Attacker Value
Very High
(3 users assessed)
Exploitability
Low
(3 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
1

Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium

Disclosure Date: October 10, 2019
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Add Assessment

4
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Low
Technical Analysis

Based on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.

An attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome’s quick patching mechanism means these vulns typically have a short shelf life, though the inability to force users to actually update is a limiting factor.

1
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

Judging by the Kaspersky writeup, it looks like the vulnerability exists for a relatively large number of Chrome versions. Fix was released for 78.0.3904.87, and the exploit checks the range from 65-77. Despite the seemingly difficult development and execution of this exploit, this is an important one to patch.

1
Technical Analysis

Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888

Though honestly you can just Google “WizardOpium” and find lots of articles such as https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/. This attack got a lot of news attention at the time due to its sophistication and the fact that it was used with a Windows kernel privilege elevation (see https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458 for more details on the kernel exploit), something that tends to only occur in advanced attacks due to the development effort required. Therefore its not hard to find articles discussing it being used in the wild.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • google,
  • opensuse

Products

  • chrome,
  • leap 15.1

Exploited in the Wild

Reported by:
Technical Analysis