Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
1

CVE-2021-21224

Disclosure Date: April 26, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Add Assessment

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

According to https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/ this appears to have been used along with CVE-2021-31955 and CVE-2021-31956, a Windows kernel information leak and a Windows LPE vulnerability, to form a full RCE to go from a user browsing a web page to full SYSTEM control over a target Windows device. This is an extremely powerful and valuable exploit chain, and many exploit brokers are willing to pay large sums of money for these chains as they often are very valuable to nation states who wish to use them for their intelligence operations.

Overall though, on its own it seems like this bug wasn’t super valuable as you only get RCE within the sandbox itself, which is why it was then chained with a Windows kernel bug to escape the Chrome sandbox and gain RCE as SYSTEM on the target device. Therefore the risk for this vulnerability alone is lower, however if we keep in mind the other bugs that existed at the time, the overall risk is quite high.

There also appears to have been public exploit code available for this vulnerability, available at https://github.com/avboy1337/1195777-chrome0day, which was potentially reused by the attackers. In any case at the time that code was released the bug was still unpatched which lead researchers at Kaspersky to conclude that its likely attackers used the code from https://github.com/avboy1337/1195777-chrome0day in their attack.

Otherwise this is your typical V8 type confusion bug. V8 seems to have had quite a few type confusion bugs in the past so this is nothing too new. If you want to limit exposure, disable JavaScript in your browser on untrusted sites, which will help prevent users from being exploited by these types of attacks as most of them rely on JavaScript to do set up the environment in Chrome appropriately. That being said disabling JavaScript will break most sites so take this with a grain of salt :)

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • debian,
  • fedoraproject,
  • google

Products

  • chrome,
  • debian linux 10.0,
  • fedora 32,
  • fedora 33,
  • fedora 34

Exploited in the Wild

Reported by:
Technical Analysis