The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to the Known Exploited Vulnerabilities catalog, a recently patched flaw in Google Chrome and a bug affecting an open-source Perl library for reading information in an Excel file called Spreadsheet::ParseExcel.
America’s cyber defense agency has given federal agencies until January 23 to mitigate the two security issues tracked as CVE-2023-7024 and CVE-2023-7101 according to vendor instructions or to stop using the vulnerable products.
Spreadsheet::ParseExcel RCE
The first issue that CISA added to its Known Exploited Vulnerabilities (KEV) is CVE-2023-7101, a remote code execution vulnerability that affects versions 0.65 and older of the Spreadsheet::ParseExcel library.
“Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval.” Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic,” reads CISA’s description of the flaw.
Spreadsheet::ParseExcel is a general-purpose library that allows data import/export operations on Excel files, run analysis and automation scripts. The product also provides a compatibility layer for Excel file processing on Perl-based web apps.
One product using the open-source library is Barracuda ESG (Email Security Gateway), which has been targeted in late December by Chinese hackers who exploited the CVE-2023-7101 in Spreadsheet::ParseExcel to compromise appliances.
In collaboration with cybersecurity firm Mandiant, Barracuda assesses that the threat actor behind the attacks is UNC4841, who leveraged the flaw to deploy ‘SeaSpy’ and ‘Saltwater’ malware.
Barracuda applied mitigations for ESG on December 20, and a security update that addressed CVE-2023-7101 was made available on December 29, 2023, with Spreadsheet::ParseExcel version 0.66.
Google Chrome buffer overflow
The latest actively exploited vulnerability added to KEV is CVE-2023-7024, a heap buffer overflow issue in WebRTC in Google Chrome web browser.
“Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to cause crashes or code execution,” reads CISA’s summary of the flaw.
“This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome,” the agency adds.
The flaw was discovered by Google’s Threat Analysis Group (TAG) and received a fix via an emergency update on December 20, in versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux.
This was the eighth zero-day vulnerability Google fixed in Chrome for 2023, underscoring the persistent effort and time hackers devote to finding and exploiting flaws in the widely used web browser.
CISA’s KEV catalog is a valuable resource for organizations across the globe that aim at better vulnerability management and prioritization.