CISA has added two additional vulnerabilities to its catalog of known exploited vulnerabilities for January 2024. Both additions were carried out following evidence of ongoing active exploitation. The vulnerabilities are identified as Google Chromium WebRTC Heap Buffer Overflow Vulnerability (CVE-2023-7024) and Spreadsheet::ParseExcel Remote Code Execution Vulnerability (CVE-2023-7101).
In December 2023, Google also released a urgent update to fix the vulnerability known as CVE-2023-7024, which has been actively exploited in the wild. It’s the eighth day zero vulnerability for Chromium-based web browsers in 2023.
CVE-2023-7024: Google Chromium WebRTC heap buffer overflow
Google Chromium WebRTC Heap Buffer Overflow or CVE-2023-7024 is a heap-based buffer overflow vulnerability in the open source WebRTC framework. This is a high severity vulnerability that allows remote code execution in the browser’s WebRTC.
WebRTC is an open source project with strong support from major browser manufacturers that enables real-time communication via APIs. Google reported that the vulnerabilityknown as CVE-2023-7024, is a serious heap buffer overflow bug in Chrome’s WebRTC module that enables remote code execution (RCE).
The vulnerability was reported by Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group on December 19, 2023. According to the researchers, the vulnerability was exploited in the wild before the patches were released.
By exploiting this vulnerability, the threat actor can take control of a user’s computer through malicious websites or via phishing methods.
Additionally, obtaining RCE throughout the rendering process is a problem operating risk. This implies that outside of the JavaScript sandbox, a malicious actor can execute any binary code on the user’s computer.
To be truly dangerous, the flaw must be used in conjunction with a sandbox escape vulnerability in Chrome or the operating system. However, the actual damage depends on whether the defect is used as the initial step in an attack chain.
Due to Chrome’s multiprocess architecture, this code is always sandboxed. So even with this vulnerability, an attacker cannot access the user’s files or begin malware distributionand when the relevant tab is closed, their access to the computer is lost.
With a few minor exceptions, Chrome’s Site Isolation feature will generally protect data from other websites, preventing an attacker from accessing the victim’s financial information.
User consent is not required to access the WebRTC itself, but is required to access the microphone or camera. Due to this, the threat becomes destructive as it is likely that any website can exploit it. vulnerability without requiring any intervention from the user other than accessing the infected page.
CVE-2023-7101: Spreadsheet: ParseExcel Remote Code Execution
Spreadsheet::ParseExcel version 0.65, a Perl module designed to parse Excel files, contains a vulnerability that could lead to arbitrary code execution (ACE). This vulnerability results from uncontrolled embedding of file input into a string “evaluation.” The specific problem lies in the evaluation of Number format strings, as distinct from printf-style format strings, in Excel parsing logic.
THE vulnerability is classified as “Incorrect neutralization of directives in dynamically evaluated code” (Eval Injection) according to the Common Weakness List (CWE). CWE offers a framework for identifying and classifying weaknesses, providing detailed information on preventive measures during the development phase.
Since the last update, there is no patch or update available to address CVE-2023-7101 in the open source library. Organizations integrating Spreadsheet::ParseExcel into their products or services are advised to evaluate CVE-2023-7101 and promptly implement necessary corrective actions until a patch is available.
The status of CVE-2023-7101 being used in Ransomware campaigns remain uncertain, as there is currently no definitive information available regarding its use in such malicious activities.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only and users take full responsibility for their reliance on it. The Cyber Express assumes no responsibility for the accuracy or consequences of the use of this information.
Related
!function(f,b,e,v,n,t,s) {if(f.fbq)return;n=f.fbq=function(){n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)}; if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0'; n.queue=();t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)(0); s.parentNode.insertBefore(t,s)}(window, document,'script', 'https://connect.facebook.net/en_US/fbevents.js'); fbq('init', '5969393309772353'); fbq('track', 'PageView');
(function(c,l,a,r,i,t,y){ c(a)=c(a)||function(){(c(a).q=c(a).q||()).push(arguments)}; t=l.createElement(r);t.async=1;t.src="https://www.clarity.ms/tag/"+i; y=l.getElementsByTagName(r)(0);y.parentNode.insertBefore(t,y); })(window, document, "clarity", "script", "f1dqrc05x2");