CISA warns federal agencies of exploited Google Chrome and open-source vulnerabilities
2024-1-4 05:46:27 Author: therecord.media

Two new vulnerabilities have been added to the list of exploited bugs by the Cybersecurity and Infrastructure Security Agency (CISA).

CISA on Tuesday warned of a vulnerability concerning the open-source Perl library, classified as CVE-2023-7101, as well as a bug impacting Google Chrome that was addressed by the company last month.

The vulnerabilities were added to the government’s Known Exploited Vulnerabilities (KEV) document, giving federal civilian agencies until January 23 to patch them.
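The KEV catalog that the article refers to is published by CISA as a JSON feed, and the practical question for a defender is which catalog entries are due, overdue, or present in their own asset inventory. The following script is an added example and is not code from the article, CISA or any vendor named above. It parses records in the layout of the KEV feed (the field names cveID, vendorProject, product, dateAdded and dueDate are the ones CISA publishes); the sample records are constructed for this example, with the two CVE ids and the January 23 due date taken from the article and every other value a placeholder.

```python
"""Triage CISA KEV-format records by remediation due date (added example)."""
import json
from datetime import date, datetime

# Constructed sample in the KEV feed's layout, limited to the fields used here.
# CVE ids and the 2024-01-23 due date come from the article; the third record
# and the vendor/product labels are placeholders, not real catalog content.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV-format sample",
  "vulnerabilities": [
    {"cveID": "CVE-2023-7024", "vendorProject": "Google",
     "product": "Chromium WebRTC (placeholder label)",
     "dateAdded": "2024-01-02", "dueDate": "2024-01-23"},
    {"cveID": "CVE-2023-7101", "vendorProject": "Perl (placeholder label)",
     "product": "Excel parsing library (placeholder label)",
     "dateAdded": "2024-01-02", "dueDate": "2024-01-23"},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct",
     "dateAdded": "2024-01-03", "dueDate": "2024-02-15"}
  ]
}
"""


def load_kev(text):
    """Parse KEV-format JSON and return the list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def _to_date(value):
    """Accept either an ISO date string or a date object."""
    if isinstance(value, date):
        return value
    return datetime.strptime(value, "%Y-%m-%d").date()


def due_by(entries, as_of):
    """CVE ids whose due date is on or before as_of, ordered by due date then id."""
    cutoff = _to_date(as_of)
    hits = [(e["dueDate"], e["cveID"]) for e in entries
            if _to_date(e["dueDate"]) <= cutoff]
    return [cve for _, cve in sorted(hits)]


def days_remaining(entries, as_of):
    """Map cveID -> days left until the due date (negative once overdue)."""
    today = _to_date(as_of)
    return {e["cveID"]: (_to_date(e["dueDate"]) - today).days for e in entries}


def match_inventory(entries, inventory_cves):
    """Cross-reference a CVE list from an asset inventory against the catalog."""
    kev_ids = {e["cveID"] for e in entries}
    return sorted(kev_ids & set(inventory_cves))


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    today = "2024-01-04"  # the article's publication date
    for cve, left in sorted(days_remaining(entries, today).items()):
        print(f"{cve}: {left} days until KEV due date")
    print("Due by 2024-01-23:", due_by(entries, "2024-01-23"))
    print("Inventory hits:", match_inventory(entries, ["CVE-2023-7101", "CVE-1999-0001"]))
```

To use it against the live catalog, replace SAMPLE_KEV_JSON with the downloaded feed text; the functions only depend on the field names above, so any record with those keys is handled the same way.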

The Google vulnerability affects an open-source project named Google Chromium WebRTC, which provides web browsers with real-time communication. Listed as CVE-2023-7024, the vulnerability can be used to crash the browser or as a stepping stone for further attacks. Google released an emergency security fix for the flaw in December.

Lionel Litty, chief security architect at Menlo Security, explained that the worry about the bug is that it could be used as one stage of a multi-stage attack. With this vulnerability alone, an attacker could not access a user's files or start deploying malware, and their foothold on the machine goes away when the affected tab is closed.

“It is possible this vulnerability can be targeted by any website without requiring any user input beyond visiting the malicious page, so from this perspective the threat is significant,” Litty said, adding that the bug opened the door for the targeting of other vulnerabilities.

Perl and Excel

Experts had significant concerns about the second vulnerability, which was discovered by researcher Le Dinh Hai within the open-source Perl library. The tool allows users to extract information from Excel spreadsheets and is embedded in a number of systems.

In late December, network and email security firm Barracuda said its products are affected by the vulnerability. Barracuda worked with the security firm Mandiant and determined that hackers based in China were exploiting the vulnerability to deploy previously discovered malware strains. They did not say when exploitation of CVE-2023-7101 began.

Several cybersecurity experts said the tool should either be updated or removed. Ken Dunham, cyber threat director at Qualys Threat Research Unit, said that at some point in 2023 a weaponized Microsoft Excel spreadsheet was used for exploitation as part of a sophisticated Chinese campaign.

“Successful exploitation is quickly followed with deployment of malicious payloads such as SEASPY and SALWATER [malware variants] and customized malware shortly thereafter,” he said. “Once persistence and reconnaissance are secured by the actor group, they may attempt to move laterally to land and expand as they further exploitation against target(s).”

Cybersecurity expert John Bambenek explained that Perl is an older programming language that is very commonly used for text manipulation. It became a staple in spam filtering software several decades ago and remains prevalent in the space today, though the language has generally fallen out of favor for developers, Bambenek said.

He noted that the threat actors behind the exploitation “went way off the beaten path to find a vulnerability that allowed for remote code execution (RCE) in spam filtering software that made phishing attacks self-executing at the e-mail gateway level.”

“This demonstrates sophisticated actors are looking at often overlooked aspects of our tech stack to find weaknesses in tools and libraries we may have completely forgotten about.”

Barracuda said there is “no known patch or update available to remediate CVE-2023-7101 within the open source library” and urged other organizations to “promptly [take] necessary remediation measures” in their own products or services.

Other experts noted that CISA’s concerns about the issue must have been severe, considering that it added the bug to the KEV catalog without giving it a vulnerability score.

Many threat actors, both nation-state and not, are focused on leveraging open-source code, said Viakoo Labs’ John Gallagher.

“That Chinese threat actors leveraged this against Barracuda systems could have been just simply good timing on their part,” he said.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Source: https://therecord.media/cisa-adds-chrome-open-source-bugs