CISA Updates Known Exploited Vulnerabilities Catalog with Chrome and Perl Library Flaws

January 3, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with two new entries.

The first vulnerability, CVE-2023-7024, is a Heap buffer overflow issue in WebRTC, reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group on December 19, 2023. Google promptly patched the zero-day vulnerability within a day. The discovery of this vulnerability by Google TAG indicates that it was likely exploited by either a nation-state actor or a surveillance firm.

The second vulnerability, CVE-2023-7101, is a Spreadsheet::ParseExcel Remote Code Execution Vulnerability. This flaw arises from the evaluation of Number format strings within the Excel parsing logic. Network and email cybersecurity firm Barracuda released security updates to address a related zero-day vulnerability, tracked as CVE-2023-7102, in Email Security Gateway (ESG) appliances on December 21.

The Chinese hacker group UNC4841 has actively exploited this vulnerability. The root cause of the problem lies in the Spreadsheet::ParseExcel third-party library used by the Amavis virus scanner that runs on Barracuda ESG appliances. An attacker can exploit this vulnerability to execute arbitrary code on vulnerable ESG appliances through parameter injection. Barracuda has also reported CVE-2023-7101 for a vulnerability in the open-source library, which is used in several products of multiple organizations. As of now, this issue remains unaddressed.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies are required to fix the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also advise private organizations to review the Catalog and address the vulnerabilities in their infrastructure. CISA has mandated federal agencies to patch these vulnerabilities by January 23, 2024.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.