NinjaOperator's comment on CVE-2022-2294

Description

Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Add Assessment

gwillcox-r7 (579)

July 05, 2022 3:18am UTC (2 years ago)•Edited 2 years ago

Ratings

Attacker Value

High

Exploitability

Medium

Common in enterprise Unauthenticated Vulnerable in default configuration Difficult to weaponize

Technical Analysis

Looks like this was a heap buffer overflow in WebRTC which could allow for a drive by attack that would grant attackers RCE on a target system. No news as to whether or not this was used with a sandbox escape though, It was reported by Jan Vojtesek from the Avast Threat Intelligence team on 2022-07-01 according to https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html, yet interestingly https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html also note it affects Chrome for Android.

There is a real world exploit for this out in the wild but given the generally tight lipped news around this and that it was found from a threat intelligence team, I would imagine this may have been used in more targeted attacks, but still widely enough that a threat intelligence team picked up on it. Bit hard to tell though since I hadn’t heard about the Avast Threat Intelligence team prior to this; I imagine its possible one of their customers was targeted selectively and then they found out and notified Google.

With heap overflow bugs I generally err on the side of “well these things are harder to exploit” however with browsers you typically have access to a much wider arsenal to use for crafting the heap into a state that is desirable for exploitation purposes, so the risk is a bit higher here. That being said exploitation of such bugs tends to be a little more complex in most cases, particularly given recent mitigations. I’d still recommend patching this one if you can, but if not then you should try to disable WebRTC on your browsers until you can patch given in the wild exploitation.

See More &1 replySee Less

NinjaOperator (83) July 29, 2022 8:52pm UTC (2 years ago)

Excellent analysis. Thank you

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.9

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

apple,
fedoraproject,
google,
webkitgtk,
webrtc project,
wpewebkit

Products

chrome,
extra packages for enterprise linux 8.0,
fedora 35,
fedora 36,
ipados,
iphone os,
mac os x,
mac os x 10.15.7,
macos,
tvos,
watchos,
webkitgtk,
webrtc -,
wpe webkit

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Vendor Advisory (https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html)
Threat Feed (https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-2294.html)
News Article or Blog (https://securityaffairs.co/wordpress/132863/hacking/4th-chrome-zero-day.html)

Reported: July 05, 2022 3:04am UTC (2 years ago) • Edited 2 years ago

mkienow-r7 indicated sources as

Vendor Advisory (https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html)
Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: July 06, 2022 2:56pm UTC (2 years ago) • Edited 2 years ago

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/08/25/cisa-adds-ten-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:24am UTC (1 week ago)

References

Rapid7

High

CVE-2022-2294

High

Moderate

Required

None

Network

CVE-2022-2294

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

High

CVE-2022-2294

High

Moderate

Required

None

Network

CVE-2022-2294

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification