Moderate
CVE-2021-21224
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2021-21224
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityVery High
Technical Analysis
According to https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/ this appears to have been used along with CVE-2021-31955 and CVE-2021-31956, a Windows kernel information leak and a Windows LPE vulnerability, to form a full RCE to go from a user browsing a web page to full SYSTEM control over a target Windows device. This is an extremely powerful and valuable exploit chain, and many exploit brokers are willing to pay large sums of money for these chains as they often are very valuable to nation states who wish to use them for their intelligence operations.
Overall though, on its own it seems like this bug wasn’t super valuable as you only get RCE within the sandbox itself, which is why it was then chained with a Windows kernel bug to escape the Chrome sandbox and gain RCE as SYSTEM on the target device. Therefore the risk for this vulnerability alone is lower, however if we keep in mind the other bugs that existed at the time, the overall risk is quite high.
There also appears to have been public exploit code available for this vulnerability, available at https://github.com/avboy1337/1195777-chrome0day, which was potentially reused by the attackers. In any case at the time that code was released the bug was still unpatched which lead researchers at Kaspersky to conclude that its likely attackers used the code from https://github.com/avboy1337/1195777-chrome0day in their attack.
Otherwise this is your typical V8 type confusion bug. V8 seems to have had quite a few type confusion bugs in the past so this is nothing too new. If you want to limit exposure, disable JavaScript in your browser on untrusted sites, which will help prevent users from being exploited by these types of attacks as most of them rely on JavaScript to do set up the environment in Chrome appropriately. That being said disabling JavaScript will break most sites so take this with a grain of salt :)
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- debian,
- fedoraproject,
Products
- chrome,
- debian linux 10.0,
- fedora 32,
- fedora 33,
- fedora 34
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Advisory
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: