CISA warns federal agencies of exploited Google Chrome and open-source vulnerabilities

This article was updated at 8:25 p.m. EST with comments from Mandiant's Austin Larsen.

Two new vulnerabilities have been added to the list of exploited bugs by the Cybersecurity and Infrastructure Security Agency (CISA).

CISA on Tuesday warned of a vulnerability concerning the open-source Perl library, classified as CVE-2023-7101, as well as a bug impacting Google Chrome that was addressed by the company last month.

The vulnerabilities were added to the government’s Known Exploited Vulnerabilities (KEV) document, giving federal civilian agencies until January 23 to patch them.

The Google vulnerability affects an open-source project named Google Chromium WebRTC, which provides web browsers with real-time communication. Listed as CVE-2023-7024, the vulnerability allows hackers to cause browsers to crash or help them launch other actions. Google released an emergency security fix for the flaw in December.

Lionel Litty, chief security architect at Menlo Security, explained the worry about the bug is that it could be used as part of a multi-part attack process. With this vulnerability alone, an attacker could not access a user's files or start deploying malware, and their foothold on the machine goes away when the impacted tab is closed.

“It is possible this vulnerability can be targeted by any website without requiring any user input beyond visiting the malicious page, so from this perspective the threat is significant,” Litty said, adding that the bug opened the door for the targeting of other vulnerabilities.

Perl and Excel

Experts had significant concerns about the second vulnerability, which was discovered by researcher Le Dinh Hai within the open-source Perl library. The tool allows users to extract information from Excel spreadsheets and is embedded in a number of systems.

In late December, network and email security firm Barracuda said its products are affected by the vulnerability. Barracuda worked with the security firm Mandiant and determined that hackers based in China were exploiting the vulnerability to deploy previously-discovered malware strains.

Austin Larsen, a Mandiant senior incident response consultant, told Recorded Future News that on December 20 they, alongside Barracuda, identified a threat actor they call UNC4841 exploiting the vulnerability “in a limited number of Barracuda ESG [Email Security Gateway] appliances, targeting high-tech, information technology providers and government entities, predominantly based in the US and APAC [Asia-Pacific] regions.”

“According to current evidence, Mandiant believes this campaign was initiated on or about November 30, 2023 as part of UNC4841’s on-going espionage operations, deploying new variants of the SEASPY and SALTWATER backdoor malware on impacted devices,” he said.

On December 21 and 22, Larsen said, “Barracuda responded promptly by deploying updates to remediate the vulnerability and the ESG appliances that may have been compromised by the newly identified malware variants.”

Larsen explained that the vulnerability targeted the open source Perl module “Spreadsheet::ParseExcel,” which is used by the appliance in the screening of Excel email attachments for malware.

Once a target receives an email with the malicious Excel attachment from UNC4841, the underlying vulnerability in the ParseExcel module ingests the contents of the attachment and evaluates the malicious contents as Perl code on the Barracuda ESG appliance.

“This latest campaign further demonstrates this actor’s persistence from the last UNC4841 campaign. Mandiant anticipates this threat actor may broaden their targeted attack surface to other appliances with a greater variety of exploits in the future,” Larsen added.

Cybersecurity expert John Bambenek explained that Perl is an older programming language that is very commonly used for text manipulation. It became a staple in spam filtering software several decades ago and remains prevalent in the space today, though the language has generally fallen out of favor for developers, Bambenek said.

He noted that the threat actors behind the exploitation “went way off the beaten path to find a vulnerability that allowed for remote code execution (RCE) in spam filtering software that made phishing attacks self-executing at the e-mail gateway level.”

“This demonstrates sophisticated actors are looking at often overlooked aspects of our tech stack to find weaknesses in tools and libraries we may have completely forgotten about.”

The company said there is “no known patch or update available to remediate CVE-2023-7101 within the open source library” and urged other organizations to “promptly [take] necessary remediation measures” in their own products or services.

Other experts noted that CISA’s concerns about the issue must have been severe considering it added the bug to the KEV catalog without it giving it a vulnerability score.

Many threat actors, both nation-state and not, are focused on leveraging open-source code, said Viakoo Labs’ John Gallagher.

“That Chinese threat actors leveraged this against Barracuda systems could have been just simply good timing on their part,” he said.