[CDP-development] TLP:GREEN (Vulnerability Alert Notification) - CVE-2023-7101 Spreadsheet::ParseExcel Remote Code Execution Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Jan 3 10:03:15 PST 2024
Good morning,
The SOC Services team is reporting on the vulnerability: CVE-2023-7101: Spreadsheet::ParseExcel Remote Code Execution Vulnerability. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On January 2, 2024, CISA added CVE-2023-7101: Spreadsheet::ParseExcel Remote Code Execution Vulnerability to the Known Exploited Vulnerabilities catalog. Currently, CVE-2023-7101 has not been assigned a CVSS score.
Ubuntu vulnerability status by release:
* Trusty - Ignored (End of standard support)
* Xenial - Needs triage
* Bionic - Needs triage
* Focal - Needs triage
* Jammy - Needs triage
* Lunar - Needs triage
* Mantic - Needs triage
* Upstream - Released (0.600-4)
Red Hat has not updated their bug status for CVE-2023-7101 since December 25, 2023. The last status shows all Red Hat versions being vulnerable.
SUSE has an extensive list of products that are affected. Please refer to this link for patching information: https://www.suse.com/security/cve/CVE-2023-7101.html
Debian vulnerability status by release for libspreadsheet-parsexcel-perl source package:
* buster 0.6500-1 - Vulnerable
* buster (security) 0.6500-1+deb10u1 - Fixed
* bullseye 0.6500-1.1 - Vulnerable
* bullseye (security) 0.6500-1.1+deb11u1 - Fixed
* bookworm 0.6500-3 - Vulnerable
* bookworm (security) 0.6500-4~deb12u1 - Fixed
* sid, trixie 0.6600-1 - Fixed
Patching information is vendor-specific; please refer to vendor documentation for patching. Please be aware that the above list is not comprehensive and does not include all vendors.
https://ubuntu.com/security/CVE-2023-7101
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2023-7101
https://www.suse.com/security/cve/CVE-2023-7101.html
https://security-tracker.debian.org/tracker/CVE-2023-7101
Intelligence: As of January 3, 2024, the vulnerability has been confirmed as being exploited in the wild.
Workarounds: Workarounds are vendor-specific; please refer to vendor documentation for possible workarounds.
How it works: Spreadsheet::ParseExcel contains a vulnerability that can allow for arbitrary code execution due to an unchecked incorporation of input from a file into a string-type "eval". The specific issue lies in the evaluation of Number format strings, distinct from printf-style format strings, within the Excel parsing logic.
Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could execute arbitrary code.
As of January 3, 2024, Tenable has not released any plugins for the vulnerability and has no plugins in the pipeline.
Recommended Actions:
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."