Microsoft identified a remotely triggerable memory corruption vulnerability in ChromeOS that could allow attackers to cause a denial-of-service (DoS) or achieve remote code execution (RCE).
Researchers note that the flaw could be triggered remotely by manipulating audio metadata. Attackers could have lured users into simply playing a new song in a browser or from a paired Bluetooth device, or leveraged adversary-in-the-middle (AiTM) capabilities to exploit the vulnerability remotely.
The critical flaw is tracked as CVE-2022-2587 (CVSS score 9.8) and was patched in June.
ChromeOS Security Features
In general, ChromeOS is a Linux-based operating system derived from the open-source Chromium OS and uses the Google Chrome web browser as its principal user interface. It runs on Chromebooks, Chromeboxes, Chromebits, and Chromebases.
* Hardened sandbox (called minijail)
* Verified boot
* Locked-down filesystem (mounted with noexec, nosuid, nodev) and dm-verity
* Root user restrictions (SECURE_NOROOT)
* When development mode is entered, all locally stored data is wiped
ChromeOS Vulnerabilities Fall into One of Three Different Classes:
* ChromeOS-specific logic vulnerabilities
* ChromeOS-specific memory-corruption vulnerabilities
* Broader threats such as Chrome browser vulnerabilities
The discovered vulnerability falls under the second class, ChromeOS-specific memory-corruption vulnerabilities.
“It was clear that the vulnerability could be triggered via changes to the audio metadata,” researchers from Microsoft said.
Researchers describe two interesting cases that could both be triggered remotely:
* From the browser: the browser’s media component invokes the function when metadata is changed, such as when playing a new song in the browser.
* From Bluetooth: the media session service in the operating system invokes the function when a song’s metadata changes, which can happen when playing a new song from a paired Bluetooth device.
Figure: Call tree displaying how browser or Bluetooth media metadata changes ultimately trigger the vulnerable function.
The flaw was identified in the CRAS (ChromiumOS Audio Server) component and could be triggered using malformed metadata associated with songs.
According to Microsoft, “The impact of heap-based buffer overflow ranges from simple DoS to full-fledged RCE.”
“Although it’s possible to allocate and free chunks through media metadata manipulation, performing the precise heap-grooming is not trivial in this case and attackers would need to chain the exploit with other vulnerabilities to successfully execute any arbitrary code.”
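As an added illustration (not CRAS source code and not the actual CVE-2022-2587 bug), the following hypothetical metadata handler shows the heap-based buffer overflow class the researchers describe: a title update whose length field comes from the remote record, with the unchecked copy shown for contrast beside its bounds-checked form. The record format, function names and TITLE_CAP are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TITLE_CAP 64   /* assumed size of the heap chunk holding a track title */

/* Constructed wire format for one metadata update: [len:1 byte][title bytes]. */

/* Vulnerable form, shown for contrast only (never call it on untrusted input):
 * the length byte is taken from the remote record and trusted, so a record
 * claiming len >= TITLE_CAP writes past the end of the 64-byte heap chunk. */
void set_title_unchecked(char *title, const uint8_t *rec)
{
    size_t len = rec[0];
    memcpy(title, rec + 1, len);   /* heap overflow when len >= TITLE_CAP */
    title[len] = '\0';
}

/* Hardened form: validates the remote length against both the record size
 * and the destination chunk before copying anything. Returns 0 or -1. */
int set_title_checked(char *title, size_t cap, const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < 1)
        return -1;                 /* no length byte present */
    size_t len = rec[0];
    if (len > rec_len - 1)
        return -1;                 /* record is shorter than it claims */
    if (len >= cap)
        return -1;                 /* title plus NUL would not fit the chunk */
    memcpy(title, rec + 1, len);
    title[len] = '\0';
    return 0;
}

/* Allocates the title chunk, applies one update with the checked handler and
 * copies the accepted title to out. Returns 0 if accepted, -1 if rejected. */
int apply_update(const uint8_t *rec, size_t rec_len, char *out, size_t out_cap)
{
    char *title = calloc(1, TITLE_CAP);
    if (title == NULL)
        return -1;
    int rc = set_title_checked(title, TITLE_CAP, rec, rec_len);
    if (rc == 0 && out != NULL && out_cap > 0) {
        strncpy(out, title, out_cap - 1);
        out[out_cap - 1] = '\0';
    }
    free(title);
    return rc;
}
```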
How to Defend Against the Evolving Threat?
Microsoft suggests organizations strictly monitor all devices and operating systems across platforms, including unmanaged devices.
Microsoft Defender for Endpoint’s device discovery capabilities help organizations locate unmanaged devices, including those running ChromeOS, and detect whether they are being operated by attackers once they start interacting over the network with servers and other managed devices.