CISA Issues Warning on Critical Flaw Exploited by Chinese Hackers in Excel Library


The Cybersecurity and Infrastructure Security Agency (CISA) of the US Government has issued an alert about a significant vulnerability in an open-source Perl library used to read Excel files. The flaw, tracked as CVE-2023-7101, is a remote code execution (RCE) risk that lets threat actors, in this instance Chinese hackers, deploy various types of malware, including ransomware.

CISA’s security advisory, released earlier this week, directs US Government agencies to address the issue by January 23. The recommended remediation is to update the affected library, Spreadsheet::ParseExcel, to a version beyond 0.65.
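A quick way to find out whether a host is in the affected range is to ask the perl that actually runs the parsing code which Spreadsheet::ParseExcel it loads and from where. The script below is an added check, not code from the article, CISA or Barracuda; it assumes nothing beyond the 0.65 cut-off stated above and the core `version` module.

```perl
#!/usr/bin/perl
# Added check (not from the article or from CISA/Barracuda): report whether the
# Spreadsheet::ParseExcel visible to this perl is at or below 0.65, the range
# the advisory says must be updated.
use strict;
use warnings;
use version;

my $LAST_VULNERABLE = version->parse('0.65');   # last affected release per the advisory

sub parseexcel_status {
    # Load the module if present; a failed require means it is not installed for this perl.
    my $ok = eval { require Spreadsheet::ParseExcel; 1 };
    return "Spreadsheet::ParseExcel not installed for $^X\n" unless $ok;

    my $ver  = Spreadsheet::ParseExcel->VERSION // 'unknown';
    my $path = $INC{'Spreadsheet/ParseExcel.pm'} // 'unknown path';   # which copy got loaded

    my $state = $ver eq 'unknown'                        ? 'version unknown: inspect manually'
              : version->parse($ver) <= $LAST_VULNERABLE ? 'affected by CVE-2023-7101: update past 0.65'
              :                                            'not in the affected range';
    return "Spreadsheet::ParseExcel $ver at $path: $state\n";
}

print parseexcel_status();
```

Run it with the same interpreter the product uses (for example the perl inside an appliance or a container image), because vendored copies of the module can sit outside the system perl's `@INC` and would be missed by checking the OS package alone; the printed path shows which copy was actually loaded.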

According to CISA, the vulnerability stems from the library’s evaluation of number format strings within its Excel parsing logic: unvalidated input read from the file is passed to a string-type “eval”, which can lead to remote code execution.
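The mechanism CISA describes is the classic unsafe pattern of building Perl source from file-controlled text and handing it to a string eval. The following is an added illustration, not code from Spreadsheet::ParseExcel or from the article: a hypothetical number-format routine written the unsafe way beside a hardened version that never evaluates the format string and instead accepts only a small, explicit grammar.

```perl
#!/usr/bin/perl
# Added illustration (hypothetical, not Spreadsheet::ParseExcel's own code):
# the unsafe pattern the advisory describes beside a safe replacement.
use strict;
use warnings;

# UNSAFE (hypothetical): the format string comes straight from the workbook
# and is interpolated into Perl source text, which a string eval then runs.
# Whoever authored the file therefore controls part of the program.
sub format_number_unsafe {
    my ($value, $fmt) = @_;
    my $code = "sprintf('$fmt', $value)";   # file-controlled text becomes source code
    return eval $code;                      # string eval executes that source
}

# SAFE: interpret the format string with ordinary Perl against an allowlist.
# Hypothetical grammar: optional thousands grouping "#,##", a mandatory "0",
# optional decimals "0+" (e.g. "0", "0.00", "#,##0.00"). Anything else is rejected.
sub format_number_safe {
    my ($value, $fmt) = @_;
    return undef unless $fmt =~ /\A(#,##)?0(?:\.(0+))?\z/;
    my ($group, $frac) = ($1, $2);          # copy captures before any further regex
    my $decimals = defined $frac ? length($frac) : 0;

    my $out = sprintf("%.${decimals}f", $value);
    if ($group) {
        my ($int, $dec) = split /\./, $out, 2;
        1 while $int =~ s/^(-?\d+)(\d{3})/$1,$2/;   # insert thousands separators
        $out = defined $dec ? "$int.$dec" : $int;
    }
    return $out;
}

# Constructed sample inputs: two formats within the grammar and one that is not.
for my $fmt ('0.00', '#,##0.00', '0.0;"junk"') {
    my $r = format_number_safe(1234567.891, $fmt);
    print defined $r ? "$fmt => $r\n" : "$fmt => rejected\n";
}
# prints:
#   0.00 => 1234567.89
#   #,##0.00 => 1,234,567.89
#   0.0;"junk" => rejected
```

The defensive point is in the second routine: the format text is matched against a fixed grammar and turned into a numeric precision and a grouping flag, so no part of it ever reaches `eval`. Rejecting unknown formats (returning `undef` here) is the right failure mode for a parser that handles untrusted attachments; formatting fidelity can be extended by growing the allowlist, never by falling back to evaluation.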

The RCE flaw was not discovered by CISA. Email protection and network security firm Barracuda identified it after observing Chinese hackers exploiting the vulnerability against instances of its Email Security Gateway (ESG). The attackers, associated with UNC4841, used the flaw in the Amavis virus scanner embedded in ESG to have custom Excel attachments run arbitrary code on vulnerable devices.

Barracuda, in collaboration with Mandiant, attributes the attack to UNC4841 and links it to the deployment of the SEASPY and SALTWATER malware. Barracuda deployed a patch on December 22, 2023, to remediate compromised ESG appliances that exhibited indicators of compromise related to the newly identified malware variants.

While Barracuda has addressed the issue within its own products, it stresses that the open-source library, Spreadsheet::ParseExcel, remains susceptible. Organizations that use the library in their products or services are therefore strongly advised to review CVE-2023-7101 and apply the necessary remediation promptly. Barracuda’s investigation into the matter is ongoing.