Attacker Value
Very High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
1

CVE-2021-21166

Disclosure Date: March 09, 2021
CVE-2021-21166 CVSS v3 Base Score: 8.8
Exploited in the Wild
Reported by gwillcox-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Common in enterpriseUnauthenticatedVulnerable in default configuration
Technical Analysis

Reported as exploited in the wild at https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/ and at https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html.

Details are still scant on this vulnerability as they are being withheld by Google until more people have patched the issue, which was fixed in Chrome 89.0.4389.72. All that we know is that the bug is labeled as an Object lifecycle issue in audio and was found by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-11.

Given the description of this vulnerability as well as its link to a similar vulnerability exploited in the wild in the past (see https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/), its likely that this is a UAF vulnerability. Given the one used in https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/ was a bug in the same component which was then used in the WizardOpium attacks, its likely that this vulnerability will lead to full compromise of the system given past history.

Users are encouraged to disable JavaScript where possible, particularly for untrusted sites, as this is often needed in order to successfully exploit UAF vulnerabilities in the browser. However this is only a temporary fix, and it is strongly encouraged that users instead upgrade to Chrome 89.0.4389.72 or later, Given there is already active exploitation of this vulnerability, and given the history of bugs within this component, there is a good possibility that we may see more widespread exploitation of this issue in the near future.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Chrome 89.0.4389.72
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • fedoraproject,
  • google

Products

  • chrome,
  • debian linux 10.0,
  • fedora 32,
  • fedora 33,
  • fedora 34

Exploited in the Wild

Reported by:
Technical Analysis