Executive Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has recently highlighted two critical exploited vulnerabilities: CVE-2023-7024 and CVE-2023-7101. These vulnerabilities affect a Google Chromium library and a Perl library, both of which are open-source.
CISA added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, giving federal civilian agencies until January 23 to patch them.
Accordingly, It’s vital for users and organisations to promptly update their systems to address these vulnerabilities. This action is key to safeguarding against potential exploits and maintaining robust cybersecurity.
CVE-2023-7024
This vulnerability, found in the Google Chromium WebRTC project, affects Google Chrome. With a CVSS score of 8.8, it enables attackers to cause heap corruption through a crafted HTML page. Consequently, the exploit can lead to malicious code execution.
Lionel Litty, chief security architect at Menlo Security, highlighted the concern regarding the bug, stating that it could be used as part of a multi-part attack process. He mentioned that alone, the vulnerability does not allow an attacker to access user files or deploy malware. Furthermore, the attacker’s foothold on the machine is lost when the affected tab is closed. However, Litty emphasised that this vulnerability can be targeted by any website without requiring user input beyond visiting the malicious page. This makes the threat significant and potentially opens the door for targeting other vulnerabilities.
Google has released an emergency security fix for this issue. Accordingly, users and organisations should update their Chrome browsers immediately.
CVE-2023-7101
This vulnerability affects the Spreadsheet::ParseExcel Perl module, allowing arbitrary code execution through unvalidated input. The CVSS score for this vulnerability was not available at the time of the article’s writing.
Spreadsheet::ParseExcel is a Perl module for reading data from Excel 95-2003 binary files. It offers capabilities for reading and manipulating data in older Excel file formats, with advanced features for formatting, custom data handling, and optimisation for large files.
An updated version 0.66 of Spreadsheet::ParseExcel, addressing this issue, is available. Accordingly, users and organisations should promptly update.
Please note that this vulnerability posed a significant risk to Barracuda’s Email Security Gateway (ESG) appliances. Barracuda identified it with Mandiant’s help and released updates. Mandiant observed espionage activities by China-based threat actors targeting US and Asia-Pacific IT and government sectors since November 2023.
