CISA Warns of Exploited Vulnerabilities in Chrome and Excel Parsing Library
By Waqas
CISA Urges Swift Action as Two Critical Vulnerabilities Emerge.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent notice to federal agencies, setting a deadline of January 23 for mitigation efforts.
The Cybersecurity and Infrastructure Security Agency (CISA) has identified and added two significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. The vulnerabilities in question involve a recently patched flaw within Google Chrome and a bug affecting the open-source Perl library “Spreadsheet::ParseExcel,” designed for reading information in Excel files.
The specific vulnerabilities are as follows:
- CVE-2023-7024: Google Chromium WebRTC Heap Buffer Overflow Vulnerability
- CVE-2023-7101: Spreadsheet::ParseExcel Remote Code Execution Vulnerability
**CVE-2023-7024**
CVE-2023-7024 was a critical vulnerability in the WebRTC component of Google Chrome, discovered in December 2023. A specially crafted HTML page could trigger a heap buffer overflow, which an attacker could potentially use to gain control of a victim’s computer.
Google patched the vulnerability in December 2023, and it is no longer considered a threat for users who have updated Chrome to the patched version. Keeping the browser and other software up to date nonetheless remains important for protection against future vulnerabilities.
**CVE-2023-7101**
CVE-2023-7101 is a critical vulnerability affecting Spreadsheet::ParseExcel, a Perl module used for parsing Excel files. It exposes a remote code execution (RCE) risk, allowing attackers to potentially take control of a vulnerable system through specially crafted Excel files.
The vulnerability allows attackers to deliver a malicious Excel file to a vulnerable system. It can also be exploited via the evaluation of Number format strings, leading to arbitrary code execution on the system. This could allow attackers to steal sensitive data (passwords, personal information, etc.), install malware, disrupt system operations, and take complete control of the affected system.
Systems running software that depends on Spreadsheet::ParseExcel version 0.65 are currently exposed to this risk. Because the module is used by various applications and frameworks written in Perl, a broad range of systems may be affected.
A patched version, 0.66, has been released by Metacpan to address the vulnerability, and users are strongly advised to update to it promptly. Where immediate updating is not feasible, mitigations such as restricting file uploads or disabling the functionality that relies on Spreadsheet::ParseExcel are recommended.
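Before choosing between upgrading and disabling the module, a defender first has to find every Perl deployment that pins an affected release. As an added example (not code from the article, CISA, or the Spreadsheet::ParseExcel project), the following Python scans a carton-style cpanfile.snapshot for Spreadsheet::ParseExcel and reports any version below the patched 0.66; the snapshot text is constructed, the A/AU/AUTHOR upload path is a placeholder, and the comparison assumes plain decimal Perl version numbers such as 0.65.

```python
"""Added example: flag cpanfile.snapshot entries that pin Spreadsheet::ParseExcel
below the 0.66 release that fixes CVE-2023-7101 (versions and CVE from the article)."""

from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

AFFECTED_MODULE = "Spreadsheet::ParseExcel"
FIXED_VERSION = "0.66"  # first release carrying the fix, per the advisory

# Constructed sample snapshot in carton's format. The author/path segment
# A/AU/AUTHOR is a placeholder, not a real CPAN upload path.
SAMPLE_SNAPSHOT = """\
# carton snapshot format: version 1.0
DISTRIBUTIONS
  Amavis-Frontend-1.2
    pathname: A/AU/AUTHOR/Amavis-Frontend-1.2.tar.gz
    provides:
      Amavis::Frontend 1.2
    requirements:
      Spreadsheet::ParseExcel 0.65
  Spreadsheet-ParseExcel-0.65
    pathname: A/AU/AUTHOR/Spreadsheet-ParseExcel-0.65.tar.gz
    provides:
      Spreadsheet::ParseExcel 0.65
      Spreadsheet::ParseExcel::Cell 0.65
      Spreadsheet::ParseExcel::FmtDefault 0.65
    requirements:
      IO::Scalar 0
      OLE::Storage_Lite 0.19
"""


def parse_provides(snapshot: str) -> Dict[str, str]:
    """Return {module: version} for every module listed under a `provides:` block.

    In the snapshot, distribution names sit at indent 2, their keys
    (pathname/provides/requirements) at indent 4, and the module lines under
    a key at indent 6. Any line at indent 4 or less therefore ends the current
    provides block.
    """
    provided: Dict[str, str] = {}
    in_provides = False
    for raw in snapshot.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent <= 4:
            in_provides = line == "provides:"
            continue
        if in_provides:
            parts = line.split()
            if len(parts) == 2:  # "Module::Name version"
                provided[parts[0]] = parts[1]
    return provided


def is_older(version: str, fixed: str) -> bool:
    """Compare two decimal-style Perl versions (0.65 < 0.66).

    Dotted-decimal forms such as v1.2.3 are not handled here and raise so the
    caller does not silently treat them as safe.
    """
    try:
        return Decimal(version) < Decimal(fixed)
    except InvalidOperation as exc:
        raise ValueError(f"unsupported version string: {version!r}") from exc


def find_vulnerable(snapshot: str) -> List[Tuple[str, str]]:
    """Return (module, version) pairs whose pinned Spreadsheet::ParseExcel is below the fix.

    Only the top-level module is reported; the ::Cell and other submodules
    ship in the same distribution and carry the same version.
    """
    findings: List[Tuple[str, str]] = []
    for module, version in parse_provides(snapshot).items():
        if module == AFFECTED_MODULE and is_older(version, FIXED_VERSION):
            findings.append((module, version))
    return findings


if __name__ == "__main__":
    for module, version in find_vulnerable(SAMPLE_SNAPSHOT):
        print(f"AFFECTED: {module} {version} (fixed in {FIXED_VERSION})")
```

The scan covers only dependencies managed through a snapshot; a system-wide installation is checked directly with `perl -MSpreadsheet::ParseExcel -e 'print $Spreadsheet::ParseExcel::VERSION'`, and appliances that bundle the module (such as the Barracuda products mentioned below) need the vendor's own patch rather than a CPAN update.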
Under the notice, federal agencies have until January 23 to follow vendor guidelines for resolving these vulnerabilities or to cease using the affected products.
For insights into the CVE-2023-7101 vulnerability, we reached out to Mr. Aubrey Perin, Lead Threat Intelligence Analyst at Qualys Threat Research Unit, who told Hackread.com that, “CVE-2023-7101 is a Perl library vulnerability that has gained notable traction, evidenced by its usage in appliances by network and email security firm Barracuda.”
“Businesses are advised to thoroughly assess their environments for instances of ‘Spreadsheet::ParseExcel’ requiring updates or removal,” Aubrey advised. “Barracuda’s observations indicate that Chinese threat actors utilized this vulnerability to deploy malware. With the vulnerability now public, there is a heightened risk of ransomware threat actors leveraging it for their malicious tooling,” Aubrey warned.