A critical vulnerability has been discovered in the Spreadsheet::ParseExcel Perl module, which provides functions for parsing files in Excel format. The vulnerability, tracked as CVE-2023-7101, allows arbitrary code execution when processing XLS or XLSX files that contain specially crafted number-format rules; versions up to and including 0.65 are affected.
The root cause is a string "eval" applied to data read from the processed file: the cell number-format string taken from the workbook is interpolated into Perl source when a call is constructed, so the file's contents become code, as the vulnerable snippet shows. The flaw sits in the utility module used by Spreadsheet::ParseExcel, specifically at line 171 of the Utility.pm file.
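To make the failure mode concrete, here is an added illustration in Perl; it is not Spreadsheet::ParseExcel's own code, and its format grammar is a deliberately small stand-in for Excel's. The unsafe helper follows the pattern described above (a file-supplied number-format string spliced into source and run through string eval); the hardened helper interprets the same kind of format with a whitelisted grammar and no eval at all. Both helpers, the flag variable and the format strings are constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration, not Spreadsheet::ParseExcel's own code: why a string
# eval built from a value read out of a workbook is arbitrary code execution,
# and what a no-eval formatter with a whitelisted grammar looks like instead.
use strict;
use warnings;

our $pwned = 0;   # flag the injected code will flip; proves the eval ran it

# Constructed samples of a cell number-format string as read from a workbook.
my $benign_fmt    = '#,##0.00';
my $malicious_fmt = q{0.00'); $main::pwned = 1; sprintf('%s};

# Hypothetical unsafe helper modelled on the pattern in the advisory: the
# file-supplied format string is spliced into Perl source and run through
# string eval, so whatever the file contains becomes code.
sub format_unsafe {
    my ($fmt, $value) = @_;
    my $code = "sprintf('$fmt', $value)";  # $fmt is attacker-controlled
    my $out  = eval $code;                 # string eval compiles and runs $code
    die "eval failed: $@" if $@;
    return $out;
}

# Hardened helper: accept only a fixed grammar (optional thousands grouping,
# digit placeholders, optional decimals, optional percent), reject anything
# else, and format with sprintf called directly. No eval, so the file's
# bytes can never be executed. The grammar is a toy, not Excel's full one.
sub format_safe {
    my ($fmt, $value) = @_;
    return undef
        unless defined $fmt && $fmt =~ /^(#,#)?#*0*(?:\.(0+))?(%)?$/;
    my ($group, $frac_digits, $percent) = ($1, $2, $3);
    my $decimals = defined $frac_digits ? length $frac_digits : 0;
    $value *= 100 if defined $percent;
    my $s = sprintf '%.*f', $decimals, $value;
    if (defined $group) {
        my ($int, $frac) = split /\./, $s, 2;
        1 while $int =~ s/^(-?\d+)(\d{3})/$1,$2/;   # insert thousands separators
        $s = defined $frac ? "$int.$frac" : $int;
    }
    $s .= '%' if defined $percent;
    return $s;
}

# Unsafe path: the malicious format string executes and flips the flag.
my $r = format_unsafe($malicious_fmt, 42);
printf "unsafe: returned '%s', \$pwned is now %d\n", $r, $pwned;

# Safe path: benign formats are rendered, the malicious one is rejected.
for my $f ($benign_fmt, '0.00', '0%', $malicious_fmt) {
    my $out = format_safe($f, 1234567.891);
    printf "safe:   %-45s => %s\n", $f, defined $out ? $out : 'REJECTED';
}
```

The point of the contrast is not the particular regex but the design rule: data read from a parsed file must only ever select among behaviours the parser already implements, never be handed to an interpreter. With the unsafe helper, the quote and semicolon in the format string close the intended call and start a new statement, which is exactly how a workbook becomes a payload; the safe helper cannot fail that way because the file's bytes are only matched, never compiled.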
A fix has been released: users are advised to update to version 0.66 of the Spreadsheet::ParseExcel module, available from the official distribution on MetaCPAN.
As a proof of concept, a prototype exploit has been shared by the security community. It demonstrates the risk posed by the vulnerability and serves to raise awareness of the issue; the prototype exploit is published in a public GitHub repository.
On a related note, Barracuda Networks recently disclosed a separate vulnerability in its Email Security Gateway (ESG) appliances. These devices were compromised through a 0-day vulnerability, tracked as CVE-2023-7102, in the Spreadsheet::ParseExcel module that the appliance uses to parse Excel email attachments.
Barracuda Networks discovered the vulnerability while analysing an attack targeting its ESG appliances; the attack aimed to deploy malware on the affected devices. To exploit the flaw, an attacker only needed to send an email carrying a specially crafted attachment.
Barracuda ESG users should address this vulnerability promptly. Further information is available on the official Barracuda website. The mitigation is to update the affected system so that it carries the latest, patched version of the Spreadsheet::ParseExcel module.