The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog: a recently patched flaw in Google Chrome and a bug in Spreadsheet::ParseExcel, an open-source Perl library for reading data from Excel files.
The agency has given federal agencies until January 23 to mitigate the two security issues, tracked as CVE-2023-7024 and CVE-2023-7101, according to vendor instructions, or to stop using the vulnerable products.
Spreadsheet::ParseExcel RCE
The first issue CISA added to the Known Exploited Vulnerabilities (KEV) catalog is CVE-2023-7101, a remote code execution vulnerability that affects versions 0.65 and older of the Spreadsheet::ParseExcel library.
"Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type 'eval'. Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic," reads CISA's description of the flaw.
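To make the mechanism CISA describes concrete, here is an added illustration of the bug class. It is not code from Spreadsheet::ParseExcel itself: the function names, the reduced "0.00"-style format grammar and the sample format strings are assumptions constructed for this demo. It shows a number formatter that interpolates file-supplied format text into a string handed to Perl's string-form `eval`, how a hostile format escapes the generated string and runs as code, and a hardened version that never turns file content into Perl source.

```perl
#!/usr/bin/perl
# Added illustration of the bug class behind CVE-2023-7101. This is NOT
# Spreadsheet::ParseExcel's own code: the function names and the tiny
# "0.00"-style format grammar are simplifications chosen for the demo.
use strict;
use warnings;

# Vulnerable pattern: the number-format string read from the workbook is
# turned into Perl source text and handed to the string form of eval.
# Nothing checks that the text contains only format characters.
sub format_number_unsafe {
    my ($number, $fmt) = @_;

    # Minimal "Excel format -> sprintf pattern" translation: "0.00" -> "%.2f".
    # Anything else in $fmt is copied through verbatim (Excel formats may carry
    # literal text, so a real translator has to tolerate unknown characters).
    my $pattern = $fmt;
    $pattern =~ s/0\.(0+)/'%.' . length($1) . 'f'/ge;

    # The untrusted text now sits inside generated code. A format string that
    # contains a double quote escapes the literal and becomes arbitrary Perl.
    my $code   = qq{sprintf("$pattern", \$number)};
    my $result = eval $code;
    die "eval failed: $@" if $@;
    return $result;
}

# Hardened pattern: accept only the shapes we understand, derive the precision
# as an integer, and call sprintf directly. No Perl source is ever generated
# from file content, so there is nothing to inject into.
sub format_number_safe {
    my ($number, $fmt) = @_;
    if ($fmt =~ /\A0(?:\.(0+))?\z/) {
        my $decimals = defined $1 ? length($1) : 0;
        return sprintf('%.*f', $decimals, $number);
    }
    die "unsupported number format: $fmt\n";
}

my $value = 3.14159;

# Constructed inputs: a normal cell format and a hostile one.
my $legit   = '0.00';
my $hostile = '0.00", $number); $main::injected = 1; sprintf("0.00';
# After translation the hostile string becomes
#   %.2f", $number); $main::injected = 1; sprintf("%.2f
# so the generated code is
#   sprintf("%.2f", $number); $main::injected = 1; sprintf("%.2f", $number)
# and the middle statement runs with the parser's privileges.

$main::injected = 0;
print "unsafe, legit format:   ", format_number_unsafe($value, $legit),   "\n";
print "unsafe, hostile format: ", format_number_unsafe($value, $hostile), "\n";
print "code from the file ran? ", ($main::injected ? "yes" : "no"), "\n";

print "safe, legit format:     ", format_number_safe($value, $legit), "\n";
my $ok = eval { format_number_safe($value, $hostile); 1 };
print "safe, hostile format:   ", ($ok ? "accepted\n" : "rejected: $@");
```

Run with `perl`: the unsafe path reports that code from the file ran, while the hardened path rejects the same input. The hardened half shows the general remedy (validate against an allowlist, never evaluate file-derived strings) and is not a description of the exact change shipped in 0.66. To check an installed copy, `perl -MSpreadsheet::ParseExcel -e 'print "$Spreadsheet::ParseExcel::VERSION\n"'` prints the version; anything at or below 0.65 is affected.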
Spreadsheet::ParseExcel is a general-purpose library that enables data import/export operations on Excel files and running analysis and automation scripts against them. The library also provides a compatibility layer for Excel file processing in Perl-based web applications.
One product that uses the open-source library is Barracuda ESG (Email Security Gateway), which was targeted in late December by Chinese hackers who exploited CVE-2023-7101 in Spreadsheet::ParseExcel to compromise appliances.
In collaboration with cybersecurity firm Mandiant, Barracuda assesses that the threat actor behind the attacks is UNC4841, which leveraged the flaw to deploy the 'SeaSpy' and 'Saltwater' malware.
Barracuda applied mitigations for ESG on December 20, and a security update that addressed CVE-2023-7101 was made available on December 29, 2023, with Spreadsheet::ParseExcel version 0.66.
Google Chrome buffer overflow
The most recent actively exploited vulnerability added to KEV is CVE-2023-7024, a heap buffer overflow issue in WebRTC in the Google Chrome web browser.
"Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to cause crashes or code execution," reads CISA's summary of the flaw.
"This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome," the agency adds.
The flaw was discovered by Google's Threat Analysis Group (TAG) and received a fix through an emergency update on December 20, in versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux.
This was the eighth zero-day vulnerability Google fixed in Chrome in 2023, underscoring the persistent time and effort attackers commit to finding and exploiting flaws in the widely used web browser.
CISA's KEV catalog is a valuable resource for organizations across the globe that aim at better vulnerability management and prioritization.