{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xlsx/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PhpSpreadsheet"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","phpspreadsheet","xlsx","php"],"_cs_type":"advisory","_cs_vendors":["phpoffice"],"content_html":"\u003cp\u003eA vulnerability exists in PhpSpreadsheet versions 1.x through 5.6.0 where the XLSX reader does not properly validate row numbers read from XML attributes within a spreadsheet file. Specifically, the \u003ccode\u003eColumnAndRowAttributes::readRowAttributes()\u003c/code\u003e method lacks a check against the maximum allowed row number (\u003ccode\u003eAddressRange::MAX_ROW = 1,048,576\u003c/code\u003e). An attacker can exploit this by crafting a minimal XLSX file (approximately 1.6KB) containing a \u003ccode\u003e\u0026lt;row r=\u0026quot;999999999\u0026quot;/\u0026gt;\u003c/code\u003e element. When processed, this inflates the \u003ccode\u003ecachedHighestRow\u003c/code\u003e property, causing subsequent row iteration operations to attempt nearly one billion loop cycles, thereby exhausting CPU resources and leading to a denial-of-service condition. This vulnerability can be exploited in web applications that accept user-uploaded spreadsheet files, making it a significant risk for systems using vulnerable versions of PhpSpreadsheet. The vulnerability was reported in GHSA-7c6m-4442-2x6m.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XLSX file containing an XML \u003ccode\u003e\u0026lt;row\u0026gt;\u003c/code\u003e element with a large \u003ccode\u003er\u003c/code\u003e attribute (e.g., \u003ccode\u003e\u0026lt;row r=\u0026quot;999999999\u0026quot;/\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious XLSX file to a web application or system that uses PhpSpreadsheet to process spreadsheet files.\u003c/li\u003e\n\u003cli\u003eThe PhpSpreadsheet library, specifically the \u003ccode\u003eIOFactory::createReader('Xlsx')\u003c/code\u003e component, is used to read the uploaded file.\u003c/li\u003e\n\u003cli\u003eDuring the parsing process, the \u003ccode\u003eColumnAndRowAttributes::readRowAttributes()\u003c/code\u003e method reads the large row number from the XML attribute.\u003c/li\u003e\n\u003cli\u003eThe large row number is then used to update the \u003ccode\u003ecachedHighestRow\u003c/code\u003e property in the \u003ccode\u003eWorksheet\u003c/code\u003e object, effectively setting it to a very high value.\u003c/li\u003e\n\u003cli\u003eA subsequent operation that iterates over rows using \u003ccode\u003egetRowIterator()\u003c/code\u003e or retrieves the highest row using \u003ccode\u003egetHighestRow()\u003c/code\u003e triggers a loop that iterates up to the inflated \u003ccode\u003ecachedHighestRow\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe excessive number of loop iterations consumes a significant amount of CPU resources, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe application becomes unresponsive or crashes due to the CPU exhaustion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a CPU denial of service. A small, 1.6KB crafted XLSX file can trigger almost one billion iterations, causing the system to become unresponsive for an extended period (estimated at ~144 seconds per file). This impacts any application using \u003ccode\u003egetRowIterator()\u003c/code\u003e or \u003ccode\u003egetHighestRow()\u003c/code\u003e methods, making the system unavailable. Applications processing the spreadsheet may also exhaust memory if they attempt to accumulate data during the iteration process. The high amplification factor (small input leading to massive CPU consumption) makes this vulnerability particularly dangerous, especially in web applications that process user-supplied spreadsheets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by adding row bounds validation in \u003ccode\u003ereadRowAttributes()\u003c/code\u003e to check if \u003ccode\u003e$rowIndex\u003c/code\u003e is within the acceptable range (1 to \u003ccode\u003eAddressRange::MAX_ROW\u003c/code\u003e). This is the primary recommendation from the source advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PhpSpreadsheet Excessive Row Iteration\u003c/code\u003e to detect processes that may be attempting to process XLSX files with extremely high row numbers, indicating a potential exploitation attempt.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious file uploads, specifically XLSX files with unusually small sizes, which might indicate an attempt to upload a malicious file exploiting this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-phpspreadsheet-dos/","summary":"A vulnerability in PhpSpreadsheet exists where a crafted XLSX file containing a large row number can cause excessive CPU consumption due to unbounded loop iterations, leading to a denial of service.","title":"PhpSpreadsheet CPU Denial of Service via Unbounded Row Number","url":"https://feed.craftedsignal.io/briefs/2024-01-03-phpspreadsheet-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Xlsx","version":"https://jsonfeed.org/version/1.1"}