Perl Toolchain Summit 2024 - Lisbon

This year I was invited to the PTS conference in Lisbon as part of the CPAN Security group. Together we have been working on ways to improve the security of the Perl ecosystem. This was a great chance for members of the CPANSec group to meet in person, get to know each other better and discuss some of the items we have been working on lately. Welcome to Nicolas, our newest member.

Cyber Resilience Act
One of the major items in the security world is related to the changes coming to …

Vulnerable Perl Spreadsheet Parsing modules

A longer version of this post, including the full timeline as we know it, is available at security.metacpan.org

Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec).  This document describes the timeline and analysis of events.

CVE-2023-7101: Spreadsheet::ParseExcel arbitrary code execution vulnerability

Đình Hải Lê discovered an arbitrary code execution (ACE) vulnerability in the Perl module Spreadsheet::ParseExcel, version 0.65 and earlier.

An attacker exploiting this vulnerability crafts an Excel file whose number format string contains Perl code; when Spreadsheet::ParseExcel parses the file, that string reaches a Perl string eval and the code runs with the privileges of the parsing process. In short, untrusted data from the file is passed to the Perl eval function, enabling arbitrary code execution. A detailed write up of the vulnerability and Proof of Concept (PoC) is available at https://github.com/haile01/perl_spreadsheet_excel_rce_poc
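As an added illustration of the bug class (this is constructed for this post, not the module's own code and not the PoC), here is the pattern that turns a format string into code: a conditional section such as [>100] is spliced into Perl source and handed to a string eval, next to a hardened version that only accepts the comparison forms Excel allows and dispatches them through a fixed table. The function names, the two sample conditions and the $pwned flag are all assumptions of the demo; the flag stands in for the system() call a real payload would make.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Conditions as they would be extracted from a number-format section such
# as "[>100]0.00". Both strings are constructed for this demo.
my $benign_cond = '>100';

# A "condition" that is really Perl code. The assignment stands in for the
# system() call a real payload would make.
our $pwned = 0;
my $malicious_cond = '>0; $main::pwned = 1; 1';

# VULNERABLE pattern: the condition is spliced into Perl source and eval'd,
# so bytes from the spreadsheet become code running as the parsing process.
sub cond_matches_unsafe {
    my ( $value, $cond ) = @_;
    my $result = eval "$value $cond";
    return $result ? 1 : 0;
}

# HARDENED: recognise exactly the comparison forms Excel allows and
# evaluate them through a fixed dispatch table; anything else is rejected.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

sub cond_matches_safe {
    my ( $value, $cond ) = @_;
    # One operator, then a plain decimal literal, and nothing else.
    if ( $cond =~ /^\s*(<=|>=|<>|<|>|=)\s*(-?\d+(?:\.\d+)?)\s*$/ ) {
        my ( $op, $num ) = ( $1, $2 );
        return $COMPARE{$op}->( $value, $num ) ? 1 : 0;
    }
    return undef;    # malformed condition: caller falls back to the default format
}

for my $cond ( $benign_cond, $malicious_cond ) {
    my $unsafe = cond_matches_unsafe( 150, $cond );
    my $safe   = cond_matches_safe( 150, $cond );
    printf "%-28s unsafe=%d safe=%s pwned=%d\n", "'$cond'", $unsafe,
        ( defined $safe ? $safe : 'rejected' ), $pwned;
}
```

Running it shows the benign condition evaluating to true under both functions, while the malicious one flips $pwned to 1 through the eval path and is rejected outright by the whitelist. The fix is not to escape the string better but to stop treating file content as Perl source at all.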

The vulnerability was reportedly exploited by UNC4841, a China-nexus threat actor, to compromise Barracuda Email Security Gateway (ESG) appliances; Barracuda tracks that exploitation as CVE-2023-7102, for which the ParseExcel bug is considered the root cause. https://www.barracuda.com/company/legal/esg-vulnerability

CVE-2024-22368: Spreadsheet::ParseXLSX denial of service vulnerability

Đình Hải Lê discovered a DoS vulnerability in Spreadsheet::ParseXLSX, version 0.27 and earlier, enabling denial of service through memory exhaustion when parsing a crafted XLSX file.

An attacker creates a tiny spreadsheet whose merged-cell range covers every cell the sheet can hold (about 17 billion cells in a modern XLSX). Vulnerable versions of Spreadsheet::ParseXLSX expanded the merged range cell by cell while parsing, so memory use grew with the range the file declared rather than with the cells it actually contained. Uploading such a file to a web application that parses it with the vulnerable module consumes all memory on the server and causes a denial of service.
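As an added example (written for this post, not code from Spreadsheet::ParseXLSX), here is the shape of the problem and its fix: a mergeCell reference is parsed into bounds, the naive approach materialises one hash entry per cell of the range, and the bounded approach keeps only the four corner coordinates and answers membership arithmetically. The helper names, the sanity cap and the A1:XFD1048576 "bomb" reference (the full extent of a worksheet) are assumptions of the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Column letters to a zero-based index: A -> 0, Z -> 25, AA -> 26, XFD -> 16383.
sub col_index {
    my ($letters) = @_;
    my $n = 0;
    $n = $n * 26 + ( ord($_) - ord('A') + 1 ) for split //, uc $letters;
    return $n - 1;
}

# Bounds of a <mergeCell ref="A1:B3"/> range as (top, left, bottom, right),
# all zero-based.
sub merge_bounds {
    my ($ref) = @_;
    my ( $c1, $r1, $c2, $r2 ) = $ref =~ /^([A-Z]+)(\d+):([A-Z]+)(\d+)$/i
        or die "malformed mergeCell ref '$ref'\n";
    return ( $r1 - 1, col_index($c1), $r2 - 1, col_index($c2) );
}

# Number of cells a range declares; costs nothing to compute.
sub merge_area {
    my ( $top, $left, $bottom, $right ) = merge_bounds(shift);
    return ( $bottom - $top + 1 ) * ( $right - $left + 1 );
}

# VULNERABLE pattern: one hash entry per cell of the range, so memory grows
# with the range the file declares, not with the cells the file contains.
sub merged_lookup_naive {
    my ($ref) = @_;
    my ( $top, $left, $bottom, $right ) = merge_bounds($ref);
    my %merged;
    for my $r ( $top .. $bottom ) {
        for my $c ( $left .. $right ) {
            $merged{"$r;$c"} = 1;
        }
    }
    return \%merged;
}

# HARDENED: keep only the four bounds and test membership arithmetically.
# Cost is constant per range however large the range is.
sub merged_lookup_bounded {
    my ($ref) = @_;
    my @b = merge_bounds($ref);
    return sub {
        my ( $r, $c ) = @_;
        return $r >= $b[0] && $r <= $b[2] && $c >= $b[1] && $c <= $b[3];
    };
}

my $small_ref = 'B2:C4';             # a normal merged header, 6 cells
my $bomb_ref  = 'A1:XFD1048576';     # every cell a worksheet can hold (constructed)

printf "%-16s %14d cells\n", $_, merge_area($_) for $small_ref, $bomb_ref;

# Naive expansion of the small range is harmless ...
my $naive = merged_lookup_naive($small_ref);
printf "naive: %d entries for %s\n", scalar( keys %$naive ), $small_ref;

# ... but the same loop on the bomb would try to create ~17 billion entries,
# so refuse to expand anything above a sanity cap instead of trusting the file.
my $MAX_EXPAND = 1_000_000;
for my $ref ( $small_ref, $bomb_ref ) {
    if ( merge_area($ref) > $MAX_EXPAND ) {
        print "refusing to expand $ref\n";
        next;
    }
    merged_lookup_naive($ref);
}

# The bounded lookup answers the same question for either range without
# allocating anything per cell.
my $in_bomb = merged_lookup_bounded($bomb_ref);
printf "bounded: (0,0) merged=%d  beyond sheet (2000000,0) merged=%d\n",
    ( $in_bomb->( 0, 0 ) ? 1 : 0 ), ( $in_bomb->( 2_000_000, 0 ) ? 1 : 0 );
```

The general lesson is that any per-item allocation driven by a count the attacker writes into the file needs either a representation whose cost is independent of that count or a hard cap checked before the loop runs.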

A detailed write up of the vulnerability and PoC is available at https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md

It is not known whether this vulnerability was used to cause a denial of service on a production server. 

CVE-2024-23525: Spreadsheet::ParseXLSX XML external entity attack vulnerability

An Pham discovered an XML external entity injection (XXE) vulnerability in Spreadsheet::ParseXLSX version 0.29 and earlier, enabling an attacker who supplies a crafted XLSX file to read local files and otherwise interact with the host through the XML parser.

This is a classic XML external entity (XXE) injection vulnerability: the attacker declares an external entity in one of the XML parts inside the XLSX archive, and the XML parser fetches the referenced resource (such as a local file) and includes its contents in the parsed data, exposing information that should not be available to the uploader. The PoC also includes an example that causes a DoS.

Configuring an XML parser to resolve external entities is dangerous and should never be the default. Any parser that handles untrusted input, which a file-upload path always is, should have external entity resolution switched off explicitly.
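As an added demonstration (constructed for this post, not the module's code or the published PoC), the following script parses a fake sharedStrings.xml, the kind of XLSX part that is handed to XML::Twig, first with default options and then with XML::Twig's no_xxe option. It assumes XML::Twig and XML::Parser are installed and that XML::Parser's default external-entity handler can fetch a file:// URL (which it does through LWP when LWP is present); the temporary "secret" file stands in for something like /etc/passwd on the server.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::Twig;    # CPAN; pulls in XML::Parser

# Stand-in for a file the parsing process can read but the uploader should
# never see.
my ( $fh, $secret_path ) = tempfile( UNLINK => 1 );
print $fh 'SECRET-FROM-DISK';
close $fh;

# Constructed sharedStrings.xml. The DOCTYPE declares an external entity
# pointing at the file, and the first shared string references it.
my $shared_strings = <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sst [ <!ENTITY xxe SYSTEM "file://$secret_path"> ]>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <si><t>&xxe;</t></si>
</sst>
XML

# Parse with the given XML::Twig options and return the first shared
# string, or a description of why the parse was refused.
sub first_shared_string {
    my (%opts) = @_;
    my $twig = XML::Twig->new(%opts);
    eval { $twig->parse($shared_strings); 1 }
        or return "parse refused: $@";
    my $si = $twig->root->first_child('si');
    return $si->first_child('t')->text;
}

# Default options: the entity is resolved and the file's content becomes
# the cell value the application later displays or stores.
print "default : ", first_shared_string(), "\n";

# With no_xxe the parser raises an error at the external entity instead of
# fetching it, so nothing from the host reaches the document.
print "no_xxe  : ", first_shared_string( no_xxe => 1 ), "\n";
```

The first line prints SECRET-FROM-DISK; the second reports a refused parse. The same single option is the difference between a spreadsheet importer and a file-read primitive, which is why it belongs in the parser constructor rather than in per-call-site hygiene.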

A detailed write up of the vulnerability and PoC is available at https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a

Further Information

The full timeline and additional detail is available at: https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html

Acknowledgements

Thank you to everyone involved in reporting and fixing these issues. This write up was the joint effort of several members of CPANSec.

About Timothy Legge

FOSS developer who has been scratching various itches for many years.