Mailing List Archive

Spreadsheet::Excel ?
Hi,

Barracuda recently announced they've identified a vulnerability in the
Spreadsheet::Excel library used by amavis in their appliances. I didn't
realize they were still using amavis and open source (and presumably
spamassassin?).
https://www.barracuda.com/company/legal/esg-vulnerability

I don't have this library on my system - is there a plugin that enables
parsing of Excel spreadsheets for malicious code? I realize there is the
ExtractText plugin, and although it doesn't actually work to identify any
potentially malicious code within an Excel file, it does look to be much
more comprehensive and capable.

https://www.techtarget.com/searchsecurity/news/366564654/Another-Barracuda-ESG-zero-day-flaw-exploited-in-the-wild
Re: Spreadsheet::Excel ?
Alex wrote on 2023-12-29 14:41:
> Hi,
>
> Barracuda recently announced they've identified a vulnerability in the
> Spreadsheet::Excel library used by amavis in their appliances. I
> didn't realize they were still using amavis and open source (and
> presumably spamassassin?).
> https://www.barracuda.com/company/legal/esg-vulnerability

this link provides YARA rules that can be used in the clamav database dir

> I don't have this library on my system - is there a plugin that
> enables parsing of Excel spreadsheets for malicious code? I realize
> there is the ExtractText plugin, and although it doesn't actually work
> to identify any potentially malicious code within an Excel file, it
> does look to be much more comprehensive and capable.
>
> https://www.techtarget.com/searchsecurity/news/366564654/Another-Barracuda-ESG-zero-day-flaw-exploited-in-the-wild

amavisd can block xls files, if not wanted

a more long-term solution is to add the malware to clamav if possible, sadly not
easy :/

test the malware on virustotal.com and hope av vendors add it to their
databases of malware, sadly clamav doesn't get it :/
Re: Spreadsheet::Excel ?
On 2023-12-29 at 08:41:23 UTC-0500 (Fri, 29 Dec 2023 08:41:23 -0500)
Alex <mysqlstudent@gmail.com>
is rumored to have said:

> Hi,
>
> Barracuda recently announced they've identified a vulnerability in the
> Spreadsheet::Excel library used by amavis in their appliances. I
> didn't realize they were still using amavis and open source (and
> presumably spamassassin?).
> https://www.barracuda.com/company/legal/esg-vulnerability

Barracuda has never been entirely open about their components, but they
started as a very typical Postfix/Amavis/SpamAssassin/ClamAV rig.

> I don't have this library on my system - is there a plugin that
> enables parsing of Excel spreadsheets for malicious code?

The OLEVBMacro plugin exists. It does not use Spreadsheet::Excel. Malice
is out of scope, but since mailing around MS files with macros has never
been a good idea, discriminating between malice or sheer blinding
stupidity is non-critical.

In my experience it has been workable to just reject mail with .xls and
.xlsx attachments by default at any Internet-facing MX. 20+ years of
warnings about how reckless it is to share MS documents ought to suffice
for anyone.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
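
Added example, not part of the thread and not amavisd or SpamAssassin code: a Python check for the policy discussed above (refusing .xls and .xlsx attachments). It goes beyond the thread by also inspecting content, so a workbook with a renamed extension is still flagged. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# OLE2 container signature: legacy .xls, but also .doc/.ppt/.msi files
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
BLOCKED_EXT = (".xls", ".xlsx")

def classify(filename, payload):
    """Return why a MIME part looks like an Excel file, or None."""
    if (filename or "").lower().endswith(BLOCKED_EXT):
        return "extension"
    if payload.startswith(OLE2_MAGIC):
        return "ole2-magic"
    if payload.startswith(b"PK\x03\x04"):  # ZIP container, possibly OOXML
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as z:
                if any(n.startswith("xl/") for n in z.namelist()):
                    return "ooxml-workbook"
        except zipfile.BadZipFile:
            pass  # not a readable ZIP; leave it to other scanners
    return None

def excel_attachments(raw):
    """List (filename, reason) for every leaf part that looks like Excel."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        reason = classify(part.get_filename(), payload)
        if reason:
            hits.append((part.get_filename(), reason))
    return hits

def build_sample():
    """Constructed message: renamed OLE2 file, .XLSX name, plain text."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("body")
    m.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                     subtype="octet-stream", filename="invoice.dat")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="report.XLSX")
    m.add_attachment("hello", filename="notes.txt")
    return m.as_bytes()
```

The `ole2-magic` reason matches any OLE2 compound file, not only Excel, so a policy built on it also catches legacy Word and PowerPoint documents.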