Chromium-Based Vulnerabilities

Priority: High

Summary:

Security researcher 'frust' has published a proof-of-concept (POC) exploit on Twitter for a zero-day remote code execution vulnerability in Chromium-based browsers. This follows two other Chromium vulnerabilities for which fixes were released on 14th April 2021. [2]

The published POC demonstrates code execution by launching the Windows Notepad application. [1] The vulnerability has not yet been assigned a CVE number, but is tracked as Chromium issue 1195777.

Background:

The following CVEs were published on 14th April 2021 and describe the previously identified vulnerabilities.

CVE-2021-21206 – Use after free in Blink

The vulnerable component is Blink, the rendering engine Google Chrome uses to turn HTML, CSS and related resources into a displayed page. The issue was reported anonymously on 7th April 2021. [5]

CVE-2021-21220 – Insufficient validation of untrusted input in V8 for x86_64

The vulnerable component is V8, Google Chrome's JavaScript and WebAssembly engine, which compiles scripts to native machine code at run time; the affected code path is specific to the x86_64 build. The issue was reported by Bruno Keith (@bkth_) and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI (ZDI-CAN-13569) on 7th April 2021. [5]

Security researcher Rajvardhan Agarwal has released a POC related to the CVEs above and published it on Twitter.

The newer vulnerability published by 'frust' is not straightforward to exploit on its own. Both POCs achieve code execution only inside the browser's renderer process, and Chromium's sandbox confines that process so it cannot run arbitrary programs or read files on the endpoint. To compromise a user, an attacker would need to chain either bug with an unpatched sandbox escape vulnerability. [6]

With the sandbox enabled (the default), the Frust zero-day cannot harm users on its own; the POC only reaches the operating system when the browser is run with the sandbox disabled. Google has yet to release information regarding this vulnerability. [6]

Detect

ITC customers using Qualys can scan their networks with QIDs 375461 and 375463 to detect vulnerable assets.

You can also verify the version of a Chrome or Edge browser manually:

Chrome:

Your Chrome browser version number can be found as follows:

  1. Click on the Menu icon in the upper right corner of the screen.
  2. Click on Help, and then About Google Chrome.


Edge:

Your Edge browser version number can be found as follows:

  1. Click on the Menu icon in the upper right corner of the screen.
  2. Click on Help & Feedback, and then About Microsoft Edge.


Affected Products:

  • Google Chrome prior to 90.0.4430.72
  • Microsoft Edge prior to 89.0.774.77


Prevent:

Chromium's sandbox, which is enabled by default, stops a successful exploit of these vulnerabilities from executing code or reading files outside the renderer process. Do not run browsers with the sandbox disabled (for example via the --no-sandbox command-line switch), as that removes the only control currently available for the Frust issue.
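The following PowerShell script is an added example (not part of this advisory and not Google or Microsoft tooling) that automates the two checks above on a Windows endpoint: it compares the installed Chrome and Edge builds against the fixed versions listed under Affected Products, and it flags any running browser process that was started with the sandbox disabled. The install paths are assumptions based on default installer locations; adjust them for non-standard deployments.

```powershell
# Added example, not from the advisory. Checks installed Chromium-based browser
# builds against the fixed versions above and flags processes running unsandboxed.

# Fixed builds taken from the Affected Products list in this advisory.
$FixedVersions = @{
    'chrome.exe' = [version]'90.0.4430.72'   # Google Chrome
    'msedge.exe' = [version]'89.0.774.77'    # Microsoft Edge (Chromium-based)
}

# Assumed default install locations (system-wide and per-user).
$Candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
    "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
)

function Test-BrowserVersion {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $exe   = Split-Path -Leaf $Path
    $fixed = $FixedVersions[$exe]
    # Cast to [version] so the comparison is numeric per component; a plain
    # string comparison would rank '9.x' above '89.x' and give wrong answers.
    $installed = [version](Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
    [pscustomobject]@{
        Browser    = $exe
        Path       = $Path
        Installed  = $installed
        FixedBuild = $fixed
        Vulnerable = ($installed -lt $fixed)
    }
}

Write-Host "== Installed browser builds =="
$Candidates | ForEach-Object { Test-BrowserVersion -Path $_ } | Format-Table -AutoSize

# Sandbox check. On Chromium the sandbox is turned off with a command-line switch,
# so any chrome.exe / msedge.exe process carrying --no-sandbox has lost the
# protection the Prevent section relies on and should be treated as exposed.
Write-Host "== Browser processes running with --no-sandbox =="
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe' OR Name = 'msedge.exe'" |
    Where-Object { $_.CommandLine -match '--no-sandbox' } |
    Select-Object ProcessId, Name, CommandLine |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that Win32_Process returns command lines for processes owned by other users; without elevation the sandbox check only covers the current user's browser sessions. A row with Vulnerable = True, or any process listed under the --no-sandbox heading, needs attention.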

React:

IT administrators should ensure that all Google Chrome and Chromium-based Microsoft Edge installations are updated to at least the fixed versions listed under Affected Products. Those builds address CVE-2021-21206 and CVE-2021-21220; the Frust issue (Chromium issue 1195777) has no fix version listed here, so keeping the sandbox enabled remains the control for it until Google releases a patch.

Sources:

[1] https://www.bleepingcomputer.com/news/security/second-google-chrome-zero-day-exploit-dropped-on-twitter-this-week/
[2] https://www.secpod.com/blog/second-zero-day-exploit-for-google-chrome-in-the-same-week/
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21206
[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-21220
[5] https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html
[6] https://threatprotect.qualys.com/2021/04/15/google-chrome-and-microsoft-edge-zero-day-remote-code-execution-vulnerability/