CISA Warns of Exploited Vulnerabilities in Chrome and Excel Parsing Library


The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent notice to federal agencies, setting a deadline of January 23 for mitigation efforts.

The Cybersecurity and Infrastructure Security Agency (CISA) has identified and added two significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerabilities in question involve a recently patched flaw within Google Chrome and a bug affecting the open-source Perl library “Spreadsheet::ParseExcel,” designed for reading information in Excel files.

The specific vulnerabilities are as follows:

  1. CVE-2023-7024: Google Chromium WebRTC Heap Buffer Overflow Vulnerability
  2. CVE-2023-7101: Spreadsheet::ParseExcel Remote Code Execution Vulnerability

CVE-2023-7024:

CVE-2023-7024 was a critical vulnerability in the WebRTC component of Google Chrome, discovered in December 2023. It allowed attackers to potentially exploit a heap buffer overflow via a specially crafted HTML page, ultimately gaining control of a victim’s computer.

Google patched the security vulnerability in December 2023 and is no longer considered a threat for users who have updated their Chrome browser to the patched version. However, it’s important to keep your browser and other software up to date to protect yourself from future vulnerabilities.

CVE-2023-7101

CVE-2023-7101 is a critical vulnerability affecting Spreadsheet::ParseExcel, a Perl module used for parsing Excel files. It exposes a remote code execution (RCE) risk, allowing attackers to potentially take control of a vulnerable system through specially crafted Excel files.

The vulnerability allows attackers to upload a malicious Excel file to a vulnerable system. The vulnerability can also be exploited via the evaluation of Number format strings, leading to arbitrary code execution on the system. This could allow attackers to steal sensitive data (passwords, personal information, etc.), install malware, disrupt system operations and take complete control of the affected system.

Users operating systems with software dependent on Spreadsheet::ParseExcel version 0.65 are currently exposed to this security risk. This vulnerability extends its reach to various applications and frameworks developed with Perl, thereby potentially affecting a broad spectrum of systems.

A patched version, 0.66, has been released by Metacpan to address the identified vulnerability. As a precautionary measure, users are strongly advised to promptly update to this patched version. In cases where immediate updating is not feasible, it is recommended to implement mitigating measures such as restricting file uploads or disabling the functionality associated with Spreadsheet::ParseExcel.

CISA has issued an urgent notice to federal agencies, setting a deadline of January 23 for mitigation efforts. Agencies are instructed to follow vendor guidelines for resolving these vulnerabilities promptly or cease the use of the affected products.

For insights into the CVE-2023-7101 vulnerability, we reached out to Mr. Aubrey Perin, Lead Threat Intelligence Analyst at Qualys Threat Research Unit who told Hackread.com that, “CVE-2023-7101 is a Perl library vulnerability that has gained notable traction, evidenced by its usage in appliances by network and email security firm Barracuda.”

“Businesses are advised to thoroughly assess their environments for instances of ‘Spreadsheet::ParseExcel’ requiring updates or removal,” Aubrey advised. “Barracuda’s observations indicate that Chinese threat actors utilized this vulnerability to deploy malware. With the vulnerability now public, there is a heightened risk of ransomware threat actors leveraging it for their malicious tooling,” Aubrey warned.

  1. CISA Offers Recovery Tool for ESXiArgs Ransomware Victims
  2. CISA Publishes List of Free Cybersecurity Tools and Services
  3. FBI and CISA Issue Joint Advisory on Snatch Ransomware Threat
  4. New CISA Advisories Highlight Vulnerabilities in Top ICS Products
  5. CISA Warns of Flaws in Propump, Controls’ Osprey Pump Controller





Source link