The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with two new entries.
The first, CVE-2023-7024, is a heap buffer overflow in WebRTC, the real-time communication component of Google Chrome and other Chromium-based browsers. It was reported by Clément Lecigne and Vlad Stolyarov of Google's Threat Analysis Group (TAG) on December 19, 2023, and Google shipped a fix the next day (Chrome 120.0.6099.129/.130), confirming that an exploit exists in the wild. TAG's involvement suggests, though it does not prove, that the exploitation was the work of a nation-state actor or a commercial surveillance vendor, the kinds of attackers TAG typically tracks.
The second, CVE-2023-7101, is a remote code execution vulnerability in Spreadsheet::ParseExcel, an open-source Perl module for reading Excel files. The flaw stems from passing an unvalidated Number format string taken from the file into a string-type eval during parsing (these are Excel cell number formats, not printf-style format strings), so a crafted spreadsheet can supply Perl code that the parser compiles and runs. Network and email security firm Barracuda had on December 21 deployed a security update to its Email Security Gateway (ESG) appliances for a related zero-day, tracked as CVE-2023-7102.
UNC4841, a China-nexus threat group, has been actively exploiting CVE-2023-7102. The root cause lies in the Spreadsheet::ParseExcel third-party library used by the Amavis virus scanner that runs on ESG appliances: an attacker who sends an email with a specially crafted Excel attachment can, via parameter injection into the parser, execute arbitrary code on a vulnerable appliance. Barracuda also filed CVE-2023-7101 for the underlying flaw in the open-source library itself, which is used in products from multiple vendors. At the time of this report no fixed release of the library was available; the issue was subsequently fixed upstream in Spreadsheet::ParseExcel 0.66.
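To make the CVE-2023-7101 pattern concrete, the following Perl script is an added illustration written for this article, not Spreadsheet::ParseExcel's own code: a simplified number-format renderer that splices the file-supplied format string into a string eval, beside a hardened version that never compiles file data. The function names and the hostile format string are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative stand-in for a spreadsheet number-format renderer (NOT the
# Spreadsheet::ParseExcel implementation). $fmt is the cell's number format as
# read from the file, which means it is attacker-controlled.

# Turn an Excel-style number format such as '0.00 EUR' into a printf spec ('%.2f EUR').
sub excel_fmt_to_printf {
    my ($fmt) = @_;
    my $decimals = ($fmt =~ /\.(0+)/) ? length($1) : 0;
    (my $spec = $fmt) =~ s/[#0]+(?:\.0+)?/%.${decimals}f/;   # first digit-placeholder run
    return $spec;
}

# VULNERABLE: the file-supplied format is spliced into Perl source text and compiled
# with a string eval. Inside the resulting double-quoted string Perl interpolates
# @{[ ... ]}, so any expression the spreadsheet author puts there runs with the
# parser's privileges (on an appliance, the mail scanner's).
sub render_vulnerable {
    my ($fmt, $value) = @_;
    my $spec   = excel_fmt_to_printf($fmt);
    my $result = eval qq{sprintf("$spec", $value)};
    return defined $result ? $result : "eval failed: $@";
}

# HARDENED: sprintf only ever sees a spec we built ourselves from an integer we
# computed; the literal text of the format is copied into the output as data and is
# never handed to eval or to sprintf as a format.
sub render_safe {
    my ($fmt, $value) = @_;
    my $decimals = ($fmt =~ /\.(0+)/) ? length($1) : 0;
    my $number   = sprintf("%.${decimals}f", $value);
    (my $out = $fmt) =~ s/[#0]+(?:\.0+)?/$number/;
    return $out;
}

# Constructed inputs: a benign format and one carrying a Perl interpolation block.
# The payload only sets a flag so the demo is harmless; a real one could call system().
our $INJECTED = 0;
my $benign  = '0.00 EUR';
my $hostile = '0.00 @{[ $main::INJECTED = 1 ]}';

my $out_benign = render_vulnerable($benign, 1.5);
printf "vulnerable, benign : %s\n", $out_benign;

my $out_hostile = render_vulnerable($hostile, 1.5);
printf "vulnerable, hostile: %s (INJECTED=%d)\n", $out_hostile, $INJECTED;

$INJECTED = 0;
my $out_safe = render_safe($hostile, 1.5);
printf "safe, hostile      : %s (INJECTED=%d)\n", $out_safe, $INJECTED;
```

Run it with `perl`: through the vulnerable path the hostile format flips the flag, because the expression inside `@{[ ... ]}` is evaluated while Perl compiles the interpolated string; through the hardened path the same bytes come out as inert text appended to the formatted number. The general lesson is the one behind the CVE: data parsed out of an untrusted file must never reach a string eval, and the only format string passed to `sprintf` should be one the program constructed itself.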
Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate catalogued vulnerabilities by their due dates to protect their networks against attacks exploiting them; for these two entries CISA has set the deadline at January 23, 2024. Although the directive binds only federal agencies, CISA and security practitioners recommend that private organizations also review the catalog and address these vulnerabilities in their own infrastructure.