CISA flags up actively exploited Google Chrome and Excel flaws

CISA's directive gives federal agencies until 23rd January to implement measures against these vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalogue to include two actively exploited flaws, one in Google Chrome and one in an open-source Perl library.

These vulnerabilities, if left unaddressed, pose significant cybersecurity risks to users and organisations, the agency warned.

The first vulnerability, identified as CVE-2023-7024, is a heap buffer overflow issue in Google Chrome's WebRTC.

Discovered by Vlad Stolyarov and Clément Lecigne of Google's Threat Analysis Group (TAG) on 19th December 2023, this zero-day vulnerability was promptly reported and fixed within a day.

Google released an emergency update to patch the flaw, indicating its severity.

The required fixes were incorporated into Windows versions 120.0.6099.129/130 and Mac and Linux version 120.0.6099.129.

"Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to cause crashes or code execution," CISA said in its advisory.

It emphasised that web browsers using WebRTC, including but not limited to Google Chrome, could be affected by this vulnerability.

Second vulnerability

The second vulnerability, designated as CVE-2023-7101, is a remote code execution flaw affecting version 0.65 and older of the Spreadsheet::ParseExcel library.

Spreadsheet::ParseExcel is a library designed for general-purpose use, facilitating data import/export operations on Excel files, running analysis, and executing automation scripts. Additionally, the product offers a compatibility layer specifically tailored for processing Excel files in Perl-based web applications.

According to CISA's description of the flaw, Spreadsheet::ParseExcel contains a remote code execution vulnerability that results from passing unvalidated input taken from a file into a string-type "eval" function.

"Specifically, the issue stems from the evaluation of number format strings within the Excel parsing logic," it added.
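As an added illustration, not Spreadsheet::ParseExcel's own code (the article does not show the library's internals), the Perl below contrasts the bug shape CISA describes, a file-supplied number format string spliced into a string eval, with a formatter that validates the string against a whitelist and never evals it. The function names and the sample format strings are constructed for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Shape to avoid (hypothetical): text taken from the workbook is spliced into
# Perl source and handed to string eval, so whoever wrote the file decides
# what code runs. This is the pattern behind the flaw CISA describes.
sub format_number_unsafe {
    my ($fmt, $val) = @_;
    my $code = "sprintf('$fmt', \$val)";   # file-controlled text becomes code
    my $out  = eval $code;                  # string eval: never do this with file input
    die "format error: $@" if $@;
    return $out;
}

# Hardened shape: no eval at all. The format string must match a strict
# whitelist (digit placeholders, thousands separator, decimal point, percent)
# and is then interpreted by ordinary code that only understands those tokens.
sub format_number_safe {
    my ($fmt, $val) = @_;
    return undef unless $fmt =~ /\A[#0,]*(?:\.([0#]+))?(%?)\z/;
    my $decimals = defined $1 ? length $1 : 0;
    my $percent  = $2 eq '%';
    my $grouped  = index($fmt, ',') >= 0;

    $val *= 100 if $percent;
    my $s = sprintf("%.${decimals}f", $val);
    if ($grouped) {
        my ($int, $frac) = split /\./, $s, 2;
        1 while $int =~ s/^(-?\d+)(\d{3})/$1,$2/;   # insert thousands separators
        $s = defined $frac ? "$int.$frac" : $int;
    }
    return $percent ? "$s%" : $s;
}

# Constructed inputs: two ordinary formats and one that uses Excel features the
# whitelist does not cover, which is rejected rather than interpreted.
for my $fmt ('#,##0.00', '0%', '0.00;[Red]-0.00') {
    my $r = format_number_safe($fmt, 1234.5);
    printf "%-18s -> %s\n", $fmt, defined $r ? $r : 'REJECTED (not a whitelisted format)';
}
```

Rejecting anything outside the whitelist is the point: a formatter that only understands a fixed grammar has no way to turn file contents into executable code.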

One prominent victim of this exploit is Barracuda's Email Security Gateway (ESG), which was compromised in late December by Chinese hackers identified as UNC4841.

The attackers used the vulnerability to deploy SeaSpy and Saltwater malware on the compromised systems.

Barracuda, in collaboration with cybersecurity firm Mandiant, took immediate action upon discovering the attack, implementing mitigations for ESG on 20th December.

Furthermore, a security update addressing CVE-2023-7101 was released on 29th December 2023, with Spreadsheet::ParseExcel version 0.66.

Recognising the severity of these vulnerabilities, CISA's new directive has given US Federal Civilian Executive Branch (FCEB) agencies until 23rd January to implement measures to protect their devices against these vulnerabilities.

The directive gives federal agencies clear instructions to mitigate the two issues by following the respective vendors' guidance or by discontinuing use of the vulnerable products.

As per the binding operational directive (BOD 22-01) issued in November 2021, federal agencies are required to identify and address all security vulnerabilities listed in CISA's KEV catalogue.

BOD 22-01 is only applicable to FCEB agencies, but CISA advises that organisations should prioritise remediating the vulnerabilities listed in the catalogue as part of their overall security strategy.