The Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its list of exploited bugs.
On Tuesday, CISA issued a warning about two vulnerabilities: one that affected Google Chrome and was fixed by the company last month, and the other that concerned the open-source Perl library and was assigned the code CVE-2023-7101.
The government has given federal civilian agencies until January 23 to patch the vulnerabilities, which were added to the Known Exploited Vulnerabilities (KEV) document.
An open-source project called Google Chromium WebRTC, which facilitates real-time communication between web browsers, is impacted by the Google vulnerability. Known as CVE-2023-7024, the flaw enables hackers to crash browsers or assist them in starting other processes. In December, Google issued an urgent security patch to address the vulnerability.
Menlo Security’s chief security architect, Lionel Litty, clarified that the vulnerability is concerning because it might be incorporated into a multi-phase attack procedure. Just by using this vulnerability, an attacker is unable to access a user’s files or begin distributing malware, and when the affected tab is closed, their access to the computer is terminated.
According to Litty, “this vulnerability is significant from a security standpoint because it could be exploited by any website without requiring any user input other than visiting the malicious page.” He also mentioned that the bug could potentially be chained with other vulnerabilities.
The second vulnerability, which was found by researcher Le Dinh Hai within the open-source Perl library, caused considerable concern among experts. The tool is integrated into various systems and enables users to extract data from Excel spreadsheets.
The email and network security company Barracuda announced in late December that the vulnerability affects its products. Together with the security company Mandiant, Barracuda found that Chinese hackers were using the vulnerability to spread malware strains that had already been identified.
According to Austin Larsen, a senior incident response consultant at Mandiant, they discovered a threat actor on December 20 that they named UNC4841. This actor was using the vulnerability “in a limited number of Barracuda ESG [Email Security Gateway] appliances, targeting high-tech, information technology providers and government entities, predominantly based in the US and APAC [Asia-Pacific] regions,” according to Recorded Future News.
“Based on available data, Mandiant surmises that this campaign was started on or around November 30, 2023, as a component of UNC4841’s ongoing espionage activities, infecting affected devices with fresh strains of the SEASPY and SALTWATER backdoor malware.”
Larsen reported that on December 21st and 22nd, “Barracuda promptly addressed the vulnerability and fixed the ESG appliances that might have been compromised by the recently discovered malware variants.”
According to Larsen, the flaw was in the open-source Perl module “Spreadsheet::ParseExcel,” which the appliance uses to check Excel email attachments for malware.
After a target receives an email containing the malicious Excel attachment from UNC4841, the malicious content of the attachment is evaluated as Perl code on the Barracuda ESG appliance due to an underlying vulnerability in the ParseExcel module.
“This actor’s tenacity from the previous UNC4841 campaign is further demonstrated by this latest campaign,” Larsen continued. “In the future, Mandiant believes this threat actor may expand their targeted attack surface to other appliances with a wider variety of exploits.”
Text manipulation is a common use for Perl, an older programming language, according to cybersecurity expert John Bambenek. Although the language has generally lost favour with developers, it was once a mainstay of spam filtering software and is still widely used today, according to Bambenek.
He stated that the threat actors responsible for the exploitation “went way off the beaten path to find a vulnerability in spam filtering software that enabled remote code execution (RCE), making phishing attacks self-executing at the email gateway level.”
As this case illustrates, skilled actors are examining frequently overlooked parts of the tech stack in order to uncover flaws in tools and libraries that defenders may have completely forgotten about.
According to the company, there isn’t a patch or update available to address CVE-2023-7101 in the open-source library. They recommended that other organizations promptly implement the necessary remediation measures in their own products or services.
Other experts pointed out that since CISA added the bug to the KEV catalog without assigning it a vulnerability score, it must have been very concerning to them.
According to John Gallagher of Viakoo Labs, many threat actors, both nation-state and otherwise, are focused on exploiting open-source code.
He said, “That Chinese threat actors used this against Barracuda systems may have just been a matter of timing.”
CISA alerts users to actively exploited flaws
A recently patched Google Chrome vulnerability and an issue affecting Spreadsheet::ParseExcel, an open-source Perl library for reading data from Excel files, have been added to the list of known exploited vulnerabilities by the U.S. Cybersecurity and Infrastructure Security Agency.
The US cyber defense agency has given federal agencies until January 23 to either stop using the vulnerable products or mitigate the two security issues, tracked as CVE-2023-7024 and CVE-2023-7101, according to vendor instructions.
The first vulnerability that CISA added to its list of known exploited vulnerabilities (KEV) is CVE-2023-7101, a remote code execution flaw that impacts the Spreadsheet::ParseExcel library versions 0.65 and below.
The vulnerability in Spreadsheet::ParseExcel is related to passing unvalidated input from a file into a string-type “eval,” which allows for remote code execution. According to CISA’s description of the problem, the problem specifically arises from the Excel parsing logic’s evaluation of Number format strings.
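As an added illustration (not Spreadsheet::ParseExcel’s own code or its actual fix), the hypothetical functions below show the bug class CISA describes here and in the Barracuda account above: a number-format string taken from an untrusted workbook is spliced into a string-type eval, beside a version that treats the format as data. The function and variable names are assumed for the example.

```perl
#!/usr/bin/perl
# Hypothetical illustration of the bug class behind CVE-2023-7101 (not the
# Spreadsheet::ParseExcel code): a number-format string read from an untrusted
# workbook is spliced into a string-type eval. The safe version treats the
# format as data and never builds Perl source from file contents.
use strict;
use warnings;

# UNSAFE (hypothetical): the file-supplied $fmt becomes part of Perl source.
# Any quote or semicolon in $fmt changes the program that eval runs.
sub format_number_unsafe {
    my ($value, $fmt) = @_;
    my $decimals = $fmt =~ /\.([0#]+)/ ? length($1) : 0;
    my $code = "sprintf('%.${decimals}f', $value) . ' [' . '$fmt' . ']'";
    my $out  = eval $code;           # string eval of attacker-influenced text
    return defined $out ? $out : "eval failed: $@";
}

# SAFE: interpret only a whitelisted subset of Excel number formats
# ('0', '#', ',', '.', '%') and fall back to the plain value otherwise.
sub format_number_safe {
    my ($value, $fmt) = @_;
    return "$value" unless defined $fmt && $fmt =~ /\A[0#,.%]+\z/;
    my $percent  = $fmt =~ /%/ ? 1 : 0;
    my $decimals = $fmt =~ /\.([0#]+)/ ? length($1) : 0;
    my $number   = $percent ? $value * 100 : $value;
    my $text     = sprintf('%.*f', $decimals, $number);
    if ($fmt =~ /,/) {               # thousands separator requested
        1 while $text =~ s/^(-?\d+)(\d{3})/$1,$2/;
    }
    return $percent ? "$text%" : $text;
}

# Constructed sample input: one cell value and formats a workbook might carry.
# The last format contains a literal-text section, which the whitelist rejects
# so the value is rendered plainly instead of being interpreted.
my $value = 1234567.891;
for my $fmt ('0.00', '#,##0.00', '0%', q{0.00;"text"}) {
    printf "%-12s -> %s\n", $fmt, format_number_safe($value, $fmt);
}
```

The safe variant deliberately supports fewer formats than Excel defines; the point is that anything outside the whitelist degrades to a plain rendering rather than reaching an interpreter.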
Spreadsheet::ParseExcel is a general-purpose library that enables the execution of automation and analysis scripts as well as data import and export functions on Excel files. Additionally, the product offers a compatibility layer for Perl-based web apps that process Excel files.
Barracuda ESG (Email Security Gateway) is one product that makes use of the open-source library. Chinese hackers targeted it in late December by exploiting the Spreadsheet::ParseExcel vulnerability, CVE-2023-7101, to compromise appliances.
Barracuda determined, in association with cybersecurity firm Mandiant, that UNC4841 is the threat actor responsible for the attacks. UNC4841 exploited the vulnerability to deploy the malware “SeaSpy” and “Saltwater.”
Barracuda deployed ESG mitigations on December 20. On December 29, 2023, Spreadsheet::ParseExcel version 0.66 was released along with a security update that fixed CVE-2023-7101.
The most recent actively exploited vulnerability added to KEV is CVE-2023-7024, a heap buffer overflow problem in WebRTC on the Google Chrome web browser.
A heap buffer overflow vulnerability in Google Chromium WebRTC, an open-source project that enables real-time communication between web browsers, could allow an attacker to cause crashes or even execute code, according to CISA’s description of the vulnerability.
“WebRTC-enabled web browsers, such as Google Chrome, may be affected by this vulnerability,” the organization continues.
Google’s Threat Analysis Group (TAG) found the vulnerability, and on December 20, versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux were released as an emergency update to address it.
This was the eighth zero-day vulnerability that Google patched in Chrome for 2023, highlighting the time and effort that hackers continue to invest in locating and taking advantage of vulnerabilities in the popular web browser.
A useful tool for companies worldwide seeking to improve vulnerability management and prioritization is CISA’s KEV catalog.