Hackers Are Actively Exploiting Security Holes In Chrome And Spreadsheet Parser, CISA Warns

As 2023 closed out, the world of cybersecurity settled just a touch as threat actors and defenders alike went off to celebrate the holidays in a seemingly unspoken Christmas truce. Nothing good lasts forever, though, as the Cybersecurity and Infrastructure Security Agency (CISA) made clear with a New Year update to its Known Exploited Vulnerabilities (KEV) Catalog.

CISA recently published an alert announcing that it had added two vulnerabilities to the KEV Catalog. The first, tracked as CVE-2023-7024, is described as a Google Chromium WebRTC heap buffer overflow. That description is likely gibberish to most readers, so what you need to know is this: the bug was discovered by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group, it was being exploited in the wild before a fix existed, and Google shipped a patched Chrome build within 24 hours of the report, a turnaround reserved for serious bugs. Which threat actors were using it has not been disclosed. Chrome normally updates itself, but anyone who has not restarted the browser since December 20, 2023 should do so, or check chrome://settings/help to force the update.


Beyond that vulnerability, CVE-2023-7101 was also added to the KEV Catalog, and it is another interesting one with a bit more detail. This vulnerability lies in Spreadsheet::ParseExcel, a "Perl module used for parsing Excel files." Versions up to and including 0.65 take number format strings (the Excel cell formats such as 0.00, not printf-style format strings) from the spreadsheet and pass them, unvalidated, into a string-type "eval". Because Perl compiles and runs whatever that string contains, a crafted .xls file can execute arbitrary code with the privileges of whatever process parses it. Proof-of-concept exploits have already been published, and the module is embedded in a wide variety of software, which makes this a concern for many folks, including those running the Barracuda ESG (Email Security Gateway). The ESG, which parses attachments to scan incoming mail, is one of the higher-profile users of Spreadsheet::ParseExcel, and it is where Chinese threat actors were exploiting the flaw.
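To make the bug class concrete, the following is an added illustration, not code from Spreadsheet::ParseExcel or from the CVE write-up, of what "unvalidated input from the file into a string eval" means in Perl, beside a version that treats the format as data. The number-format subset it accepts (a digit template plus an optional quoted literal suffix), the `format_vulnerable` and `format_hardened` names, the `$pwned` flag standing in for a real payload, and the constructed hostile format string are all assumptions for the demonstration; real Excel formats are considerably richer.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Stand-in for an attacker payload: a real exploit would call system() or
# similar; here the injected code only flips a flag so the script is safe to run.
our $pwned = 0;

# Both routines accept an assumed subset of Excel number formats: a digit
# template ('0', '0.00', ...) optionally followed by a quoted literal suffix,
# e.g. '0.00" USD"' formats 42 as '42.00 USD'.

sub format_vulnerable {
    my ($value, $fmt) = @_;
    my ($template, $literal) = $fmt =~ /\A(0(?:\.0+)?)(?:"(.*)")?\z/s
        or die "unsupported number format: $fmt\n";
    my $decimals = ($template =~ /\.(0+)/) ? length($1) : 0;
    $literal //= '';
    # BUG: the quoted literal read from the workbook is pasted into Perl source
    # and compiled with a string eval. A " inside the literal closes the string,
    # and whatever follows it runs as code with the parser's privileges.
    my $code = qq{sprintf("%.${decimals}f", $value) . "$literal"};
    return eval $code;
}

sub format_hardened {
    my ($value, $fmt) = @_;
    # Parse the format as data. The literal may not contain a quote, no Perl
    # source is ever built from file contents, and anything outside the
    # supported subset is rejected, so there is nothing to break out of.
    my ($template, $literal) = $fmt =~ /\A(0(?:\.0+)?)(?:"([^"]*)")?\z/
        or die "unsupported number format: $fmt\n";
    my $decimals = ($template =~ /\.(0+)/) ? length($1) : 0;
    return sprintf('%.*f', $decimals, $value) . ($literal // '');
}

# Constructed inputs: an ordinary format, and one a crafted .xls could carry.
# The hostile string's first " ends the literal the vulnerable routine builds;
# the code after it is then compiled and run by eval.
my $benign  = '0.00" USD"';
my $hostile = '0.00" USD" . do { $::pwned = 1; "" } . "';

print format_vulnerable(42, $benign),  " pwned=$pwned\n";
print format_vulnerable(42, $hostile), " pwned=$pwned\n";

$pwned = 0;
print format_hardened(42, $benign), "\n";
my $out = eval { format_hardened(42, $hostile) };
print defined $out ? "$out\n" : "rejected: $@";
print "pwned=$pwned\n";
```

The vulnerable routine returns the same formatted value for both inputs, which is exactly why this class of bug goes unnoticed: the output looks right while the injected statement has already run and set `$pwned`. The hardened routine produces the same result for the benign format and refuses the hostile one before any code path could execute it. To find out whether a system still carries the affected module, run `perl -MSpreadsheet::ParseExcel -e 'print "$Spreadsheet::ParseExcel::VERSION\n"'`; the fix shipped in version 0.66.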

Thankfully, most software that bundles Spreadsheet::ParseExcel has since patched the problem, Barracuda included, so this is less of a concern than it was. If you maintain anything that parses .xls files with the module, confirm the installed version has the fix rather than assuming a vendor update covered it. Regardless, if you want to check out the living list of Common Vulnerabilities and Exposures (CVEs) that pose a risk to the federal government, you can do so on the CISA KEV Catalog webpage.