Vulnerable Perl Spreadsheet Parsing modules
A longer version of this post, including the full timeline as we know it, is available at security.metacpan.org
Between Dec 2023 and Jan 2024, vulnerabilities in Spreadsheet::ParseExcel and Spreadsheet::ParseXLSX were reported to the CPAN Security Group (CPANSec). This document describes the timeline and analysis of events.
CVE-2023-7101: Spreadsheet::ParseExcel arbitrary code execution vulnerability
Đình Hải Lê discovered an arbitrary code execution (ACE) vulnerability in the Perl module Spreadsheet::ParseExcel, version 0.65 and earlier.
An attacker exploiting this vulnerability crafts an Excel file in which a cell's number format string contains Perl code; that code is executed when the file is parsed by Spreadsheet::ParseExcel. The root cause is that untrusted data from the file is passed to Perl's string eval, which enables arbitrary code execution.
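The following is an added illustration of the vulnerability class, written for this page; it is not code from Spreadsheet::ParseExcel. The payload, the toy formatter and the narrow format grammar accepted by the hardened version are all assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustration of the bug class only; not the module's own code.
our $executed = 0;

# Constructed payload standing in for a number format string read from a
# crafted .xls file. "@{[ ... ]}" is Perl's list-interpolation syntax: any
# expression inside it runs when the enclosing string is interpolated.
my $malicious_format = '0.00 @{[ $main::executed = 1 ]}';

# Unsafe pattern: untrusted format text is spliced into Perl source and
# handed to string-eval, so the attacker's expression executes during
# parsing, before any cell value is even looked at.
sub format_with_eval {
    my ($fmt) = @_;
    my $out;
    eval "\$out = \"$fmt\";";
    die "eval failed: $@" if $@;
    return $out;
}

# Hardened pattern: treat the format as data. Accept only a narrow grammar
# (digit placeholders with optional thousands separators, optional decimal
# placeholders, optional quoted literal of safe characters) and build the
# output with sprintf. Anything outside the grammar is rejected; nothing is
# ever compiled as Perl. (The thousands separator is parsed but ignored here.)
sub format_safely {
    my ($value, $fmt) = @_;
    my ($int, $frac, $literal) =
        $fmt =~ /\A([0#,]+)(?:\.([0#]+))?(?:"([A-Za-z0-9 ]*)")?\z/
        or die "unsupported number format: '$fmt'\n";
    my $decimals = defined $frac ? length $frac : 0;
    my $out = sprintf "%.${decimals}f", $value;
    $out .= $literal if defined $literal;
    return $out;
}

# Merely "formatting" with the unsafe routine runs the attacker's code.
format_with_eval($malicious_format);
print "unsafe: attacker expression executed = $executed\n";

# The hardened routine serves legitimate formats and refuses the payload.
print "safe:   ", format_safely(1234.5678, '0.00'), "\n";
print "safe:   ", format_safely(2.5, '#,##0.0"kg"'), "\n";
eval { format_safely(1, $malicious_format) };
print "safe:   rejected: $@";
```

The point of the hardened version is not the particular grammar but the shape of the fix: the format string is matched against an allow-list and turned into a sprintf call, so there is no code path from file contents to eval.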
A detailed write up of the vulnerability and Proof of Concept (PoC) is available at
It was allegedly used by UNC4841, a China-backed threat actor, to compromise Barracuda Email Security Gateway (ESG) appliances, and is considered the root cause of CVE-2023-7102: https://www.barracuda.com/company/legal/esg-vulnerability
CVE-2024-22368: Spreadsheet::ParseXLSX denial of service vulnerability
Đình Hải Lê discovered a DoS vulnerability in Spreadsheet::ParseXLSX, version 0.27 and earlier, in which parsing a crafted XLSX file exhausts memory (an out-of-memory condition).
An attacker creates a spreadsheet whose merged-cell range covers every cell in the sheet. Because of the way vulnerable versions of Spreadsheet::ParseXLSX parsed the file, they allocated huge amounts of RAM to track that merged region, even though the file itself is tiny. Uploading such a spreadsheet to a web application that parses it with the vulnerable module causes a denial of service once all memory on the server is used.
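As an added example, not code from Spreadsheet::ParseXLSX, the following shows why a whole-sheet merged range is a memory bomb and how a parser can track merged regions without expanding them. The sheet fragment is constructed and the helper names are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustration of the bug class only; not the module's own code.
# A worksheet's XML lists merged regions as <mergeCell ref="A1:B2"/>. A parser
# that records one bookkeeping entry per cell in each region lets the
# attacker choose how much memory it allocates.

# Constructed sheet fragment: one merged region spanning the whole sheet.
# XFD1048576 is the last cell Excel allows (16384 columns x 1048576 rows).
my $sheet_xml = '<mergeCells count="1"><mergeCell ref="A1:XFD1048576"/></mergeCells>';

# Column letters to a 1-based index: A=1 ... Z=26, AA=27 ... XFD=16384.
sub col_to_num {
    my ($col) = @_;
    my $n = 0;
    $n = $n * 26 + (ord($_) - ord('A') + 1) for split //, uc $col;
    return $n;
}

# "A1:XFD1048576" -> (col1, row1, col2, row2) as integers.
sub parse_range {
    my ($ref) = @_;
    my ($c1, $r1, $c2, $r2) = $ref =~ /\A([A-Za-z]+)(\d+):([A-Za-z]+)(\d+)\z/
        or die "bad range '$ref'\n";
    return (col_to_num($c1), $r1, col_to_num($c2), $r2);
}

sub cells_in_range {
    my ($c1, $r1, $c2, $r2) = parse_range(shift);
    return ($c2 - $c1 + 1) * ($r2 - $r1 + 1);
}

# Vulnerable shape: one hash entry per cell in the region. With the
# whole-sheet range above this would try to create ~17 billion entries,
# so it is only called with a tiny range below.
sub expand_merged_naively {
    my ($ref) = @_;
    my ($c1, $r1, $c2, $r2) = parse_range($ref);
    my %merged;
    for my $r ($r1 .. $r2) {
        for my $c ($c1 .. $c2) { $merged{"$c,$r"} = $ref }
    }
    return \%merged;
}

# Hardened shape: keep each region as four integers and answer "is this cell
# merged?" arithmetically. Memory is proportional to the number of regions
# in the file, not to the number of cells they cover.
sub merged_regions {
    my ($xml) = @_;
    my @regions;
    while ($xml =~ /<mergeCell\s+ref="([^"]+)"/g) {
        push @regions, [ parse_range($1) ];
    }
    return \@regions;
}

sub is_merged {
    my ($regions, $col, $row) = @_;
    for my $reg (@$regions) {
        my ($c1, $r1, $c2, $r2) = @$reg;
        return 1 if $col >= $c1 && $col <= $c2 && $row >= $r1 && $row <= $r2;
    }
    return 0;
}

my $ref = ($sheet_xml =~ /ref="([^"]+)"/)[0];
printf "region %s covers %d cells\n", $ref, cells_in_range($ref);

my $regions = merged_regions($sheet_xml);
printf "cell C3 merged? %d (regions stored: %d)\n",
    is_merged($regions, col_to_num('C'), 3), scalar @$regions;

# The naive expansion is shown only on a small range to make the cost visible.
my $small = expand_merged_naively('A1:C3');
printf "A1:C3 expands to %d hash entries\n", scalar keys %$small;
```

The cell count printed for the whole-sheet range is the budget the vulnerable approach hands to the attacker; a parser that stores ranges (or at least caps the number of cells it is willing to expand) cannot be driven out of memory by a single mergeCell element.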
A detailed write up of the vulnerability and PoC is available at https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
It is not known whether this vulnerability was used to cause a denial of service on a production server.
CVE-2024-23525: Spreadsheet::ParseXLSX XML external entity attack vulnerability
An Pham discovered an XML external entity injection (XXE) vulnerability in Spreadsheet::ParseXLSX version 0.29 and earlier, enabling an attacker to make the parser read data from the system on which the file is parsed.
This is a classic XXE injection vulnerability: a crafted file declares an external entity in its XML, instructing the parser to load external data, and the vulnerable code then includes data (or a file) that should not be available to the attacker. The PoC also includes an example that would cause a DoS.
Configuring an XML parser to allow loading external entities is dangerous and should never be the default.
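Added example, not the project's code: a crafted document parsed with XML::Twig, the parser Spreadsheet::ParseXLSX builds on, first with default options and then with its no_xxe option. The payload, the file path, and the helper name are constructed for this illustration; exactly what the default parse returns depends on the external-entity handler of the installed XML::Parser.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::Twig;

# Illustration only; not the module's own code.
# Constructed malicious sheet fragment: the internal DTD subset declares an
# external entity pointing at a local file, and the inline string of cell A1
# references it. Any readable file or URL would do in place of the path.
my $xxe_xml = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sheet [ <!ENTITY leak SYSTEM "file:///etc/hostname"> ]>
<sheetData>
  <row r="1"><c r="A1" t="inlineStr"><is><t>&leak;</t></is></c></row>
</sheetData>
XML

# Parse with the given XML::Twig options and return the text of cell A1,
# or the parse error if the parser refused the document.
sub cell_a1_text {
    my (%twig_opts) = @_;
    my $twig = XML::Twig->new(%twig_opts);
    eval { $twig->parse($xxe_xml) };
    return "parse error: $@" if $@;
    return $twig->root->first_child('row')->first_child('c')
                ->first_child('is')->first_child('t')->text;
}

# Weak: default options. XML::Parser installs a default ExternEnt handler
# that tries to fetch SYSTEM identifiers (using LWP when it is installed),
# so the referenced file's contents end up as the "cell value".
print "default : [", cell_a1_text(), "]\n";

# Hardened: no_xxe => 1 makes XML::Twig refuse external entities, so the
# parse fails closed instead of reading the file into the document.
print "no_xxe  : [", cell_a1_text(no_xxe => 1), "]\n";
```

If the workbook XML is parsed with XML::LibXML instead, the equivalent hardening is to construct the parser with load_ext_dtd => 0, expand_entities => 0 and no_network => 1; libxml2 also limits internal entity expansion unless the huge option is enabled, which covers the entity-expansion DoS variant as well.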
A detailed write up of the vulnerability and PoC is available at https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a
The full timeline and additional detail is available at: https://security.metacpan.org/2024/02/10/vulnerable-spreadsheet-parsing-modules.html
Thank you to everyone involved in reporting and fixing these issues. This write-up was the joint effort of several members of CPANSec.