The US government's Cybersecurity and Infrastructure Security Agency (CISA) is warning of a major vulnerability in an open-source Perl library that reads Excel files.
In a security advisory published earlier this week, CISA said there is a major bug in the library called Spreadsheet::ParseExcel. The bug, now tracked as CVE-2023-7101, is described as a Remote Code Execution (RCE) flaw, meaning it can be used by threat actors to deploy and execute various types of malware, including ransomware.
US government agencies have until January 23 to address the flaw. The issue can be resolved by updating the library to a version newer than 0.65.
UNC4841 on the offensive
“Spreadsheet::ParseExcel contains a remote code execution vulnerability by passing unvalidated input from a file to a string type ‘eval.’ The issue specifically arises from the evaluation of strings in number formats within Excel's parsing logic,” CISA said of the error.
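The mechanism CISA describes, text taken from a spreadsheet's number format and handed to a string-type eval, is a generic bug class, and the fix pattern is equally generic: parse the format into a fixed set of tokens and dispatch through a table instead of evaluating it. The Python sketch below is an added illustration of that class of flaw and its hardened form; it is not code from Spreadsheet::ParseExcel, Barracuda or CISA, and the library itself is written in Perl. The format strings, the `SIDE_EFFECTS` marker list and both function names are constructed for the example.

```python
import operator
import re

# Module-level marker used only to prove that text from the "file" was executed.
SIDE_EFFECTS = []

# Constructed sample number formats (not taken from the advisory).
# Excel-style conditional formats carry a comparison in square brackets.
BENIGN_FORMAT = "[>=100]#,##0;General"
NEGATIVE_FORMAT = "[<0](0);0"
# Mimics the class of input the advisory describes: code smuggled into the
# bracketed condition. Here it only appends a marker, so the effect is visible.
HOSTILE_FORMAT = "[>0 and SIDE_EFFECTS.append('executed') is None]General"

# Loose pattern: captures whatever sits between the brackets.
COND_RE = re.compile(r"^\[(.*?)\](.*)$", re.S)


def vulnerable_condition_matches(fmt, value):
    """Vulnerable pattern: the bracketed condition is spliced into a string eval.
    Whatever the spreadsheet author wrote inside the brackets becomes code."""
    m = COND_RE.match(fmt)
    if not m:
        return False
    cond = m.group(1)
    return bool(eval(f"{value!r} {cond}"))


# Strict pattern: exactly one known comparison operator followed by a number.
STRICT_COND_RE = re.compile(r"^\[(<=|>=|<>|<|>|=)(-?\d+(?:\.\d+)?)\]")

# Fixed dispatch table; the operator token selects a function, nothing is evaluated.
OPERATORS = {
    "<=": operator.le,
    ">=": operator.ge,
    "<>": operator.ne,
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
}


def safe_condition_matches(fmt, value):
    """Hardened form: validate the condition against a strict grammar, then
    dispatch through OPERATORS. Anything that does not fit is rejected."""
    if not fmt.startswith("["):
        return False  # no conditional section in this format
    m = STRICT_COND_RE.match(fmt)
    if not m:
        raise ValueError(f"rejected malformed number-format condition: {fmt!r}")
    op, number = m.group(1), float(m.group(2))
    return OPERATORS[op](float(value), number)


def demo():
    """Runs both parsers over the constructed formats and reports the outcome."""
    results = {}
    results["vulnerable_benign"] = vulnerable_condition_matches(BENIGN_FORMAT, 150)
    results["vulnerable_hostile"] = vulnerable_condition_matches(HOSTILE_FORMAT, 150)
    results["side_effects"] = list(SIDE_EFFECTS)
    results["safe_benign"] = safe_condition_matches(BENIGN_FORMAT, 150)
    try:
        safe_condition_matches(HOSTILE_FORMAT, 150)
        results["safe_hostile"] = "accepted"
    except ValueError:
        results["safe_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it shows the vulnerable parser reporting a "match" for the hostile format while the marker list proves the bracketed text actually ran, whereas the hardened parser raises before any evaluation. The defensive point is that a format parser has no business evaluating anything: a strict grammar plus an operator table covers every legitimate Excel conditional and leaves no path from file content to the interpreter.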
CISA was not the first to discover the RCE flaw. Email and network security company Barracuda found it earlier, after observing Chinese hackers exploiting it to target Email Security Gateway (ESG) instances. Within ESG, the library was used by the Amavis virus scanner. By crafting a custom Excel attachment, the attackers could trigger the flaw and run virtually any code unhindered on the vulnerable device.
Barracuda, along with Mandiant, attributed the attack to UNC4841, saying the group used the flaw to drop the SEASPY and SALTWATER malware.
“On December 22, 2023, Barracuda deployed a patch to remediate compromised ESG devices that showed indicators of compromise related to the newly identified malware variants,” the company said in an announcement. Barracuda concluded that no action is required on the part of the user, adding that its investigation into the matter is still ongoing.
Although Barracuda has addressed the issue within its own ecosystem, the company emphasized that the open-source library itself remains vulnerable. “For organizations using Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and taking appropriate remedial action immediately,” the report concluded.
Via BleepingComputer