CISA has added two additional vulnerabilities to its Known Exploited Vulnerabilities Catalog for January 2024. The two additions have been made following evidence of active ongoing exploitation. The vulnerabilities are identified as Google Chromium WebRTC Heap Buffer Overflow Vulnerability (CVE-2023-7024) and Spreadsheet::ParseExcel Remote Code Execution Vulnerability (CVE-2023-7101).
In December 2023 Google also released an urgent update to fix the vulnerability known as CVE-2023-7024, which has been actively exploited in the wild. This is the eighth zero-day vulnerability for the Chromium-based web browsers in 2023.
CVE-2023-7024: Google Chromium WebRTC Heap Buffer Overflow
Google Chromium WebRTC Heap Buffer Overflow or CVE-2023-7024 is a heap-based buffer overflow vulnerability in the open-source WebRTC framework. It’s a high-severity vulnerability that allows remote code execution within the browser’s WebRTC.
WebRTC is an open-source project with strong backing from the top browser manufacturers that allows real-time communication over APIs. Google reported that the vulnerability, known as CVE-2023-7024, is a serious heap buffer overflow bug in the WebRTC module of Chrome that permits remote code execution (RCE).
The vulnerability was reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group on December 19, 2023. According to the researchers, the vulnerability was exploited in the wild before patches were released.
By exploiting the vulnerability, the threat actor can gain control of a user’s computer through malicious websites or via methods of phishing.
Furthermore, obtaining RCE throughout the rendering process poses a danger of exploitation. This implies that, outside of the JavaScript sandbox, a threat actor can execute any binary code on the user’s computer.
To be genuinely hazardous, the flaw must be used in conjunction with a sandbox escape vulnerability in either Chrome or the operating system. Actual damage, however, depends on utilizing the defect as the initial step in an attack chain.
Because of Chrome’s multiprocess architecture, this code is still sandboxed, thus even with this vulnerability, an attacker cannot access the user’s files or begin distributing malware, and when the affected tab is closed, their access to the computer is lost.
With a few minor exceptions, Chrome’s Site Isolation feature will generally protect data from other websites, preventing an attacker from accessing the victim’s financial information.
User consent is not required for access to WebRTC itself, but it is for access to the microphone or camera. Due to this, the threat becomes destructive because it’s likely that any website might exploit this vulnerability without requiring any input from the user other than accessing the infected page.
CVE-2023-7101: Spreadsheet::ParseExcel Remote Code Execution
Spreadsheet::ParseExcel version 0.65, a Perl module designed for parsing Excel files, contains a vulnerability that can lead to arbitrary code execution (ACE). This vulnerability arises from the unchecked incorporation of input from a file into a string-type “eval.” The specific issue lies in the evaluation of Number format strings, distinct from printf-style format strings, within the Excel parsing logic.
The vulnerability is categorized as “Improper Neutralization of Directives in Dynamically Evaluated Code” (Eval Injection) according to the Common Weakness Enumeration (CWE). CWE offers a framework for identifying and classifying weaknesses, providing detailed information on preventive measures during the development phase.
As of the latest update, there is no available patch or update to address CVE-2023-7101 in the open-source library. Organizations incorporating Spreadsheet::ParseExcel in their products or services are advised to assess CVE-2023-7101 and promptly implement necessary remediation measures until a patch becomes available.
The status of CVE-2023-7101 being employed in ransomware campaigns remains uncertain, as there is currently no definitive information available regarding its utilization in such malicious activities.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.