Saturday, May 18, 2024

CISA warns of actively exploited bugs in Chrome and Excel parsing library


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to the Known Exploited Vulnerabilities catalog: a recently patched flaw in Google Chrome and a bug affecting Spreadsheet::ParseExcel, an open-source Perl library for reading information in Excel files.

America’s cyber defense agency has given federal agencies until January 23 to mitigate the two security issues, tracked as CVE-2023-7024 and CVE-2023-7101, according to vendor instructions, or to stop using the vulnerable products.

Spreadsheet::ParseExcel RCE

The first issue that CISA added to its Known Exploited Vulnerabilities (KEV) catalog is CVE-2023-7101, a remote code execution vulnerability that affects versions 0.65 and older of the Spreadsheet::ParseExcel library.

“Spreadsheet::ParseExcel contains a remote code execution vulnerability due to passing unvalidated input from a file into a string-type “eval.” Specifically, the issue stems from the evaluation of Number format strings within the Excel parsing logic,” reads CISA’s description of the flaw.

Spreadsheet::ParseExcel is a general-purpose library that allows data import/export operations on Excel files, as well as running analysis and automation scripts. The product also provides a compatibility layer for Excel file processing in Perl-based web apps.

One product using the open-source library is Barracuda ESG (Email Security Gateway), which was targeted in late December by Chinese hackers who exploited CVE-2023-7101 in Spreadsheet::ParseExcel to compromise appliances.

In collaboration with cybersecurity firm Mandiant, Barracuda assesses that the threat actor behind the attacks is UNC4841, who leveraged the flaw to deploy ‘SeaSpy’ and ‘Saltwater’ malware.

Barracuda applied mitigations for ESG on December 20, and a security update that addressed CVE-2023-7101 was made available on December 29, 2023, with Spreadsheet::ParseExcel version 0.66.
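To act on the version boundary described above (0.65 and older affected, 0.66 fixed), the following added example, which is not code from the article, CISA or the library's maintainers, inventories copies of the module on disk, including vendored ones, and flags old versions. It assumes the module declares `$VERSION` as a literal and uses `/usr` and `/opt` only as placeholder default search roots.

```python
"""Inventory copies of Spreadsheet::ParseExcel and flag versions below 0.66."""
import os
import re
import sys
from decimal import Decimal

FIXED = Decimal("0.66")  # release that addressed CVE-2023-7101, per the article
MODULE_PATH = os.path.join("Spreadsheet", "ParseExcel.pm")
# Assumption: the version is declared as a literal, e.g. our $VERSION = '0.65';
VERSION_RE = re.compile(r"^\s*(?:our\s+)?\$VERSION\s*=\s*['\"]?(\d+(?:\.[\d_]+)?)", re.M)


def read_version(pm_file):
    """Return the declared version as a Decimal, or None. The file is only read, never loaded."""
    try:
        with open(pm_file, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read())
    except OSError:
        return None
    # Perl decimal versions compare numerically; underscores mark developer releases.
    return Decimal(match.group(1).replace("_", "")) if match else None


def scan(roots):
    """Walk each root and return (path, version, status) tuples sorted by path."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            candidate = os.path.join(dirpath, "ParseExcel.pm")
            if "ParseExcel.pm" not in files or not candidate.endswith(MODULE_PATH):
                continue
            version = read_version(candidate)
            if version is None:
                status = "UNKNOWN"      # no parsable version: review by hand
            elif version < FIXED:
                status = "VULNERABLE"   # 0.65 and older
            else:
                status = "OK"
            findings.append((candidate, version, status))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    results = scan(sys.argv[1:] or ["/usr", "/opt"])  # placeholder default roots
    for path, version, status in results:
        shown = "?" if version is None else str(version)
        print(f"{status:10} {shown:8} {path}")
    sys.exit(1 if any(status != "OK" for _, _, status in results) else 0)
```

Pass the directories to search as arguments; the exit status is non-zero when any copy is flagged or cannot be versioned.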

Google Chrome buffer overflow

The latest actively exploited vulnerability added to KEV is CVE-2023-7024, a heap buffer overflow issue in WebRTC in the Google Chrome web browser.

“Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to cause crashes or code execution,” reads CISA’s summary of the flaw.

“This vulnerability could impact web browsers using WebRTC, including but not limited to Google Chrome,” the agency adds.

The flaw was discovered by Google’s Threat Analysis Group (TAG) and received a fix via an emergency update on December 20, in versions 120.0.6099.129/130 for Windows and 120.0.6099.129 for Mac and Linux.

This was the eighth zero-day vulnerability Google fixed in Chrome for 2023, underscoring the persistent time and effort hackers devote to finding and exploiting flaws in the widely used web browser.

CISA’s KEV catalog is a valuable resource for organizations across the globe that aim at better vulnerability management and prioritization.


