator
ASN
Location
1
xxl17z.dnslog.cn
N/A
N/A
2
mx01.bestfindthetruth.com
N/A
N/A
3
64.176.7.59
AS-CHOOPA
US
4
64.176.4.234
AS-CHOOPA
US
5
52.23.241.105
AMAZON-AES
US
6
23.224.42.5
CloudRadium L.L.C
US
7
192.74.254.229
PEG TECH INC
US
8
192.74.226.142
PEG TECH INC
US
9
155.94.160.72
QuadraNet Enterprises LLC
US
10
139.84.227.9
AS-CHOOPA
US
11
137.175.60.253
PEG TECH INC
US
12
137.175.53.170
PEG TECH INC
US
13
137.175.51.147
PEG TECH INC
US
14
137.175.30.36
PEG TECH INC
US
15
137.175.28.251
PEG TECH INC
US
16
137.175.19.25
PEG TECH INC
US
17
107.148.219.227
PEG TECH INC
US
18
107.148.219.55
PEG TECH INC
US
19
107.148.219.54
PEG TECH INC
US
20
107.148.219.53
PEG TECH INC
US
21
107.148.219.227
PEG TECH INC
US
22
107.148.149.156
PEG TECH INC
US
23
104.223.20.222
QuadraNet Enterprises LLC
US
24
103.93.78.142
EDGENAP LTD
JP
25
103.27.108.62
TOPWAY GLOBAL LIMITED
HK
Table 5: Network IOCs
YARA Rules
CVE-2023-2868
The following three (3) YARA rules can be used to hunt for the malicious TAR file which exploits CVE-2023-2868:
rule M_Hunting_Exploit_Archive_2
{
meta:
description = "Looks for TAR archive with /tmp/ base64 encoded being part of filename of enclosed files"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_tmp = "/tmp/" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_tmp in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_3
{
meta:
description = "Looks for TAR archive with openssl base64 encoded being part of filename of enclosed files"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$b64_openssl = "openssl" base64
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$b64_openssl in (i * 512 .. i * 512 + 250)
)
}
rule M_Hunting_Exploit_Archive_CVE_2023_2868
{
meta:
description = "Looks for TAR archive with single quote/backtick as start of filename of enclosed files. CVE-2023-2868"
date_created = "2023-05-26"
date_modified = "2023-05-26"
md5 = "0d67f50a0bf7a3a017784146ac41ada0"
version = "1.0"
strings:
$ustar = { 75 73 74 61 72 }
$qb = "'`"
condition:
filesize < 1MB and
$ustar at 257 and
for any i in (0 .. #ustar) : (
$qb at (@ustar[i] + 255)
)
}
SALTWATER
The following three (3) YARA rule can be used to hunt for SALTWATER:
rule M_Hunting_Linux_Funchook
{
strings:
$f = "funchook_"
$s1 = "Enter funchook_create()"
$s2 = "Leave funchook_create() => %p"
$s3 = "Enter funchook_prepare(%p, %p, %p)"
$s4 = "Leave funchook_prepare(..., [%p->%p],...) => %d"
$s5 = "Enter funchook_install(%p, 0x%x)"
$s6 = "Leave funchook_install() => %d"
$s7 = "Enter funchook_uninstall(%p, 0x%x)"
$s8 = "Leave funchook_uninstall() => %d"
$s9 = "Enter funchook_destroy(%p)"
$s10 = "Leave funchook_destroy() => %d"
$s11 = "Could not modify already-installed funchook handle."
$s12 = " change %s address from %p to %p"
$s13 = " link_map addr=%p, name=%s"
$s14 = " ELF type is neither ET_EXEC nor ET_DYN."
$s15 = " not a valid ELF module %s."
$s16 = "Failed to protect memory %p (size=%"
$s17 = " protect memory %p (size=%"
$s18 = "Failed to unprotect memory %p (size=%"
$s19 = " unprotect memory %p (size=%"
$s20 = "Failed to unprotect page %p (size=%"
$s21 = " unprotect page %p (size=%"
$s22 = "Failed to protect page %p (size=%"
$s23 = " protect page %p (size=%"
$s24 = "Failed to deallocate page %p (size=%"
$s25 = " deallocate page %p (size=%"
$s26 = " allocate page %p (size=%"
$s27 = " try to allocate %p but %p (size=%"
$s28 = " allocate page %p (size=%"
$s29 = "Could not find a free region near %p"
$s30 = " -- Use address %p or %p for function %p"
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (#f > 5 or 4 of ($s*))
}
rule M_Hunting_Linux_SALTWATER_1
{
strings:
$s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
$s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
condition:
filesize < 15MB and uint32(0) == 0x464c457f and any of them
}
rule M_Hunting_Linux_SALTWATER_2
{
strings:
$c1 = "TunnelArgs"
$c2 = "DownloadChannel"
$c3 = "UploadChannel"
$c4 = "ProxyChannel"
$c5 = "ShellChannel"
$c6 = "MyWriteAll"
$c7 = "MyReadAll"
$c8 = "Connected2Vps"
$c9 = "CheckRemoteIp"
$c10 = "GetFileSize"
$s1 = "[-] error: popen failed"
$s2 = "/home/product/code/config/ssl_engine_cert.pem"
$s3 = "libbindshell.so"
condition:
filesize < 15MB and uint32(0) == 0x464c457f and (2 of ($s*) or 4 of ($c*))
}
MAY 23rd, 2023:
Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023. A security patch to eliminate the vulnerability was applied to all ESG appliances worldwide on Saturday, May 20, 2023. The vulnerability existed in a module which initially screens the attachments of incoming emails. No other Barracuda products, including our SaaS email security services, were subject to this vulnerability.
We took immediate steps to investigate this vulnerability. Based on our investigation to date, we’ve identified that the vulnerability resulted in unauthorized access to a subset of email gateway appliances. As part of our containment strategy, all ESG appliances have received a second patch on May 21, 2023. Users whose appliances we believe were impacted have been notified via the ESG user interface of actions to take. Barracuda has also reached out to these specific customers.
We will continue actively monitoring this situation, and we will be transparent in sharing details on what actions we are taking. Information gathering is ongoing as part of the investigation. We want to ensure we only share validated information with actionable steps for you to take. As we have information to share, we will provide updates via this product status page (https://status.barracuda.com) and direct outreach to impacted customers. Updates are also located on Barracuda’s Trust Center (https://www.barracuda.com/company/legal).
Barracuda’s investigation was limited to the ESG product, and not the customer’s specific environment. Therefore, impacted customers should review their environments and determine any additional actions they want to take.
Your trust is important to us. We thank you for your understanding and support as we work through this issue and sincerely apologize for any inconvenience it may cause. If you have any questions, please reach out to support@barracuda.com.
Write a class directly to call the decrypt function
cryptTag is
<strong>EnDecryptUtil.getCryptTag()</strong>
obtained by
Parse the persistence-configurations.xml file to get the CryptTag attribute and view the file content
Attempt to
<strong>MLITE_ENCRYPT_DECRYPT</strong>
decrypt unsuccessfully, and then found that an external entity was introduced at the top of the xml file
Finally
<strong>conf\customer-config.xml</strong>
found the CryptTag in the file
The algorithm is AES256. After decryption, link to the database and check the AaaLogin table.
The domainName is obtained
<strong>-</strong>
, and the final request package is as follows
Get restapi from this
The rce method looked at the restapi documentation. There is a workflow that can be used for rce, but there is a problem with accessing through restapi.
an internal api, the isAPIClient in the session will only be assigned when you log in, so this place isApiclient is false, and NmsUtil.isRMMEdition is false, causing an exception to be thrown
APIError.internalAPI(request, response)
. then all internal apis cannot be called.
The
conf\OpManager\do\RestApi.xml
key APIs that define the workflow are
<strong><em>EXPOSED_API=TRUE</em></strong>
the internal APIs.
At this point, the rce is broken. I traced back the
isInternalAPI()
function and found that all the APIs are in the database
, a total of 955 APIs can be accessed through restapi.
I looked at it and saw that nothing was added, deleted, modified, and checked. I hope someone who is destined can dig out a rce.
Replenish
My colleague looked at the cve injected by the other two commands of opmanager and found that it should be possible to string rce together. see colleagues’ articles
The writing is rubbish, the wording is frivolous, the content is simple, and the operation is unfamiliar. The deficiencies are welcome to give pointers and corrections from the masters, and I am grateful.
CVE-2022-36923 Detail
Current Description
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user’s API key, and then access external APIs.
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user’s API key, and then access external APIs.