The US Government’s Cybersecurity and Infrastructure Agency (CISA) is warning of a major vulnerability in an open-source Perl library that reads Excel files.
In a security advisory published earlier this week, CISA said that there is a major bug in the library called Spreadsheet::ParseExcel. The bug, now tracked as CVE-2023-7101, is described as a remote code execution (RCE) flaw, meaning it could be used by threat actors to deploy and run different malware, including ransomware.
It was stated that US Government agencies have until January 23 to address the flaw. It can be fixed by updating the library to versions newer than 0.65.
UNC4841 on the offensive
“Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval.” Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic,” CISA said of the flaw.
CISA was not the first to discover the RCE flaw. The email protection and network security firm Barracuda recently discovered it, after observing Chinese hackers abusing it to target its Email Security Gateway instances. Within ESG, the library was used by the Amavis virus scanner. By crafting a custom Excel attachment, the attackers would able to exploit the flaw and run pretty much any code on the vulnerable device, unabated.
Barracuda, together with Mandiant, attributed the attack to UNC4841, claiming the Chinese were using the flaw to drop SEASPY and SALTWATER malware.
On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG appliances which exhibited indicators of compromise related to the newly identified malware variants,” the company said in an announcement. Barracuda concluded that no action is required from the user’s side and added that its investigation into the matter is ongoing.
While Barracuda addressed the issue within its own ecosystem, the company stressed that the open-source library remains vulnerable. “For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and promptly taking necessary remediation measures,” it concluded.
Via BleepingComputer