Vulnerable Perl Spreadsheet Parsing modules

By Timothy Legge on February 10, 2024 2:54 PM

A longer version of this post, including the full timeline as we know it, is available at security.metacpan.org

Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This document describes the timeline and analysis of events.

CVE-2023-7101: Spreadsheet::ParseExcel arbitrary code execution vulnerability

Đình Hải Lê discovered an arbitrary code execution (ACE) vulnerability in the Perl module Spreadsheet::ParseExcel, version 0.65 and earlier.

An attacker, exploiting this vulnerability, would craft an Excel file containing malicious code encoded as a number format string, which is executed when the file is parsed by Spreadsheet::ParseExcel. Basically, untrusted data is passed to the Perl eval function enabling arbitrary code execution. A detailed write up of the vulnerability and Proof of Concept (PoC) is available at https://github.com/haile01/perl_spreadsheet_excel_rce_poc

It was allegedly used by UNC4841, a China-backed threat actor, to compromise Barracuda Email Security Gateway (ESG) appliances, and is considered a root cause for CVE-2023-7102. https://www.barracuda.com/company/legal/esg-vulnerability

CVE-2024-22368: Spreadsheet::ParseXLSX denial of service vulnerability

Đình Hải Lê discovered a DoS vulnerability in Spreadsheet::ParseXLSX, version 0.27 and earlier, enabling denial of service attacks via out-of-memory bugs when parsing a crafted XLSX file.

Basically, an attacker could create a spreadsheet file and set a merged cell to include all possible cells in the spreadsheet. Because of the way vulnerable versions of Spreadsheet::ParseXLSX parsed the file, it would allocate huge amounts of ram to track the merged cell. Simply uploading a simple spreadsheet to a web application using the vulnerable module would cause a denial of service as all memory on the server was used.

A detailed write up of the vulnerability and PoC is available at https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md

It is not known whether this vulnerability was used to cause a denial of service on a production server.

CVE-2024-23525: Spreadsheet::ParseXLSX XML external entity attack vulnerability

An Pham discovered a XML external entity injection (XXE) vulnerability in Spreadsheet::ParseXLSX version 0.29 and earlier, enabling an attacker to interact with the system

This is a classic XML external entity (XXE) injection vulnerability, in which the attacker can cause the vulnerable code to include data (or a file) that should not be available, by simply instructing the XML parser to load external data. The PoC also includes an example that would cause a DoS.

Configuring an XML parser to allow loading external entities is dangerous and should never be the default.

A detailed write up of the vulnerability and PoC is available at https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a