Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
{"cve": [{"lastseen": "2023-12-03T15:54:51", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T23:15:00", "type": "cve", "title": "CVE-2022-3723", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-05-03T12:16:00", "cpe": [], "id": "CVE-2022-3723", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "qualysblog": [{"lastseen": "2022-11-02T20:29:49", "description": "As we head into the weekend, Google has released an emergency security update for the Chrome desktop web browser to address a high-severity vulnerability known to be exploited in the wild. This is the seventh Chrome zero-day fixed this year by Google. This security bug ([CVE-2022-3723](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html?m=1>); **_QID 377721_**) is a type-confusion flaw in the Chrome V8 JavaScript engine.\n\n\n\nGoogle has not shared details on the nature of attacks in which this vulnerability is exploited but mentioned they are aware of reports that an exploit for this vulnerability exists in the wild.\n\nThe vulnerability is a \u201ctype confusion\u201d that affects the V8 component of Chrome. Typically, when a piece of code does not verify the type of object given to it and uses it blindly without type-checking, it leads to type confusion.\n\nType confusion can be extremely dangerous; sometimes, this can lead to code execution. By accessing memory regions that should not be accessible from the context of the application, an attacker could read sensitive information of other apps or cause crashes.\n\nAttacks on the V8 component of Chrome are not typical but are among the most dangerous. Google does not define the level of activity concerning the exploitation that exists in the wild, so whether attacks using [CVE-2022-3723](<https://www.cve.org/CVERecord?id=CVE-2022-3723>) are across-the-board or limited is unknown now.\n\n## Zero Day and Third-Party Applications\n\nZero-day attacks in third-party business applications are a preferred and easy way for threat actors to find their way into your organization. As such, ensuring all end users\u2019 desktops and laptops are patched \u2013 as soon as the zero-day fix is released is a critical task for every security and IT person.\n\nHowever, too many organizations struggle to remediate third-party application vulnerabilities expeditiously and oftentimes, rely on the application\u2019s auto-update mechanism. Unfortunately, auto-update may or may not work in a timely manner, and enforcement and tracking is challenging.\n\n## Respond Faster with Zero Touch\n\nIt is highly recommended to treat desktop and laptop patching differently than server and production patching. In most cases, the risk of patching a desktop application and breaking core business functionality is lower than causing a severe impact in a production environment. As such applying smart automation to your third-party applications on desktops and laptops will allow organizations to respond faster to new zero-day threats and do it all with little IT intervention or extra work. In other words, once the policy is created, everything else is Zero Touch.\n\n## Using Qualys and Zero-Touch Patching to Reduce Risk\n\nAs part of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>), Zero-Touch Patching intelligently identifies the riskiest products in the environment and helps create automation jobs to automatically deploy the proper patches and configuration changes required for remediating vulnerabilities.\n\nBased on Qualys patch prioritization report, applications are ranked based on the number of vulnerabilities they introduced to the environment. Common feedback we hear from our customers is that browsers, including Chrome, are in the top five (5) applications that introduced the most number of vulnerabilities, and therefore risk. Following the recommendation of this report, it is easy for customers to create automated, zero-touch patch jobs to automatically deploy patches to those top third-party applications. As Qualys supports patching these applications right out of the box, once those jobs are deployed, IT teams and security teams do not need any more time with remediation efforts every time a new patch is released. Aren't you tired of being a weekend remediation warrior?\n\n**_Qualys Patch Management > Prioritized Products > Windows > Chrome_**\n\nIf you are a Qualys customer that does not have Patch enabled, a [trial](<https://www.qualys.com/apps/patch-management/>) can be enabled quickly \u2013 it leverages the same VMDR agent - which will allow you to immediately deploy the Chrome patch to your environment and then create those automation jobs to ensure the next time Google or any other vendor releases a patch, your desktops and laptops are automatically updated.\n\n[Try Qualys Patch Management Today!](<https://www.qualys.com/apps/patch-management/>)\n\n## Contributors\n\n * Saeed Abbasi, Manager, Vulnerability Signatures, Qualys", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-28T22:07:37", "type": "qualysblog", "title": "Don\u2019t spend another weekend patching Chrome", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-28T22:07:37", "id": "QUALYSBLOG:2FF98A895C020ED1CE5E7F898BD6BA9A", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-28T20:49:22", "description": "As we head into the weekend, Google has released an emergency security update for the Chrome desktop web browser to address a high-severity vulnerability known to be exploited in the wild. This is the seventh Chrome zero-day fixed this year by Google. This security bug ([CVE-2022-3723](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html?m=1>); QID 377721) is a type-confusion flaw in the Chrome V8 JavaScript engine.\n\nGoogle has not shared details on the nature of attacks in which this vulnerability is exploited but mentioned they are aware of reports that an exploit for this vulnerability exists in the wild.\n\nThe vulnerability is a \u201ctype confusion\u201d that affects the V8 component of Chrome. Typically, when a piece of code does not verify the type of object given to it and uses it blindly without type-checking, it leads to type confusion.\n\nType confusion can be extremely dangerous; sometimes, this can lead to code execution. By accessing memory regions that should not be accessible from the context of the application, an attacker could read sensitive information of other apps or cause crashes.\n\nAttacks on the V8 component of Chrome are not typical but are among the most dangerous. Google does not define the level of activity concerning the exploitation that exists in the wild, so whether attacks using CVE-2022-3723 are across-the-board or limited is unknown now.\n\n## Zero Day and 3rd-party Applications\n\nZero-day attacks in 3rd-party business applications are a preferred and easy way for threat actors to find their way into your organization. As such, ensuring all end users\u2019 desktops and laptops are patched \u2013 as soon as the zero-day fix is released is a critical task for every security and IT person.\n\nHowever, too many organizations struggle to remediate 3rd-party application vulnerabilities expeditiously and oftentimes, rely on the application\u2019s auto-update mechanism. Unfortunately, auto-update may or may not work in a timely manner and enforcement and tracking is challenging.\n\n## Respond Faster with Zero Touch\n\nIt is highly recommended to treat desktop and laptop patching differently than server and production patching. In most cases, the risk of patching a desktop application and breaking core business functionality is lower than causing severe impact in a production environment. As such applying smart automation to your 3rd-party applications on desktops and laptops will allow organizations to respond faster to new zero-day threats and do it all with little IT intervention or extra work. In other words, once the policy is created, everything else is Zero Touch.\n\n## Using Qualys and Zero-Touch Patching to Reduce Risk\n\nAs part of [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>), Zero-Touch Patching intelligently identifies the riskiest products in the environment and helps create automation jobs to automatically deploy the proper patches and configuration changes required for remediating vulnerabilities.\n\nBased on Qualys patch prioritization report, applications are ranked based on the number of vulnerabilities they introduced to the environment. Common feedback we hear from our customers is that browsers, including Chrome, are in the top 5 applications that introduced the most number of vulnerabilities, and therefore risk. Following the recommendation of this report, it is easy for customers to create automated, zero-touch patch jobs to automatically deploy patches to those top 3rd party applications. As Qualys supports patching these applications right out of the box, once those jobs are deployed, IT teams and security teams do not need any more time with remediation efforts every time a new patch is released. Aren't you tired of being a weekend remediation warrior?\n\n\n\nIf you are a Qualys customer that does not have Patch enabled, a [trial](<https://www.qualys.com/apps/patch-management/>) can be enabled quickly \u2013 it leverages the same VMDR agent - which will allow you to immediately deploy the Chrome patch to your environment and then create those automation jobs to ensure the next time Google or any other vendor releases a patch, your desktops and laptops are automatically updated.", "cvss3": {}, "published": "2022-10-28T19:40:19", "type": "qualysblog", "title": "Chrome Zero Day \u2013 Just Before the Weekend (again)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-28T19:40:19", "id": "QUALYSBLOG:E44F97839C7555E7A3CA4C08F8074CFD", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-29T20:08:31", "description": "As we come back from our Thanksgiving holidays, Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that exists in the wild. This is the eighth Chrome zero-day fixed this year by Google. This security bug ([CVE-2022-4135](<https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html>); _QID 377794_) is a Heap buffer overflow in GPU.\n\nGoogle has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.\n\nGoogle\u2019s previous zero-day was also released right before a weekend (see [Don\u2019t spend another weekend patching Chrome](<https://blog.qualys.com/product-tech/2022/10/28/chrome-zero-day-cve-2022-3723>)).\n\n\n\n## Zero-touch patching of 3rd-party applications\n\nWhether Google Chrome, Microsoft Edge, Apple Safari or a host of other 3rd party applications, this is an easy way for bad actors to penetrate your corporate perimeter. And unfortunately, many of these vulnerabilities surface on weekends, and over holiday periods when the majority of IT and Security folks are away from the office and slower to respond.\n\nRemediating 3rd-party applications does not have to be difficult. The risk of patching a desktop application and breaking core business functionality is significantly lower compared to servers running in a production environment. As such applying smart automation to your third-party applications on desktops and laptops will allow organizations to respond faster to new zero-day threats and do it all with little IT intervention or extra work. In other words, once the policy is created, everything else is Zero Touch.\n\n## How Qualys Patch Management can help drive speed of remediation\n\n[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>), smart-automation intelligently identifies the riskiest products in the environment and helps create automation jobs to deploy the proper patches and configuration changes required for remediating vulnerabilities, faster than any manual process.\n\nApplications are ranked based on the number of vulnerabilities they introduced to the environment. Common feedback we hear from our customers is that browsers, including Chrome, are in the top five (5) applications that introduced the greatest number of vulnerabilities, and therefore risk. Following the recommendation of this report, it is easy for customers to create automated, zero-touch patch jobs to automatically deploy patches to those top third-party applications. As Qualys supports patching these applications right out of the box, once those jobs are deployed, IT teams and security teams do not need to spend any more time with remediation efforts every time a new patch is released. Aren\u2019t you tired of being a weekend remediation warrior?\n\n\n\nIf you are a Qualys customer that does not have Patch enabled, a [trial](<https://www.qualys.com/apps/patch-management/>) can be enabled quickly \u2013 it leverages the same VMDR agent \u2013 which will allow you to immediately deploy the Chrome patch to your environment and then create those automation jobs to ensure the next time Google or any other vendor releases a patch, your desktops and laptops are automatically updated.\n\n[Try Qualys Patch Management Today!](<https://www.qualys.com/apps/patch-management/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-11-29T18:26:11", "type": "qualysblog", "title": "Don\u2019t Spend Your Holiday Season Patching Chrome", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-3723", "CVE-2022-4135"], "modified": "2022-11-29T18:26:11", "id": "QUALYSBLOG:61F9CF49EC3AE08D7038DF2EB7A34AC9", "href": "https://blog.qualys.com/category/product-tech/patch-management", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-12-14T08:08:58", "description": "Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug ([CVE-2022-4262](<https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html>); _QID 377804_) is a Type Confusion vulnerability in Chrome\u2019s V8 JavaScript Engine.\n\nGoogle has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.\n\nGoogle\u2019s previous zero-days were also released right before a weekend (see [Don\u2019t spend another weekend patching Chrome](<https://blog.qualys.com/product-tech/2022/10/28/chrome-zero-day-cve-2022-3723>) and [Don\u2019t Spend Your Holiday Season Patching Chrome](<https://blog.qualys.com/product-tech/patch-management/2022/11/29/dont-spend-your-holiday-season-patching-chrome>)).\n\n\n\n## Organizations respond, but slowly\n\nAnalyzing anonymized data from the Qualys data lake, the Qualys Threat Research Unit found for Chrome zero-day vulnerabilities introduced between February and August, more than 90% of these instances were remediated. However, it took 11-21 days to remediate via the Chrome patch. With the frequency of vulnerabilities released in this widely used browser and the fact that browsers, by their nature, are more exposed to external attacks, reducing the MTTR for those Chrome vulnerabilities is critical.\n\n2022 Chrome Zero-Day Vulnerabilities, MTTR\n\nOf the nine Chrome zero-day threats this year, five were introduced just before the weekend on a Thursday or Friday. Organizations that don't leverage automated patching must spend the weekend or holiday working on the manual, lengthy process of detecting vulnerable devices, preparing the Chrome patch, testing it, and deploying it to affected assets.\n\nCVE| Release Date| Day of the Week| Vulnerability Remediation Rate \n---|---|---|--- \nCVE-2022-0609| 2/14/2022| Monday| 94% \nCVE-2022-1096| 3/25/2022| **Friday**| 94% \nCVE-2022-1364| 4/14/2022| **Thursday**| 93% \nCVE-2022-2294| 7/4/2022| Monday| 93% \nCVE-2022-2856| 8/16/2022| Tuesday| 91% \nCVE-2022-3075| 9/2/2022| **Friday**| 85% \nCVE-2022-3723| 10/27/2022| **Thursday**| 65% \nCVE-2022-4135| 11/24/2022| **Thursday (Thanksgiving)**| 52% \nCVE-2022-4262| 12/2/2022| **Friday**| NA \n2022 Chrome Zero-Day vulnerability release dates and percentage of remediation\n\n## Qualys Patch Management speeds remediation\n\nThe Qualys Threat Research Unit has found on average critical vulnerabilities are weaponized in 15.9 days. Significantly reducing MTTR shortens the exposure window and improves an organization's risk posture.\n\n[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) with Zero-Touch Patching allows organizations to use their Qualys Cloud Agent for vulnerability management and to deploy third-party application patches, including Chrome. If the Qualys Cloud Agent is installed on an asset, customers can patch it, regardless of any other deployed patch solution. By defining a simple zero-touch policy, assets can automatically deploy patches when the vendor releases a new one. If testing patches like Chrome is required before production deployment, automatically setup a zero-touch policy to deploy to a set of test devices before deploying the same tested patches to production devices.\n\nIf you are a Qualys customer without Patch Management, a [trial](<https://www.qualys.com/apps/patch-management/>) can be enabled quickly, leveraging the same agent used with VMDR. This allows you to immediately deploy the Chrome patch to your environment and create those automation jobs to ensure that the next time Google or any other vendor releases a patch, your assets are automatically updated.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-12-03T05:24:27", "type": "qualysblog", "title": "The 9th Google Chrome Zero-Day Threat this Year \u2013 Again Just Before the Weekend", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-3723", "CVE-2022-4135", "CVE-2022-4262"], "modified": "2022-12-03T05:24:27", "id": "QUALYSBLOG:058E013CF475F33D6DEBB8955340D15B", "href": "https://blog.qualys.com/category/product-tech/patch-management", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-27T00:08:39", "description": "# **Microsoft Patch Tuesday Summary**\n\nMicrosoft has fixed 65 new vulnerabilities (aka flaws) in the November 2022 update, including ten (10) vulnerabilities classified as **_[Critical](<https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system>)_** as they allow Denial of Service (DoS), Elevation of Privilege (EoP), and Remote Code Execution (RCE). This month's Patch Tuesday included a Microsoft Defense in Depth Update ([ADV220003](<https://msrc.microsoft.com/update-guide/vulnerability/ADV220003>)) and addressed six (6) known exploited zero-day vulnerabilities. Earlier this month, on November 2, 2022, Microsoft also released two (2) advisories for OpenSSL 3.x for Azure SDK for C++, C++ Library Manager for Windows (vcpkg), and Microsoft Azure Kubernetes Service ([CVE-2022-3602](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3602>), [CVE-2022-3786](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3786>)). \n\nMicrosoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution(RCE), Security Feature Bypass, and Spoofing.\n\n## **The November 2022 Microsoft Vulnerabilities are Classified as Follows:**\n\nIn total, Microsoft addressed 68 vulnerabilities: \n65 New CVEs on November 8th, two (2) CVEs on November 2nd, \nand one (1) [ADV220003](<https://msrc.microsoft.com/update-guide/vulnerability/ADV220003>).\n\n * [Microsoft Exploitability Index](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>)\n * [Microsoft Security Update Severity Rating System](<https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system>)\n\n* * *\n\n# OpenSSL 3.x **Critical Vulnerability** Highlights\n\n_[OpenSSL Vulnerability Recap](<https://blog.qualys.com/vulnerabilities-threat-research/2022/11/03/openssl-vulnerability-recap>) - [Travis Smith](<https://blog.qualys.com/author/tsmith>) VP, Malware Threat Research, Qualys_\n\n## **[CVE-2022-3602](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3602>), [CVE-2022-3786](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3786>) | OpenSSL: X.509 Certificate Verification Buffer Overrun**\n\nThe vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and is known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](<https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/>) for more information.\n\n * For more information and guidance see [Awareness and guidance related to OpenSSL 3.0 - 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602)](<https://msrc-blog.microsoft.com/2022/11/02/microsoft-guidance-related-to-openssl-risk-cve-2022-3786-and-cve-2202-3602/>).\n * Products Affected: [Azure SDK for C++, C++ Library Manager for Windows (vcpkg)](<https://devblogs.microsoft.com/cppblog/fix-for-high-risk-openssl-security-vulnerabilities-announced-guidance-for-vcpkg-users/>), and [Microsoft Azure Kubernetes Service](<https://github.com/Azure/AKS/issues/3299>)\n\n* * *\n\n\n\n[**OpenSSL 3.0.7 - What You Need to Know**](<https://gateway.on24.com/wcc/eh/3347108/lp/4012938/openssl-307-what-you-need-to-know>) | [QUALYS ON-DEMAND WEBINAR](<https://gateway.on24.com/wcc/eh/3347108/category/82812/on-demand-webinars>)\n\nWatch Now\n\n#### OpenSSL 3.x Related Blogs and Resources\n\n * [Qualys Research Alert: OpenSSL 3.0.7 \u2013 What You Need To Know](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/31/qualys-research-alert-prepare-for-a-critical-vulnerability-in-openssl-3-0>)\n * [OpenSSL Vulnerability Recap](<https://blog.qualys.com/vulnerabilities-threat-research/2022/11/03/openssl-vulnerability-recap>)\n * [Web Application Scanning - Open SSL Vulnerability](<https://vimeo.com/767696975>)\n * [CyberSecurity Asset Management (CSAM) OpenSSL Visibility](<https://on24static.akamaized.net/event/40/12/93/8/rt/1/documents/resourceList1667463573850/cybersecrityassetmanagementopensslstats1667463572081.pdf>)\n * [Are your applications vulnerable to the OpenSSL 3.x vulnerability?](<https://www.qualys.com/forms/openssl-3-vulnerability/>)\n\n* * *\n\n# Microsoft Addressed Six (6) **Zero-Day Vulnerabilities**\n\nA vulnerability is classified as a **_zero-day_** if it is publicly disclosed or actively exploited with no official fix available.\n\n### Microsoft Exchange _ProxyNotShell_ Zero-Day Fixed (CVE-2022-41040, CVE-2022-41082)\n\n**_IMPORTANT: Qualys has updated QID 50122 - Microsoft Exchange Server Multiple Vulnerabilities (ProxyNotShell)._**_ _\n\n* * *\n\n**A rescan will be required to update existing detections** with the updated Title, Threat, Solution, CVSSv2 Temporal Score, CVSSv3.1 Temporal Score, and multiple RTI updates including, but not limited to the addition of Exploit_Public, Unauthenticated_Exploitation, and Privilege_Escalation.\n\n* * *\n\nWhile [CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) and [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>) are not considered "new" advisories, per se, Microsoft has chosen to include them in their November 2022 Patch Tuesday release. The [**_ProxyNotShell_**](<https://tinyl.io/7JTp>) ([CVE-2022-41040](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>), [CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082>)) advisories have been updated by Microsoft indicating that patches are now available along with this month\u2019s Security Updates. \n\n * [Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d>)\n * [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](<https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/>)\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Detected**_\n\n* * *\n\n## [CVE-2022-41128](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128>)** | **Windows Scripting Languages Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.8 / 10.\n\nThis vulnerability affects the JScript9 scripting language, which is part of the component _Scripting Language_. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely.\n\nThis vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.\n\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n * Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>) Vulnerability\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Detected**_\n\n* * *\n\n## [CVE-2022-41073](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41073>)** | **Windows Print Spooler Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8 / 10.\n\n_The following content was corrected on 2022-11-26: _ Microsoft has not disclosed the technical details of this vulnerability in their [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41073>), stating only that an attacker who successfully exploited this Elevation of Privilege vulnerability could gain SYSTEM privileges. The advisory provides download links to address the flaw in 60 products.\n\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n * Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>) Vulnerability\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Detected**_\n\n* * *\n\n## [CVE-2022-41125](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41125>)** | **Windows CNG Key Isolation Service Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.8 / 10.\n\nAn attacker who successfully exploited this vulnerability could gain SYSTEM privileges.\n\n * Windows Next-generation Cryptography (CNG)\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Detected**_\n\n* * *\n\n## [CVE-2022-41091](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41091>)** | **Windows Mark of the Web Security Feature Bypass Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 5.4 / 10.\n\n_The following content was corrected on 2022-11-26: _ An attacker can craft a malicious file that would evade [Mark of the Web](<https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked#additional-information-about-mark-of-the-web>) (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.\n\n * In a web-based attack scenario, an attacker could host a malicious website that is designed to exploit the security feature bypass.\n * In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file that is designed to exploit the bypass.\n * Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass.\n\nIn all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment.\n\nPlease see [Additional information about Mark of the Web](<https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked#additional-information-about-mark-of-the-web>) for further clarification.\n\n * Potential Impact [LOW](<https://www.first.org/cvss/>) for Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): _**Exploitation Detected**_\n\n* * *\n\n# **Microsoft Patch Tuesday Critical Vulnerability Highlights**\n\n## [CVE-2022-41080](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080>)** | Microsoft Exchange Server Elevation of Privilege (EoP) Vulnerability**\n\nThis vulnerability has a CVSSv3.1 score of 8.8 / 10.\n\nThe technical details are unknown, and an exploit is not publicly available. Applying a patch can eliminate this problem. Customers are advised to update their Exchange Server systems immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.\n\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## [CVE-2022-37966](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37966>)** | **Windows Kerberos RC4-HMAC Elevation of Privilege (EoP) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1 / 10.\n\nMicrosoft Released: Nov 8, 2022; Microsoft Last updated: Nov 17, 2022\n\nQualys blog updated Nov 26, 2022:\n\n**There is a known issue documented in the security updates that address this vulnerability, where Kerberos authentication might fail for user, computer, service, and GMSA accounts when serviced by Windows domain controllers that have installed Windows security updates released on November 8, 2022. Has an update been released that addresses this known issue?**\n\nYes. The issue is addressed by out-of-band updates released to [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Home.aspx>) on and after November 17, 2022. Customers who have not already installed the security updates released on November 8, 2022, should install the out-of-band updates instead. Customers who have already installed the November 8, 2022, Windows security updates and who are experiencing issues should install the out-of-band updates.\n\nFor more information about these updates, please see the OS version-specific info on [Windows release health](<http://aka.ms/wrh>) at the following links:\n\n * <https://learn.microsoft.com/en/windows/release-health/status-windows-11-22h2#2953msgdesc>\n * <https://learn.microsoft.com/en/windows/release-health/status-windows-11-21h2#2953msgdesc>\n * <https://learn.microsoft.com/en/windows/release-health/status-windows-server-2022#2953msgdesc>\n * <https://learn.microsoft.com/en/windows/release-health/status-windows-10-22h2#2953msgdesc>\n * <https://learn.microsoft.com/en/windows/release-health/status-windows-10-21h2#2953msgdesc>\n * [https://learn.microsoft.com/en/windows/release-health/status-windows-10-21h1#2953msgdesc](<https://learn.microsoft.com/en/windows/release-health/status-windows-10-21h1#2953msgdesc%5D>)\n * [https://learn.microsoft.com/en/windows/release-health/status-windows-10-20h2#2953msgdesc](<https://msrc.microsoft.com/update-guide/vulnerability/%5Bhttps://learn.microsoft.com/en/windows/release-health/status-windows-10-20h2#2953msgdesc>)\n * <https://learn.microsoft.com/en/windows/release-health/status-windows-10-1809-and-windows-server-2019#2953msgdesc>\n\nFor more information please see the **Known Issues** section of [How to manage the Kerberos Protocol changes related to CVE-2022-37966](<https://support.microsoft.com/help/5021131>).\n\nSuccessful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment.\n\n * For more information, please see [How to manage the Kerberos Protocol changes related to CVE-2022-37966](<https://support.microsoft.com/help/5021131>).\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n * Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>) Vulnerability\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n## [CVE-2022-41044](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41044>)** | **Windows Point-to-Point Tunneling Protocol Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1 / 10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.\n\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n * Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>) Vulnerability\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n## [CVE-2022-41088](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41088>)** | **Windows Point-to-Point Tunneling Protocol Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1 / 10.\n\nSuccessful exploitation of this vulnerability requires an attacker to win a race condition. This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.\n\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n * Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>) Vulnerability\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation Less Likely_**\n\n* * *\n\n## [CVE-2022-41118](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41118>)** | **Windows Scripting Languages Remote Code Execution (RCE) Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.5 / 10.\n\nThis vulnerability impacts both the JScript9 and Chakra scripting languages, which are both parts of the component _Scripting Language_. Successful exploitation requires user interaction by the victim. The attack may be initiated remotely.\n\nThis vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website, but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.\n\n * Potential Impact [HIGH](<https://www.first.org/cvss/>) for Confidentiality, Integrity, and Availability. \n * A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.\n * Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>) Vulnerability\n\n[Exploitability Assessment](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>): **_Exploitation More Likely_**\n\n* * *\n\n# **Microsoft Release Summary**\n\nThis month\u2019s [Release Notes](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Nov>) cover multiple Microsoft product families, including Azure, Developer Tools, Extended Security Updates [(ESU)](<https://docs.microsoft.com/en-us/lifecycle/faq/extended-security-updates>), Microsoft Dynamics, Microsoft Office, Open Source Software, and Windows.\n\nA total of 39 unique Microsoft products, features, and roles, including but not limited to Azure CLI, Microsoft Exchange Server Cumulative Update, Windows Endpoint, Windows Server, and Windows Server 2022 Datacenter: Azure Edition (Hotpatch) were included in this release.\n\nDownloads include Cumulative Updates, IE Cumulative, Monthly Rollups, Security Hotpatch Updates, Security Only, and Security Updates.\n\n* * *\n\n# **Adobe Security Bulletins and Advisories**\n\n**For November 2022, Adobe released no patches at all**. They've released as few as one in the past, but this is the first month in the last six years where they had no fixes at all. [_Source_](<https://www.zerodayinitiative.com/blog/2022/11/8/the-november-2022-security-update-review#:~:text=Adobe%20Patches%20for%20November%202022,on%20Election%20Day%20since%202016.>)\n\n* * *\n\n# **About Qualys Patch Tuesday**\n\nQualys Patch Tuesday QIDs are published as [Security Alerts](<https://www.qualys.com/research/security-alerts/>) typically late in the evening on the day of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed later by the publication of the monthly queries for the [Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard](<https://success.qualys.com/discussions/s/article/000006821>) by 1 pm PT on Wednesday.\n\n* * *\n\n#### [Qualys Microsoft Security Alert, November 8, 2022](<https://www.qualys.com/research/security-alerts/2022-11-08/microsoft/>)\n\nQID | TITLE \n---|--- \n48223 | Microsoft Exchange Server Uniform Resource Locator (URL) Rewrite Mitigation Applied for ProxyNotShell \n50122 | Microsoft Exchange Server Multiple Vulnerabilities (ProxyNotShell) \n50123 | Microsoft Exchange Server Multiple Vulnerabilities for November 2022 \n91954 | Microsoft .NET Framework Information Disclosure Vulnerability for November 2022 \n91956 | Microsoft Windows Security Update for November 2022 \n91957 | Microsoft Windows Server Elevation of Privilege Vulnerability for November 2022 \n91958 | Microsoft Dynamics Business Central Information Disclosure Vulnerability for November 2022 \n91959 | Microsoft Azure Stack Hub Security Updates for November 2022 \n91960 | Microsoft Visual Studio Security Updates for November 2022 \n110419 | Microsoft Office Security Update for November 2022 \n110420 | Microsoft SharePoint Server and Foundation Update for November 2022 \n \n* * *\n\n# Qualys Threat Research Blog Posts\n\n_Published in the Last 30 days; Most Recent First_\n\n * [OpenSSL Vulnerability Recap](<https://blog.qualys.com/vulnerabilities-threat-research/2022/11/03/openssl-vulnerability-recap>)\n * [Qualys Research Alert: OpenSSL 3.0.7 \u2013 What You Need To Know](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/31/qualys-research-alert-prepare-for-a-critical-vulnerability-in-openssl-3-0>)\n * [Qualys Research Team: Threat Thursdays, October 2022](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/27/october-2022-threat-thursday>)\n * [Text4Shell: Detect, Prioritize and Remediate The Risk Across On-premise, Cloud, Container Environment Using Qualys Platform](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/27/text4shell-detect-prioritize-and-remediate-the-risk-across-on-premise-cloud-container-environment-using-qualys-platform>)\n * [Leeloo Multipath: Authorization bypass and symlink attack in multipathd (CVE-2022-41974 and CVE-2022-41973) ](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/25/leeloo-multipath-authorization-bypass-and-symlink-attack-in-multipathd-cve-2022-41974-and-cve-2022-41973>)\n * [CVE-2022-42889: Detect Text4Shell via Qualys Container Security](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/25/cve-2022-44889-detect-text4shell>)\n * [Creating Awareness of External JavaScript Libraries in Web Applications](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/12/creating-awareness-of-external-javascript-libraries-in-web-applications>)\n * [JSON Web Token (JWT) Weaknesses](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/11/json-web-token-jwt-weaknesses>)\n\n* * *\n\n# **Qualys [Threat Protection](<https://www.qualys.com/apps/threat-protection/>) High-Rated Advisories**\n\nPublished between October 13, - November 9, 2022, Most Recent First\n\n * [Open Secure Sockets Layer (OpenSSL) Patches High Severity Vulnerabilities (CVE-2022-3602 and CVE-2022-3786)](<https://threatprotect.qualys.com/2022/10/31/openssl-pre-notification-alert-for-a-critical-severity-vulnerability/>)\n * [Google Patches Zero-day vulnerability in Chrome Browser (CVE-2022-3723)](<https://threatprotect.qualys.com/2022/10/29/google-patches-zero-day-vulnerability-in-chrome-browser-cve-2022-3723/>)\n * [Google Chrome Releases New Version to Address Multiple Vulnerabilities](<https://threatprotect.qualys.com/2022/10/26/google-chrome-releases-new-version-to-address-multiple-vulnerabilities/>)\n * [Oracle Releases 370 Security Patches for Various Oracle Products in October 2022 Patch Tuesday](<https://threatprotect.qualys.com/2022/10/19/oracle-releases-370-security-patches-for-various-oracle-products-in-october-2022-patch-tuesday/>)\n * [Apache Commons Arbitrary Code Execution Vulnerability (Text4Shell) (CVE-2022-42889)](<https://threatprotect.qualys.com/2022/10/18/apache-commons-arbitrary-code-execution-vulnerability-text4shell-cve-2022-42889/>)\n\n* * *\n\n# **Discover and Prioritize Vulnerabilities in **[Vulnerability Management Detection Response](<https://www.qualys.com/apps/vulnerability-management-detection-response/>)** **(VMDR)\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its KnowledgeBase (KB). \n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n \n \n **Query: **vulnerabilities.vulnerability:( qid:`48223` OR qid:`50122` OR qid:`50123` OR qid:`91954` OR qid:`91956` OR qid:`91957` OR qid:`91958` OR qid:`91959` OR qid:`91960` OR qid:`110419` OR qid:`110420` )\n\n\n\n [In-Depth Look Into Data-Driven Science Behind Qualys TruRisk](<https://blog.qualys.com/vulnerabilities-threat-research/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk>)\n\n [Qualys VMDR Recognized as Best VM Solution by SC Awards 2022 & Leader by GigaOm](<https://blog.qualys.com/product-tech/2022/08/22/qualys-vmdr-recognized-as-best-vm-solution-by-sc-awards-2022-leader-by-gigaom>)\n\n [A Deep Dive into VMDR 2.0 with Qualys TruRisk\u2122](<https://blog.qualys.com/product-tech/2022/08/08/a-deep-dive-into-vmdr-2-0-with-qualys-trurisk>)\n\n* * *\n\n# **Rapid Response with **[Patch Management](<https://www.qualys.com/apps/patch-management/>) (PM)\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches with one click.\n\nThe following QQL will return the missing patches for this Patch Tuesday:\n \n \n **QUERY:** ( qid:`48223` OR qid:`50122` OR qid:`50123` OR qid:`91954` OR qid:`91956` OR qid:`91957` OR qid:`91958` OR qid:`91959` OR qid:`91960` OR qid:`110419` OR qid:`110420` )\n\n\n\n [Get Your Patch Tuesday Vulnerabilities Patched on Tuesday](<https://blog.qualys.com/qualys-insights/2022/11/08/get-your-patch-tuesday-vulnerabilities-patched-on-tuesday>) **_New_**\n\n [Why Organizations Struggle with Patch Management (and What to Do about It)](<https://tinyl.io/79TY>)\n\n [Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications](<https://blog.qualys.com/qualys-insights/2022/09/08/let-smart-automation-reduce-the-risk-of-zero-day-attacks-on-third-party-applications-2>)\n\n [Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0](<https://blog.qualys.com/product-tech/2022/06/22/risk-based-remediation-powered-by-patch-management-in-qualys-vmdr-2-0>)\n\n* * *\n\n# Extend the Power of VMDR to Enterprise Mobile Devices with Qualys [VMDR Mobile](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices/>) **_New_**\n\nQualys VMDR for enterprise mobile devices provides comprehensive visibility and continuously assesses device, OS, apps, and network vulnerabilities including critical device configurations of mobile devices across your enterprise.\n\nAs mobile devices have become ubiquitous in almost every business process, whether in bank branches, manufacturing sites, or retail stores, they are now hosting business applications and data that is subject to regulatory compliance and security. With access to critical corporate resources inside the corporate network, these mobile devices have become critical assets for organizations, and organizations are facing a new set of security challenges and risks.\n\nQID | Title \n---|--- \n610439 | Google Android October 2022 Security Patch Missing for Huawei EMUI \n610440 | Apple iOS 15.7.1 and iPadOS 15.7.1 Security Update Missing \n610438 | Google Android October 2022 Security Patch Missing for Samsung \n610436 | Google Pixel Android October 2022 Security Patch Missing \n610437 | Google Android Devices October 2022 Security Patch Missing \n610441 | Apple iOS 16.1 and iPadOS 16 Security Update Missing \n \nQualys' Vulnerability Management, Detection, and Response (VMDR) solution extends its power to mobile devices. It provides an in-depth inventory of mobile devices, real-time visibility into vulnerabilities and critical device settings, and built-in remediation with patch orchestration for all Android and iOS/iPadOS devices across the enterprise. An end-to-end solution for mobile device security.\n\nYou can visualize all your impacted mobile devices with vulnerabilities using the following QQL query:\n \n \n **Query:** vulnerabilities.vulnerability:( qid:`610439` OR qid:`610440` OR qid:`610438` OR qid:`610436` OR qid:`610437` OR qid:`610441` ) \n\n\n\n**[VMDR Mobile Blogs](<https://blog.qualys.com/tag/vmdr-for-mobile-devices>) **| Qualys, Inc.\n\nQualys VMDR Mobile [**User Guide**](<https://www.qualys.com/docs/qualys-vmdr-mobile-user-guide.pdf>) Version 1.5.0 (June 20, 2022) | Qualys, Inc > [**Documentation**](<https://www.qualys.com/documentation/>)\n\n[**Request a Free VMDR Mobile Trial**](<https://www.qualys.com/apps/vulnerability-management-detection-response/mobile-devices/>)\n\nVMDR Mobile is an out-of-the-box solution that\u2019s centrally managed and self-updating.\n\n* * *\n\n# EXECUTE Mitigation Using [Custom Assessment and Remediation](<https://tinyl.io/79UY>) (CAR)\n\n[Qualys Custom Assessment and Remediation](<https://www.qualys.com/apps/custom-assessment-remediation/>) empowers a system administrator to quickly and easily perform configuration updates on your technology infrastructure when the current situation requires the implementation of a vendor-suggested mitigation or workaround.\n\n**_Mitigation_** refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.\n\nA **_workaround_** is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn\u2019t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. [_Source_](<https://www.techtarget.com/whatis/definition/workaround>)\n\nCustomers can perform the provided mitigation steps by creating a PowerShell script and executing the script on vulnerable assets.\n\n**IMPORTANT: ** Scripts tend to change over time. **_Please refer to the Qualys GitHub Tuesday Patch [link](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch>) to ensure the most current version of a given [Patch Tuesday script](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch>) is in use._**\n\n* * *\n\n## [CVE-2022-37967](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967>) | Windows Kerberos Elevation of Privilege Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.2 / 10.\n\n[Exploitability Assessment:](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>) **_Exploitation More Likely_**\n\n#### **Take Action > **[**KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967**](<https://support.microsoft.com/help/5020805>)\n\nTo help protect your environment and prevent outages, we recommend that you take the following steps: \n\n 1. **UPDATE** your Windows domain controllers with a Windows update released on or after November 8, 2022.\n 2. **MOVE** your Windows domain controllers to Audit mode by using the Registry Key setting section.\n 3. **MONITOR** events filed during Audit mode to secure your environment.\n 4. **ENABLE **Enforcement mode to address [CVE-2022-37967](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967>) in your environment.\n\n**NOTE**: **_Step 1 of installing updates released on or after November 8, 2022, will not address the security issues in [CVE-2022-37967](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967>) for Windows devices by default._** **To fully mitigate the security issue for all devices**, you must move to Audit mode (described in Step 2) followed by Enforcement Mode (described in Step 4) as soon as possible on all Windows domain controllers. \n\n#### Leverage [Custom Assessment and Remediation](<https://tinyl.io/79UY>) for [CVE-2022-37967 Kerberos EOP Vuln](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/November/CVE-2022-37967%20Kerberos%20EOP%20Vuln>) to Execute Step #2: **[Enable Audit Mode](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/November/CVE-2022-37967%20Kerberos%20EOP%20Vuln/Enable%20Audit%20Mode>)**:\n \n \n if (Test-Path -path registry::HKEY_LOCAL_MACHINE\\System\\currentcontrolset\\services\\kdc -ErrorAction Ignore){\n reg add \"HKEY_LOCAL_MACHINE\\System\\currentcontrolset\\services\\kdc\" /v KrbtgtFullPacSignature /t REG_DWORD /d '2' /f | Out-Null\n Write-Output \"Audit mode has been enabled for CVE-2022-37967 mitigation. Value '2' has been configured for KrbtgtFullPacSignature\"\n }\n else {\n Write-Output \" 'HKEY_LOCAL_MACHINE\\System\\currentcontrolset\\services\\kdc' key not found\"\n }\n\n\n\n#### Leverage [Custom Assessment and Remediation](<https://tinyl.io/79UY>) for [CVE-2022-37967 Kerberos EOP Vuln](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/November/CVE-2022-37967%20Kerberos%20EOP%20Vuln>) to Execute Step #4: [Enable Enforcement Mode](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/November/CVE-2022-37967%20Kerberos%20EOP%20Vuln/Enable%20Enforcement%20Mode>):\n \n \n if (Test-Path -path registry::HKEY_LOCAL_MACHINE\\System\\currentcontrolset\\services\\kdc -ErrorAction Ignore){\n reg add \"HKEY_LOCAL_MACHINE\\System\\currentcontrolset\\services\\kdc\" /v KrbtgtFullPacSignature /t REG_DWORD /d '3' /f | Out-Null\n Write-Output \"Enforcement mode has been enabled for CVE-2022-37967 mitigation. Value '3' has been configured for KrbtgtFullPacSignature\"\n }\n else {\n Write-Output \"'HKEY_LOCAL_MACHINE\\System\\currentcontrolset\\services\\kdc' key not found\"\n }\n\n\n\n* * *\n\n## [CVE-2022-38023](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38023>) | Netlogon RPC Elevation of Privilege Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1 / 10.\n\n[Exploitability Assessment:](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>) **_Exploitation More Likely_**\n\nNote: This update protects Windows devices from CVE-2022-38023 by default. For third-party clients and third-party domain controllers, the update is in Compatibility mode by default and allows vulnerable connections from such clients. Refer to the Registry Key settings section for steps to move to Enforcement mode.\n\n#### Leverage [Custom Assessment and Remediation](<https://tinyl.io/79UY>) for [CVE-2022-38023 - Netlogon RPC EOP Vuln](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/tree/main/Tuesday%20Patch/2022/November/CVE-2022-38023%20-%20Netlogon%20RPC%20EOP%20Vuln>) to [Enable Enforcement Mode](<https://github.com/Qualys/Custom-Assessment-and-Remediation-Script-Library/blob/main/Tuesday%20Patch/2022/November/CVE-2022-38023%20-%20Netlogon%20RPC%20EOP%20Vuln/Enable%20Enforcement%20for%20CVE-2022-38023.ps1>):\n \n \n if (Test-Path -path registry::HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters -ErrorAction Ignore){\n reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters\" /v RequireSeal /t REG_DWORD /d '2' /f | Out-Null\n Write-Output \"Enforcement mode has been enabled for CVE-2022-38023 mitigation for third-party clients and third-party domain controllers. Value '2' has been configured for RequireSeal\"\n }\n else {\n Write-Output \"'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters' key not found\"\n }\n\n\n\n* * *\n\n# **EVALUATE Vendor-Suggested Mitigation with **[**Policy Compliance**](<https://www.qualys.com/forms/policy-compliance/>) (PC)\n\n[Qualys Policy Compliance Control Library](<https://vimeo.com/700790353>) makes it easy to evaluate your technology infrastructure when the current situation requires implementation validation of a vendor-suggested mitigation or workaround.\n\n**_Mitigation_** refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability.\n\nA **_workaround_** is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn\u2019t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned. [_Source_](<https://www.techtarget.com/whatis/definition/workaround>)\n\nThe following [Qualys Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC) ](<https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/module_pc/controls/controls_lp.htm>)have been updated to support Microsoft recommended mitigation(s) for this Patch Tuesday:\n\n## [CVE-2022-37967](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967>) | Windows Kerberos Elevation of Privilege Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 7.2 / 10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **25167** Status of the 'KrbtgtFullPacSignature' setting for the Kerberos\n\n[As per KB5020805, this mitigation should be applied after the patch ](<https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb>)\n\nNOTE: To help protect your environment and prevent outages, [we have outlined the Qualys recommended remediation steps above](<https://blog.qualys.com/vulnerabilities-threat-research/2022/11/08/november-2022-patch-tuesday#QLYS-Recommendation-37967>) and provided Qualys Custom Assessment and Remediation (CAR) supporting scripts.\n\n[Exploitability Assessment:](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>) **_Exploitation More Likely_**\n\n* * *\n\n## [CVE-2022-38023](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38023>) | Netlogon RPC Elevation of Privilege Vulnerability\n\nThis vulnerability has a CVSSv3.1 score of 8.1 / 10.\n\nPolicy Compliance Control IDs (CIDs):\n\n * **25168 ** Status of the 'RequireSeal' setting for the Netlogon Remote Protocol\n\n[As per KB5021130, this mitigation should be applied after the patch ](<https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25>)\n\nNOTE: To help protect your environment and prevent outages, [we have outlined the Qualys recommended remediation steps above](<https://blog.qualys.com/vulnerabilities-threat-research/2022/11/08/november-2022-patch-tuesday#QLYS-Recommendation-38023>) and provided Qualys Custom Assessment and Remediation (CAR) supporting scripts.\n\n[Exploitability Assessment:](<https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1>) **_Exploitation More Likely_**\n\n* * *\n\n# **Patch Tuesday is Complete.**\n\n* * *\n\n# [This Month in Vulnerabilities and Patches](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>) Webinar Series \n\n[](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)\n\n[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/97049/patch-tuesday>)\n\nThe Qualys Product Management and Threat Research team members host a monthly webinar series to help our existing customers leverage the seamless integration between [Qualys Vulnerability Management Detection Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) and [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>). Combining these two solutions can reduce the median time to remediate critical vulnerabilities. \n\nDuring the webcast, this month\u2019s Patch Tuesday high-impact vulnerabilities will be discussed. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.\n\n* * *\n\n# UPCOMING EVENTS\n\n* * *\n\nThe content within this section will spotlight upcoming Vulnerability Management, Patch Management, Threat Protection, Custom Assessment and Remediation, and Policy Compliance adjacent events available to our prospective, new, and existing customers.\n\n## [**WEBINARS**](<https://gateway.on24.com/wcc/eh/3347108/category/91385/upcoming-webinars>)\n\n## Qualys Workshop Wednesday\n\n[](<https://gateway.on24.com/wcc/eh/3347108/category/111238/workshop-wednesday>)**For our December 7th session, we will cover security compliance with Qualys Cloud. **\n\n[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/111238/workshop-wednesday>)\n\nAt Qualys Inc, providing cybersecurity through technology is what we do. Join us each month as we tap into the minds of Qualys experts to share how you can get the most out of your investment and understand ways in which you can quickly reduce your cyber risk exposure using the Qualys Cloud Platform. Each 45-minute monthly session, hosted on the first Wednesday of the month, will showcase practical hands-on tips and tricks, news on new capabilities and services, as well as useful customer success stories that can help you get the most out of the Qualys Cloud Platform. \n\n* * *\n\n## Qualys Threat Thursdays\n\n[](<https://gateway.on24.com/wcc/eh/3347108/category/111445/threat-thursday>)November 2022 Threat Thursday Topic is **[Empire](<https://github.com/EmpireProject>)**, an Open-Source cross-platform post-exploitation framework that has been in active development since 2015.\n\n[Subscribe Now](<https://gateway.on24.com/wcc/eh/3347108/category/111445/threat-thursday>)\n\nThe Qualys Threat Research team invites you to join their regular monthly webinar series covering the latest threat intelligence analysis and insight. \n\nNever miss an update. [Subscribe Today](<https://gateway.on24.com/wcc/eh/3347108/category/111445/threat-thursday>)!\n\n[Click Here](<https://tinyl.io/79BC>) to quickly navigate to Qualys Threat Thursday blog posts.\n\n* * *\n\n## [**CONFERENCES**](<https://www.qualys.com/qsc/locations/>)\n\n_**Sessions and Keynotes will be available on the Qualys site in the coming days.**_\n\n## [Qualys Security Blog | Expert Network Security Guidance and News](<https://blog.qualys.com/>)\n\n * [**QSC 2022 Kickoff: Quantifying and Qualifying Digital Cyber Risks**](<https://blog.qualys.com/qualys-insights/2022/11/09/qsc-2022-kickoff-quantifying-and-qualifying-digital-cyber-risks>)\n * **[QSC 2022 Day 1 Recap: Qualys Gives Organizations More Security in an Ever-Expanding Threat Landscape](<https://blog.qualys.com/qualys-insights/2022/11/10/qsc-2022-day-1-recap-qualys-gives-organizations-more-security-in-an-ever-expanding-threat-landscape>)**\n * [**QSC 2022: Qualys\u2019 Threat Research Unit (TRU) \u2013 Our Shield Is Your Shield**](<https://blog.qualys.com/vulnerabilities-threat-research/2022/11/10/qsc-2022-qualys-threat-research-unit-tru-our-shield-is-your-shield>) _**New**_\n\n* * *\n\n\n\n[Click Here for More Info](<https://www.qualys.com/qsc>)\n\n* * *\n\n#### This month\u2019s blog content is the result of collaboration with and contributions from:\n\n_In order of appearance_\n\n * Quote: [Travis Smith](<https://blog.qualys.com/author/tsmith>) VP, Malware Threat Research, Qualys\n * QID Content: Arun Kethipelly, Manager, Signature Engineering\n * QID Content: Dianfang (Sabrina) Gao, Lead, QA Engineer\n * VMDR Mobile Content: [Swapnil Ahirrao](<https://blog.qualys.com/author/sahirrao>), Principal Product Manager, VMDR\n * VMDR Mobile Content: Swapnil Bhoskar, Lead, Security Signature Engineer\n * CAR Content: Mukesh Choudhary, Compliance Research Analyst\n * CAR Content: [Lavish Jhamb](<https://blog.qualys.com/author/ljhamb>), Solution Architect, Compliance Solutions\n * PC Content: Xiaoran (Alex) Dong, Manager, Compliance Signature Engineering\n\n* * *", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-08T21:00:00", "type": "qualysblog", "title": "November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities with 10 Critical; Adobe Releases Zero Advisories (for the first time in six years).", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-3602", "CVE-2022-3723", "CVE-2022-3786", "CVE-2022-37966", "CVE-2022-37967", "CVE-2022-38023", "CVE-2022-41040", "CVE-2022-41044", "CVE-2022-41073", "CVE-2022-41080", "CVE-2022-41082", "CVE-2022-41088", "CVE-2022-41091", "CVE-2022-41118", "CVE-2022-41125", "CVE-2022-41128", "CVE-2022-41973", "CVE-2022-41974", "CVE-2022-42889", "CVE-2022-44889", "CVE-2202-3602"], "modified": "2022-11-08T21:00:00", "id": "QUALYSBLOG:5A5DF56C2B4E5DB4176574A83F54FECB", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 0.0, "vector": "NONE"}}], "cnvd": [{"lastseen": "2022-12-06T11:23:22", "description": "Google Chrome is a web browser from Google, Inc. A security vulnerability exists in Google Chrome that could be exploited by attackers to execute arbitrary code or cause a denial of service on a system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-31T00:00:00", "type": "cnvd", "title": "Google Chrome V8 Code Execution Vulnerability (CNVD-2022-85092)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-12-06T00:00:00", "id": "CNVD-2022-85092", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-85092", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-10-27T12:58:09", "description": "The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2022:10218-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-27T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : opera (openSUSE-SU-2022:10218-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:opera", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2022-10218-1.NASL", "href": "https://www.tenable.com/plugins/nessus/168203", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10218-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168203);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/20\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n\n script_name(english:\"openSUSE 15 Security Update : opera (openSUSE-SU-2022:10218-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the\nopenSUSE-SU-2022:10218-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AUXLEW4XOFSF5F25BFYCIF4VH46PGPXO/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?120995fe\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/SuSE/release');\nif (isnull(os_release) || os_release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar _os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:os_release);\nif (isnull(_os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\n_os_ver = _os_ver[1];\nif (os_release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', os_release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + _os_ver, cpu);\n\nvar pkgs = [\n {'reference':'opera-93.0.4585.11-lp153.2.69.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var _cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (rpm_check(release:_release, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'opera');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:56:00", "description": "The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2022:10219-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-27T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : opera (openSUSE-SU-2022:10219-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:opera", "cpe:/o:novell:opensuse:15.4"], "id": "OPENSUSE-2022-10219-1.NASL", "href": "https://www.tenable.com/plugins/nessus/168202", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10219-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168202);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/20\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n\n script_name(english:\"openSUSE 15 Security Update : opera (openSUSE-SU-2022:10219-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has a package installed that is affected by a vulnerability as referenced in the\nopenSUSE-SU-2022:10219-1 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M3YSR5SGLX4ZWKZX5LU5PNOXUXPMIUPR/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0dc5a900\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.4\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/SuSE/release');\nif (isnull(os_release) || os_release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar _os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:os_release);\nif (isnull(_os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\n_os_ver = _os_ver[1];\nif (os_release !~ \"^(SUSE15\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.4', os_release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + _os_ver, cpu);\n\nvar pkgs = [\n {'reference':'opera-93.0.4585.11-lp154.2.29.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var _cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (rpm_check(release:_release, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'opera');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:07", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 107.0.1418.26. It is, therefore, affected by a vulnerability as referenced in the October 31, 2022 advisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-01T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 107.0.1418.26 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-06T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_107_0_1418_26.NASL", "href": "https://www.tenable.com/plugins/nessus/166749", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166749);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/06\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 107.0.1418.26 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 107.0.1418.26. It is, therefore, affected\nby a vulnerability as referenced in the October 31, 2022 advisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#october-31-2022\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ff54e40b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 107.0.1418.26 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar app_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nvar constraints = [\n { 'fixed_version' : '106.0.1370.61', 'fixed_display' : '106.0.1370.61 (Extended Stable Channel) / 107.0.1418.26 (Stable Channel)' },\n { 'min_version' : '107.0.1418.24', 'fixed_version' : '107.0.1418.26' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:06", "description": "The version of Google Chrome installed on the remote macOS host is prior to 107.0.5304.87. It is, therefore, affected by a vulnerability as referenced in the 2022_10_stable-channel-update-for-desktop_27 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-27T00:00:00", "type": "nessus", "title": "Google Chrome < 107.0.5304.87 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-06T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_107_0_5304_87.NASL", "href": "https://www.tenable.com/plugins/nessus/166630", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166630);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/06\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"Google Chrome < 107.0.5304.87 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 107.0.5304.87. It is, therefore, affected by\na vulnerability as referenced in the 2022_10_stable-channel-update-for-desktop_27 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?88b3eec6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1378239\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 107.0.5304.87 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'107.0.5304.87', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:06", "description": "The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5263 advisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-30T00:00:00", "type": "nessus", "title": "Debian DSA-5263-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-06T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:11.0", "p-cpe:/a:debian:debian_linux:chromium", "p-cpe:/a:debian:debian_linux:chromium-driver", "p-cpe:/a:debian:debian_linux:chromium-l10n", "p-cpe:/a:debian:debian_linux:chromium-common", "p-cpe:/a:debian:debian_linux:chromium-shell", "p-cpe:/a:debian:debian_linux:chromium-sandbox"], "id": "DEBIAN_DSA-5263.NASL", "href": "https://www.tenable.com/plugins/nessus/166704", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-5263. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166704);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/06\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"Debian DSA-5263-1 : chromium - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5263\nadvisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/chromium\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2022/dsa-5263\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-3723\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/chromium\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (bullseye), this problem has been fixed in version 107.0.5304.87-1~deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-driver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-l10n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-sandbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium-shell\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar debian_release = get_kb_item('Host/Debian/release');\nif ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');\ndebian_release = chomp(debian_release);\nif (! preg(pattern:\"^(11)\\.[0-9]+\", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'chromium', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-common', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-driver', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-l10n', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-sandbox', 'reference': '107.0.5304.87-1~deb11u1'},\n {'release': '11.0', 'prefix': 'chromium-shell', 'reference': '107.0.5304.87-1~deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var _release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (_release && prefix && reference) {\n if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium / chromium-common / chromium-driver / chromium-l10n / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:56", "description": "The version of Google Chrome installed on the remote Windows host is prior to 107.0.5304.87/.88. It is, therefore, affected by a vulnerability as referenced in the 2022_10_stable-channel-update-for-desktop_27 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-27T00:00:00", "type": "nessus", "title": "Google Chrome < 107.0.5304.87/.88 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-21T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_107_0_5304_87.NASL", "href": "https://www.tenable.com/plugins/nessus/166631", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166631);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/21\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"Google Chrome < 107.0.5304.87/.88 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 107.0.5304.87/.88. It is, therefore,\naffected by a vulnerability as referenced in the 2022_10_stable-channel-update-for-desktop_27 advisory.\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?88b3eec6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1378239\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 107.0.5304.87 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\nvar installs = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'107.0.5304.87', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:55:58", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 1225c888-56ea-11ed-b5c3-3065ec8fd3ec advisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-10-28T00:00:00", "type": "nessus", "title": "FreeBSD : chromium -- Type confusion in V8 (1225c888-56ea-11ed-b5c3-3065ec8fd3ec)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-06T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ungoogled-chromium", "p-cpe:/a:freebsd:freebsd:chromium"], "id": "FREEBSD_PKG_1225C88856EA11EDB5C33065EC8FD3EC.NASL", "href": "https://www.tenable.com/plugins/nessus/166701", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166701);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/06\");\n\n script_cve_id(\"CVE-2022-3723\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"FreeBSD : chromium -- Type confusion in V8 (1225c888-56ea-11ed-b5c3-3065ec8fd3ec)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 1225c888-56ea-11ed-b5c3-3065ec8fd3ec advisory.\n\n - Type Confusion in V8. (CVE-2022-3723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?88b3eec6\");\n # https://vuxml.freebsd.org/freebsd/1225c888-56ea-11ed-b5c3-3065ec8fd3ec.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?129bfb6c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ungoogled-chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'chromium<107.0.5304.87',\n 'ungoogled-chromium<107.0.5304.87'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:56", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10177-1 advisory.\n\n - Type Confusion in V8. (CVE-2022-3652, CVE-2022-3723)\n\n - Heap buffer overflow in Vulkan. (CVE-2022-3653)\n\n - Use after free in Layout. (CVE-2022-3654)\n\n - Heap buffer overflow in Media Galleries. (CVE-2022-3655)\n\n - Insufficient data validation in File System. (CVE-2022-3656)\n\n - Use after free in Extensions. (CVE-2022-3657)\n\n - Use after free in Feedback service on Chrome OS. (CVE-2022-3658)\n\n - Use after free in Accessibility. (CVE-2022-3659)\n\n - Inappropriate implementation in Full screen mode. (CVE-2022-3660)\n\n - Insufficient data validation in Extensions. (CVE-2022-3661)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-01T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10177-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3652", "CVE-2022-3653", "CVE-2022-3654", "CVE-2022-3655", "CVE-2022-3656", "CVE-2022-3657", "CVE-2022-3658", "CVE-2022-3659", "CVE-2022-3660", "CVE-2022-3661", "CVE-2022-3723"], "modified": "2023-10-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromedriver", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2022-10177-1.NASL", "href": "https://www.tenable.com/plugins/nessus/166766", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10177-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166766);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/25\");\n\n script_cve_id(\n \"CVE-2022-3652\",\n \"CVE-2022-3653\",\n \"CVE-2022-3654\",\n \"CVE-2022-3655\",\n \"CVE-2022-3656\",\n \"CVE-2022-3657\",\n \"CVE-2022-3658\",\n \"CVE-2022-3659\",\n \"CVE-2022-3660\",\n \"CVE-2022-3661\",\n \"CVE-2022-3723\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10177-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2022:10177-1 advisory.\n\n - Type Confusion in V8. (CVE-2022-3652, CVE-2022-3723)\n\n - Heap buffer overflow in Vulkan. (CVE-2022-3653)\n\n - Use after free in Layout. (CVE-2022-3654)\n\n - Heap buffer overflow in Media Galleries. (CVE-2022-3655)\n\n - Insufficient data validation in File System. (CVE-2022-3656)\n\n - Use after free in Extensions. (CVE-2022-3657)\n\n - Use after free in Feedback service on Chrome OS. (CVE-2022-3658)\n\n - Use after free in Accessibility. (CVE-2022-3659)\n\n - Inappropriate implementation in Full screen mode. (CVE-2022-3660)\n\n - Insufficient data validation in Extensions. (CVE-2022-3661)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1204732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1204819\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C5ZTHS4CVKMHGRNVO5FNFQEVHUH3FEZU/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56185220\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3652\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3653\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3655\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3656\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3657\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3658\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3659\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3660\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3661\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromedriver and / or chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/SuSE/release');\nif (isnull(os_release) || os_release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar _os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:os_release);\nif (isnull(_os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\n_os_ver = _os_ver[1];\nif (os_release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', os_release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + _os_ver, cpu);\n\nvar pkgs = [\n {'reference':'chromedriver-107.0.5304.87-bp153.2.133.1', 'cpu':'aarch64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromedriver-107.0.5304.87-bp153.2.133.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-107.0.5304.87-bp153.2.133.1', 'cpu':'aarch64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-107.0.5304.87-bp153.2.133.1', 'cpu':'x86_64', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var _cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (rpm_check(release:_release, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromedriver / chromium');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T12:58:07", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:10180-1 advisory.\n\n - Type Confusion in V8. (CVE-2022-3652, CVE-2022-3723)\n\n - Heap buffer overflow in Vulkan. (CVE-2022-3653)\n\n - Use after free in Layout. (CVE-2022-3654)\n\n - Heap buffer overflow in Media Galleries. (CVE-2022-3655)\n\n - Insufficient data validation in File System. (CVE-2022-3656)\n\n - Use after free in Extensions. (CVE-2022-3657)\n\n - Use after free in Feedback service on Chrome OS. (CVE-2022-3658)\n\n - Use after free in Accessibility. (CVE-2022-3659)\n\n - Inappropriate implementation in Full screen mode. (CVE-2022-3660)\n\n - Insufficient data validation in Extensions. (CVE-2022-3661)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-11-01T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10180-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3652", "CVE-2022-3653", "CVE-2022-3654", "CVE-2022-3655", "CVE-2022-3656", "CVE-2022-3657", "CVE-2022-3658", "CVE-2022-3659", "CVE-2022-3660", "CVE-2022-3661", "CVE-2022-3723"], "modified": "2023-10-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromium", "cpe:/o:novell:opensuse:15.4", "p-cpe:/a:novell:opensuse:chromedriver"], "id": "OPENSUSE-2022-10180-1.NASL", "href": "https://www.tenable.com/plugins/nessus/166762", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:10180-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166762);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/25\");\n\n script_cve_id(\n \"CVE-2022-3652\",\n \"CVE-2022-3653\",\n \"CVE-2022-3654\",\n \"CVE-2022-3655\",\n \"CVE-2022-3656\",\n \"CVE-2022-3657\",\n \"CVE-2022-3658\",\n \"CVE-2022-3659\",\n \"CVE-2022-3660\",\n \"CVE-2022-3661\",\n \"CVE-2022-3723\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n script_xref(name:\"IAVA\", value:\"2022-A-0453-S\");\n\n script_name(english:\"openSUSE 15 Security Update : chromium (openSUSE-SU-2022:10180-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2022:10180-1 advisory.\n\n - Type Confusion in V8. (CVE-2022-3652, CVE-2022-3723)\n\n - Heap buffer overflow in Vulkan. (CVE-2022-3653)\n\n - Use after free in Layout. (CVE-2022-3654)\n\n - Heap buffer overflow in Media Galleries. (CVE-2022-3655)\n\n - Insufficient data validation in File System. (CVE-2022-3656)\n\n - Use after free in Extensions. (CVE-2022-3657)\n\n - Use after free in Feedback service on Chrome OS. (CVE-2022-3658)\n\n - Use after free in Accessibility. (CVE-2022-3659)\n\n - Inappropriate implementation in Full screen mode. (CVE-2022-3660)\n\n - Insufficient data validation in Extensions. (CVE-2022-3661)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1204732\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1204819\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3DL7MSB2KL4PJBOEPFHVNU2YH353TPTY/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?51034ddf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3652\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3653\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3655\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3656\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3657\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3658\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3659\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3660\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3661\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3723\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromedriver and / or chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3723\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.4\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/SuSE/release');\nif (isnull(os_release) || os_release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar _os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:os_release);\nif (isnull(_os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\n_os_ver = _os_ver[1];\nif (os_release !~ \"^(SUSE15\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.4', os_release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + _os_ver, cpu);\n\nvar pkgs = [\n {'reference':'chromedriver-107.0.5304.87-bp154.2.40.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromedriver-107.0.5304.87-bp154.2.40.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-107.0.5304.87-bp154.2.40.1', 'cpu':'aarch64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'chromium-107.0.5304.87-bp154.2.40.1', 'cpu':'x86_64', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var _cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (rpm_check(release:_release, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromedriver / chromium');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T16:07:04", "description": "The remote host is affected by the vulnerability described in GLSA-202305-10 (Chromium, Google Chrome, Microsoft Edge:\nMultiple Vulnerabilities)\n\n - Use after free in Skia in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3445)\n\n - Heap buffer overflow in WebSQL in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3446)\n\n - Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 106.0.5249.119 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3447)\n\n - Use after free in Permissions API in Google Chrome prior to 106.0.5249.119 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3448)\n\n - Use after free in Safe Browsing in Google Chrome prior to 106.0.5249.119 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High) (CVE-2022-3449)\n\n - Use after free in Peer Connection in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3450)\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\n - Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (Chromium security severity: High) (CVE-2022-4135)\n\n - Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4174)\n\n - Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4175)\n\n - Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via UI interactions. (Chromium security severity: High) (CVE-2022-4176)\n\n - Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI interaction. (Chromium security severity: High) (CVE-2022-4177)\n\n - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4178)\n\n - Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.\n (Chromium security severity: High) (CVE-2022-4179)\n\n - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.\n (Chromium security severity: High) (CVE-2022-4180)\n\n - Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4181)\n\n - Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass fenced frame restrictions via a crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4182)\n\n - Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4183)\n\n - Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4184)\n\n - Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote attacker to spoof the contents of the modal dialogue via a crafted HTML page. (Chromium security severity:\n Medium) (CVE-2022-4185)\n\n - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4186)\n\n - Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity:\n Medium) (CVE-2022-4187)\n\n - Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4188)\n\n - Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) (CVE-2022-4189)\n\n - Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4190)\n\n - Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via profile destruction. (Chromium security severity: Medium) (CVE-2022-4191)\n\n - Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI interaction. (Chromium security severity: Medium) (CVE-2022-4192)\n\n - Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity:\n Medium) (CVE-2022-4193)\n\n - Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4194)\n\n - Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium) (CVE-2022-4195)\n\n - Use after free in Blink Media in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4436)\n\n - Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4437)\n\n - Use after free in Blink Frames in Google Chrome prior to 108.0.5359.124 allowed a remote attacker who convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4438)\n\n - Use after free in Aura in Google Chrome on Windows prior to 108.0.5359.124 allowed a remote attacker who convinced the user to engage in specific UI interactions to potentially exploit heap corruption via specific UI interactions. (Chromium security severity: High) (CVE-2022-4439)\n\n - Use after free in Profiles in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4440)\n\n - Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability. (CVE-2022-41115)\n\n - Microsoft Edge (Chromium-based) Spoofing Vulnerability (CVE-2022-44688)\n\n - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. (CVE-2022-44708)\n\n - Use after free in Overview Mode in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2023-0128)\n\n - Heap buffer overflow in Network Service in Google Chrome prior to 109.0.5414.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page and specific interactions. (Chromium security severity: High) (CVE-2023-0129)\n\n - Inappropriate implementation in in Fullscreen API in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (Chromium security severity: Medium) (CVE-2023-0130)\n\n - Inappropriate implementation in in iframe Sandbox in Google Chrome prior to 109.0.5414.74 allowed a remote attacker to bypass file download restrictions via a crafted HTML page. (Chromium security severity:\n Medium) (CVE-2023-0131)\n\n - Inappropriate implementation in in Permission prompts in Google Chrome on Windows prior to 109.0.5414.74 allowed a remote attacker to force acceptance of a permission prompt via a crafted HTML page. (Chromium security severity: Medium) (CVE-2023-0132)\n\n - Inappropriate implementation in in Permission prompts in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to bypass main origin permission delegation via a crafted HTML page. (Chromium security severity: Medium) (CVE-2023-0133)\n\n - Use after free in Cart in Google Chrome prior to 109.0.5414.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via database corruption and a crafted HTML page. (Chromium security severity: Medium) (CVE-2023-0134, CVE-2023-0135)\n\n - Inappropriate implementation in in Fullscreen API in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to execute incorrect security UI via a crafted HTML page. (Chromium security severity: Medium) (CVE-2023-0136)\n\n - Heap buffer overflow in Platform Apps in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) (CVE-2023-0137)\n\n - Heap buffer overflow in libphonenumber in Google Chrome prior to 109.0.5414.74 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) (CVE-2023-0138)\n\n - Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 109.0.5414.74 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Low) (CVE-2023-0139)\n\n - Inappropriate implementation in in File System API in Google Chrome on Windows prior to 109.0.5414.74 allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Low) (CVE-2023-0140)\n\n - Insufficient policy enforcement in CORS in Google Chrome prior to 109.0.5414.74 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) (CVE-2023-0141)\n\n - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. (CVE-2023-21719)\n\n - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability (CVE-2023-21775)\n\n - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability (CVE-2023-21795, CVE-2023-21796)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-03T00:00:00", "type": "nessus", "title": "GLSA-202305-10 : Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3445", "CVE-2022-3446", "CVE-2022-3447", "CVE-2022-3448", "CVE-2022-3449", "CVE-2022-3450", "CVE-2022-3723", "CVE-2022-41115", "CVE-2022-4135", "CVE-2022-4174", "CVE-2022-4175", "CVE-2022-4176", "CVE-2022-4177", "CVE-2022-4178", "CVE-2022-4179", "CVE-2022-4180", "CVE-2022-4181", "CVE-2022-4182", "CVE-2022-4183", "CVE-2022-4184", "CVE-2022-4185", "CVE-2022-4186", "CVE-2022-4187", "CVE-2022-4188", "CVE-2022-4189", "CVE-2022-4190", "CVE-2022-4191", "CVE-2022-4192", "CVE-2022-4193", "CVE-2022-4194", "CVE-2022-4195", "CVE-2022-4436", "CVE-2022-4437", "CVE-2022-4438", "CVE-2022-4439", "CVE-2022-4440", "CVE-2022-44688", "CVE-2022-44708", "CVE-2023-0128", "CVE-2023-0129", "CVE-2023-0130", "CVE-2023-0131", "CVE-2023-0132", "CVE-2023-0133", "CVE-2023-0134", "CVE-2023-0135", "CVE-2023-0136", "CVE-2023-0137", "CVE-2023-0138", "CVE-2023-0139", "CVE-2023-0140", "CVE-2023-0141", "CVE-2023-21719", "CVE-2023-21775", "CVE-2023-21795", "CVE-2023-21796"], "modified": "2023-10-23T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:chromium", "p-cpe:/a:gentoo:linux:chromium-bin", "p-cpe:/a:gentoo:linux:google-chrome", "p-cpe:/a:gentoo:linux:microsoft-edge", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202305-10.NASL", "href": "https://www.tenable.com/plugins/nessus/175034", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202305-10.\n#\n# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike\n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(175034);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/23\");\n\n script_cve_id(\n \"CVE-2022-3445\",\n \"CVE-2022-3446\",\n \"CVE-2022-3447\",\n \"CVE-2022-3448\",\n \"CVE-2022-3449\",\n \"CVE-2022-3450\",\n \"CVE-2022-3723\",\n \"CVE-2022-4135\",\n \"CVE-2022-4174\",\n \"CVE-2022-4175\",\n \"CVE-2022-4176\",\n \"CVE-2022-4177\",\n \"CVE-2022-4178\",\n \"CVE-2022-4179\",\n \"CVE-2022-4180\",\n \"CVE-2022-4181\",\n \"CVE-2022-4182\",\n \"CVE-2022-4183\",\n \"CVE-2022-4184\",\n \"CVE-2022-4185\",\n \"CVE-2022-4186\",\n \"CVE-2022-4187\",\n \"CVE-2022-4188\",\n \"CVE-2022-4189\",\n \"CVE-2022-4190\",\n \"CVE-2022-4191\",\n \"CVE-2022-4192\",\n \"CVE-2022-4193\",\n \"CVE-2022-4194\",\n \"CVE-2022-4195\",\n \"CVE-2022-4436\",\n \"CVE-2022-4437\",\n \"CVE-2022-4438\",\n \"CVE-2022-4439\",\n \"CVE-2022-4440\",\n \"CVE-2022-41115\",\n \"CVE-2022-44688\",\n \"CVE-2022-44708\",\n \"CVE-2023-0128\",\n \"CVE-2023-0129\",\n \"CVE-2023-0130\",\n \"CVE-2023-0131\",\n \"CVE-2023-0132\",\n \"CVE-2023-0133\",\n \"CVE-2023-0134\",\n \"CVE-2023-0135\",\n \"CVE-2023-0136\",\n \"CVE-2023-0137\",\n \"CVE-2023-0138\",\n \"CVE-2023-0139\",\n \"CVE-2023-0140\",\n \"CVE-2023-0141\",\n \"CVE-2023-21719\",\n \"CVE-2023-21775\",\n \"CVE-2023-21795\",\n \"CVE-2023-21796\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/12/19\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/11/18\");\n\n script_name(english:\"GLSA-202305-10 : Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-202305-10 (Chromium, Google Chrome, Microsoft Edge:\nMultiple Vulnerabilities)\n\n - Use after free in Skia in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3445)\n\n - Heap buffer overflow in WebSQL in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)\n (CVE-2022-3446)\n\n - Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 106.0.5249.119 allowed a\n remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security\n severity: High) (CVE-2022-3447)\n\n - Use after free in Permissions API in Google Chrome prior to 106.0.5249.119 allowed a remote attacker who\n convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted\n HTML page. (Chromium security severity: High) (CVE-2022-3448)\n\n - Use after free in Safe Browsing in Google Chrome prior to 106.0.5249.119 allowed an attacker who convinced\n a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome\n Extension. (Chromium security severity: High) (CVE-2022-3449)\n\n - Use after free in Peer Connection in Google Chrome prior to 106.0.5249.119 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)\n (CVE-2022-3450)\n\n - Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-3723)\n\n - Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had\n compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (Chromium security severity: High) (CVE-2022-4135)\n\n - Type confusion in V8 in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4174)\n\n - Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)\n (CVE-2022-4175)\n\n - Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71\n allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially\n exploit heap corruption via UI interactions. (Chromium security severity: High) (CVE-2022-4176)\n\n - Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a\n user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI\n interaction. (Chromium security severity: High) (CVE-2022-4177)\n\n - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who had\n compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium\n security severity: High) (CVE-2022-4178)\n\n - Use after free in Audio in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user\n to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.\n (Chromium security severity: High) (CVE-2022-4179)\n\n - Use after free in Mojo in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to\n install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.\n (Chromium security severity: High) (CVE-2022-4180)\n\n - Use after free in Forms in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (Chromium security severity: High) (CVE-2022-4181)\n\n - Inappropriate implementation in Fenced Frames in Google Chrome prior to 108.0.5359.71 allowed a remote\n attacker to bypass fenced frame restrictions via a crafted HTML page. (Chromium security severity: Medium)\n (CVE-2022-4182)\n\n - Insufficient policy enforcement in Popup Blocker in Google Chrome prior to 108.0.5359.71 allowed a remote\n attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)\n (CVE-2022-4183)\n\n - Insufficient policy enforcement in Autofill in Google Chrome prior to 108.0.5359.71 allowed a remote\n attacker to bypass autofill restrictions via a crafted HTML page. (Chromium security severity: Medium)\n (CVE-2022-4184)\n\n - Inappropriate implementation in Navigation in Google Chrome on iOS prior to 108.0.5359.71 allowed a remote\n attacker to spoof the contents of the modal dialogue via a crafted HTML page. (Chromium security severity:\n Medium) (CVE-2022-4185)\n\n - Insufficient validation of untrusted input in Downloads in Google Chrome prior to 108.0.5359.71 allowed an\n attacker who convinced a user to install a malicious extension to bypass Downloads restrictions via a\n crafted HTML page. (Chromium security severity: Medium) (CVE-2022-4186)\n\n - Insufficient policy enforcement in DevTools in Google Chrome on Windows prior to 108.0.5359.71 allowed a\n remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity:\n Medium) (CVE-2022-4187)\n\n - Insufficient validation of untrusted input in CORS in Google Chrome on Android prior to 108.0.5359.71\n allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security\n severity: Medium) (CVE-2022-4188)\n\n - Insufficient policy enforcement in DevTools in Google Chrome prior to 108.0.5359.71 allowed an attacker\n who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted\n Chrome Extension. (Chromium security severity: Medium) (CVE-2022-4189)\n\n - Insufficient data validation in Directory in Google Chrome prior to 108.0.5359.71 allowed a remote\n attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Medium)\n (CVE-2022-4190)\n\n - Use after free in Sign-In in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who convinced\n a user to engage in specific UI interaction to potentially exploit heap corruption via profile\n destruction. (Chromium security severity: Medium) (CVE-2022-4191)\n\n - Use after free in Live Caption in Google Chrome prior to 108.0.5359.71 allowed a remote attacker who\n convinced a user to engage in specific UI interaction to potentially exploit heap corruption via UI\n interaction. (Chromium security severity: Medium) (CVE-2022-4192)\n\n - Insufficient policy enforcement in File System API in Google Chrome prior to 108.0.5359.71 allowed a\n remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity:\n Medium) (CVE-2022-4193)\n\n - Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)\n (CVE-2022-4194)\n\n - Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote\n attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)\n (CVE-2022-4195)\n\n - Use after free in Blink Media in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)\n (CVE-2022-4436)\n\n - Use after free in Mojo IPC in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)\n (CVE-2022-4437)\n\n - Use after free in Blink Frames in Google Chrome prior to 108.0.5359.124 allowed a remote attacker who\n convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a\n crafted HTML page. (Chromium security severity: High) (CVE-2022-4438)\n\n - Use after free in Aura in Google Chrome on Windows prior to 108.0.5359.124 allowed a remote attacker who\n convinced the user to engage in specific UI interactions to potentially exploit heap corruption via\n specific UI interactions. (Chromium security severity: High) (CVE-2022-4439)\n\n - Use after free in Profiles in Google Chrome prior to 108.0.5359.124 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)\n (CVE-2022-4440)\n\n - Microsoft Edge (Chromium-based) Update Elevation of Privilege Vulnerability. (CVE-2022-41115)\n\n - Microsoft Edge (Chromium-based) Spoofing Vulnerability (CVE-2022-44688)\n\n - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. (CVE-2022-44708)\n\n - Use after free in Overview Mode in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed a remote\n attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption\n via a crafted HTML page. (Chromium security severity: High) (CVE-2023-0128)\n\n - Heap buffer overflow in Network Service in Google Chrome prior to 109.0.5414.74 allowed an attacker who\n convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted\n HTML page and specific interactions. (Chromium security severity: High) (CVE-2023-0129)\n\n - Inappropriate implementation in in Fullscreen API in Google Chrome on Android prior to 109.0.5414.74\n allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (Chromium security severity: Medium) (CVE-2023-0130)\n\n - Inappropriate implementation in in iframe Sandbox in Google Chrome prior to 109.0.5414.74 allowed a remote\n attacker to bypass file download restrictions via a crafted HTML page. (Chromium security severity:\n Medium) (CVE-2023-0131)\n\n - Inappropriate implementation in in Permission prompts in Google Chrome on Windows prior to 109.0.5414.74\n allowed a remote attacker to force acceptance of a permission prompt via a crafted HTML page. (Chromium\n security severity: Medium) (CVE-2023-0132)\n\n - Inappropriate implementation in in Permission prompts in Google Chrome on Android prior to 109.0.5414.74\n allowed a remote attacker to bypass main origin permission delegation via a crafted HTML page. (Chromium\n security severity: Medium) (CVE-2023-0133)\n\n - Use after free in Cart in Google Chrome prior to 109.0.5414.74 allowed an attacker who convinced a user to\n install a malicious extension to potentially exploit heap corruption via database corruption and a crafted\n HTML page. (Chromium security severity: Medium) (CVE-2023-0134, CVE-2023-0135)\n\n - Inappropriate implementation in in Fullscreen API in Google Chrome on Android prior to 109.0.5414.74\n allowed a remote attacker to execute incorrect security UI via a crafted HTML page. (Chromium security\n severity: Medium) (CVE-2023-0136)\n\n - Heap buffer overflow in Platform Apps in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed an\n attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via\n a crafted HTML page. (Chromium security severity: Medium) (CVE-2023-0137)\n\n - Heap buffer overflow in libphonenumber in Google Chrome prior to 109.0.5414.74 allowed a remote attacker\n to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)\n (CVE-2023-0138)\n\n - Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 109.0.5414.74\n allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security\n severity: Low) (CVE-2023-0139)\n\n - Inappropriate implementation in in File System API in Google Chrome on Windows prior to 109.0.5414.74\n allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security\n severity: Low) (CVE-2023-0140)\n\n - Insufficient policy enforcement in CORS in Google Chrome prior to 109.0.5414.74 allowed a remote attacker\n to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) (CVE-2023-0141)\n\n - Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability. (CVE-2023-21719)\n\n - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability (CVE-2023-21775)\n\n - Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability (CVE-2023-21795, CVE-2023-21796)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security.gentoo.org/glsa/202305-10\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=876855\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=878825\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=883031\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=883697\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=885851\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=886479\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=890726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=890728\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=891501\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.gentoo.org/show_bug.cgi?id=891503\");\n script_set_attribute(attribute:\"solution\", value:\n\"All Chromium users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=www-client/chromium-109.0.5414.74-r1\n \nAll Chromium binary users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=www-client/chromium-bin-109.0.5414.74\n \nAll Google Chrome users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=www-client/google-chrome-109.0.5414.74\n \nAll Microsoft Edge users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose >=www-client/microsoft-edge-109.0.1518.61\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-0138\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-4135\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:google-chrome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:microsoft-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\ninclude('qpkg.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/Gentoo/release')) audit(AUDIT_OS_NOT, 'Gentoo');\nif (!get_kb_item('Host/Gentoo/qpkg-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar flag = 0;\n\nvar packages = [\n {\n 'name' : 'www-client/chromium',\n 'unaffected' : make_list(\"ge 109.0.5414.74-r1\"),\n 'vulnerable' : make_list(\"lt 109.0.5414.74-r1\")\n },\n {\n 'name' : 'www-client/chromium-bin',\n 'unaffected' : make_list(\"ge 109.0.5414.74\"),\n 'vulnerable' : make_list(\"lt 109.0.5414.74\")\n },\n {\n 'name' : 'www-client/google-chrome',\n 'unaffected' : make_list(\"ge 109.0.5414.74\"),\n 'vulnerable' : make_list(\"lt 109.0.5414.74\")\n },\n {\n 'name' : 'www-client/microsoft-edge',\n 'unaffected' : make_list(\"ge 109.0.1518.61\"),\n 'vulnerable' : make_list(\"lt 109.0.1518.61\")\n }\n];\n\nforeach var package( packages ) {\n if (isnull(package['unaffected'])) package['unaffected'] = make_list();\n if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();\n if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;\n}\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : qpkg_report_get()\n );\n exit(0);\n}\nelse\n{\n qpkg_tests = list_uniq(qpkg_tests);\n var tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Chromium / Google Chrome / Microsoft Edge');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2023-12-03T16:07:25", "description": "Google Chromium V8 contains a type confusion vulnerability. Specific impacts from exploitation are not available at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-28T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Type Confusion Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-28T00:00:00", "id": "CISA-KEV-CVE-2022-3723", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-12-03T21:49:57", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2022>) for more information.\n\nGoogle is aware of reports that an exploit for CVE-2022-3723 exists in the wild.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-31T19:31:11", "type": "mscve", "title": "Chromium: CVE-2022-3723 Type Confusion in V8", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-31T19:31:11", "id": "MS:CVE-2022-3723", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-12-03T13:30:01", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage. (Chromium security severity: High)\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T00:00:00", "type": "ubuntucve", "title": "CVE-2022-3723", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-11-01T00:00:00", "id": "UB:CVE-2022-3723", "href": "https://ubuntu.com/security/CVE-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-12-03T16:58:17", "description": "### *Detect date*:\n10/31/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nType confusion vulnerability was found in Microsoft Browser. Malicious users can exploit this vulnerability to cause denial of service.\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based)\n\n### *Solution*:\nInstall necessary updates from the Settings and more menu, that are listed in your About Microsoft Edge page (Microsoft Edge About page usually can be accessed from the Help and feedback option) \n[Microsoft Edge update settings](<https://support.microsoft.com/en-us/topic/microsoft-edge-update-settings-af8aaca2-1b69-4870-94fe-18822dbb7ef1>)\n\n### *Original advisories*:\n[CVE-2022-3723](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3723>) \n\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *CVE-IDS*:\n[CVE-2022-3723](<https://vulners.com/cve/CVE-2022-3723>)5.0Warning\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-31T00:00:00", "type": "kaspersky", "title": "KLA20035 DoS vulnerability in Microsoft Browser", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-29T00:00:00", "id": "KLA20035", "href": "https://threats.kaspersky.com/en/vulnerability/KLA20035/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T16:58:22", "description": "### *Detect date*:\n10/27/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nType confusion vulnerability was found in Google Chrome. Malicious users can exploit this vulnerability to cause denial of service.\n\n### *Affected products*:\nGoogle Chrome earlier than 107.0.5304.88\n\n### *Solution*:\nUpdate to the latest version \n[Download Google Chrome](<https://www.google.com/chrome/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html>) \n\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2022-3723](<https://vulners.com/cve/CVE-2022-3723>)5.0Warning", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-27T00:00:00", "type": "kaspersky", "title": "KLA20018 DoS vulnerability in Google Chrome", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-29T00:00:00", "id": "KLA20018", "href": "https://threats.kaspersky.com/en/vulnerability/KLA20018/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T16:56:54", "description": "### *Detect date*:\n10/28/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nType confusion vulnerability was found in Opera. Malicious users can exploit this vulnerability to cause denial of service.\n\n### *Affected products*:\nOpera earlier than 92.0.4561.33\n\n### *Solution*:\nUpdate to the latest version \n[Download Opera](<https://www.opera.com>)\n\n### *Original advisories*:\n[Opera 92.0.4561.33 Stable update](<https://blogs.opera.com/desktop/2022/10/opera-92-0-4561-33-stable-update>) \n\n\n### *Impacts*:\nDoS \n\n### *Related products*:\n[Opera](<https://threats.kaspersky.com/en/product/Opera/>)\n\n### *CVE-IDS*:\n[CVE-2022-3723](<https://vulners.com/cve/CVE-2022-3723>)5.0Warning", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-28T00:00:00", "type": "kaspersky", "title": "KLA20196 DoS vulnerability in Opera", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-09-29T00:00:00", "id": "KLA20196", "href": "https://threats.kaspersky.com/en/vulnerability/KLA20196/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2022-11-02T20:29:42", "description": "Google has [announced](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html>) an update for Chrome that fixes an in-the-wild exploit. Chrome Stable channel has been updated to 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/.88 for Windows.\n\nThe vulnerability at hand is described as a type confusion issue in the V8 Javascript engine.\n\n## Mitigation\n\nIf you're a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Most of the time, the easiest way to update Chrome is to do nothing--it should update itself automatically, using the same method as outlined below but without your involvement. However, if something goes wrong--such as an extension blocking the update--or if you never close your browser, you can end up lagging behind on your updates.\n\nSo, it doesn't hurt to check now and again. And now would be a good time, given the severity of the vulnerabilities in this batch.\n\nMy preferred method is to have Chrome open the page [chrome://settings/help](<>), which you can also find by clicking **Settings > About Chrome**.\n\nUpdating Chrome\n\nIf there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.\n\nChrome is up to date\n\nAfter the update the version should be 107.0.5304.87 or later.\n\n## CVE-2022-3723\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).\n\nThis is the one that urged the out of bounds update was [CVE-2022-3723](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3723>), a type confusion issue with Chrome's V8 JavaScript engine. A remote attacker could exploit this vulnerability to trigger data manipulation on the targeted system.\n\nType confusion is possible when a piece of code doesn't verify the type of object that is passed to it. The program allocates or initializes an object using one type, but it later accesses it using a type that is incompatible with the original. Details about the vulnerability will not be released before everyone has had a chance to update, but it seems that in this case the manipulation with an unknown input can lead to privilege escalation.\n\nThe V8 engine is a very important component within Chrome that's used to process JavaScript commands. A [very similar vulnerability](<https://www.malwarebytes.com/blog/news/2022/03/update-now-google-releases-emergency-patch-for-chrome-zero-day-used-in-the-wild>) was found in March of 2022. This was also a type confusion issue in the V8 engine, which turned out to affect other Chromium based browsers as well. So keep an eye out for updates on any other Chromium based browser you may be using, such as Edge.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-28T21:45:00", "type": "malwarebytes", "title": "A Chrome fix for an in-the-wild exploit is out\u2014Check your version", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-28T21:45:00", "id": "MALWAREBYTES:CBCD880E5209A5267DCBEB5FB041C435", "href": "https://www.malwarebytes.com/blog/news/2022/10/update-chrome-now-and-fix-a-vulnerability-with-an-existing-exploit-for-it", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2023-10-25T18:06:26", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T00:00:00", "type": "attackerkb", "title": "CVE-2022-3723", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-10-08T00:00:00", "id": "AKB:64665D95-5095-4796-9404-96BAEED41106", "href": "https://attackerkb.com/topics/4dXwXSTpmo/cve-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-20T23:46:26", "description": "Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T23:15:00", "type": "prion", "title": "Type confusion", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-05-03T12:16:00", "id": "PRION:CVE-2022-3723", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-3723", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "chrome": [{"lastseen": "2023-12-03T20:12:26", "description": "The Stable channel has been updated to 107.0.5304.87 for Mac and Linux and 107.0.5304.87/.88 for Windows, which will roll out over the coming days/weeks. A full list of changes in this build is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/107.0.5304.62..107.0.5304.87?pretty=fuller&n=10000>). \n\n\n\n\n Security Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [1](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-1-M107>) security fix. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n\n\n\n[$TBD][[1378239](<https://crbug.com/1378239>)] High CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojt\u011b\u0161ek, Mil\u00e1nek, and Przemek Gmerek of Avast on 2022-10-25\n\n\n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. \n\n\n\nGoogle is aware of reports that an exploit for CVE-2022-3723 exists in the wild.\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>).\n\n\n\n\nInterested in switching release channels? Find out how [here](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). The [community help forum](<https://support.google.com/chrome/community>) is also a great place to reach out for help or learn about common issues.\n\n\n\n\n\n\n\nPrudhvikumar Bommana \n\n\nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-27T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-27T00:00:00", "id": "GCSA-272405271979539515", "href": "https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2023-12-04T10:00:24", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5263-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nOctober 29, 2022 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2022-3723\n\nA security issue was discovered in Chromium, which could result in the\nexecution of arbitrary code.\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 107.0.5304.87-1~deb11u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-29T20:36:13", "type": "debian", "title": "[SECURITY] [DSA 5263-1] chromium security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-29T20:36:13", "id": "DEBIAN:DSA-5263-1:A8269", "href": "https://lists.debian.org/debian-security-announce/2022/msg00233.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2022-11-02T20:48:16", "description": "Threat Level Vulnerability Report For a detailed threat advisory, download the pdf file here Summary A zero-day vulnerability has been discovered in Google Chrome versions prior to 107.0.5304.87. A type of confusion vulnerability tracked as CVE-2022-3723 is the seventh zero day of 2022 and is said to be exploited in the wild.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-01T05:21:34", "type": "hivepro", "title": "Google Chrome\u2019s seventh zero-day of 2022", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3723"], "modified": "2022-11-01T05:21:34", "id": "HIVEPRO:1803306DD93E61E87A6FDA05BE06FDF8", "href": "https://www.hivepro.com/google-chromes-seventh-zero-day-of-2022/", "cvss": {"score": 0.0, "vector": "NONE"}}], "veracode": [{"lastseen": "2023-11-16T20:08:54", "description": "chromium is vulnerable to type confusion. The vulnerability exists in V8 in Google Chrome which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-16T15:53:26", "type": "veracode", "title": "Type Confusion", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2023-05-03T14:35:19", "id": "VERACODE:38026", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-38026/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2023-12-03T16:50:38", "description": "\n\nChrome Releases reports:\n\nThis release contains 1 security fix:\n\n[1378239] High CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojte\u0161ek, Mil\u00e1nek, and Przemek Gmerek of Avast on 2022-10-25\n\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-27T00:00:00", "type": "freebsd", "title": "chromium -- Type confusion in V8", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3723"], "modified": "2022-10-27T00:00:00", "id": "1225C888-56EA-11ED-B5C3-3065EC8FD3EC", "href": "https://vuxml.freebsd.org/freebsd/1225c888-56ea-11ed-b5c3-3065ec8fd3ec.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-11-30T17:31:04", "description": "In this post, I'll explain how to exploit CVE-2023-3420, a type confusion vulnerability in [v8](<https://v8.dev/>) (the Javascript engine of [Chrome](<https://www.google.com/chrome/>)), that I reported in June 2023 as [bug 1452137](<https://bugs.chromium.org/p/chromium/issues/detail?id=1452137>). The bug was fixed in version [114.0.5735.198/199](<https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html>). It allows remote code execution (RCE) in the renderer sandbox of Chrome by a single visit to a malicious site.\n\nVulnerabilities like this are often the starting point for a \u201cone-click\u201d exploit, which compromise the victim\u2019s device when they visit a malicious website. A renderer RCE in Chrome allows an attacker to compromise and execute arbitrary code in the Chrome renderer process. The renderer process has limited privilege though, so the attacker then needs to chain such a vulnerability with a second \u201csandbox escape\u201d vulnerability: either another vulnerability in the Chrome browser process, or a vulnerability in the operating system to compromise either Chrome itself or the device. For example, a chain consisting of a renderer RCE (CVE-2022-3723), a Chrome sandbox escape (CVE-2022-4135), and a kernel bug (CVE-2022-38181) was discovered to be exploited in-the-wild in [\u201cSpyware vendors use 0-days and n-days against popular platforms\u201d](<https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/>) by Clement Lecigne of the Google Threat Analysis Group.\n\nWhile many of the most powerful and sophisticated \u201cone-click\u201d attacks are highly targeted and average users may be more at risk from less sophisticated attacks such as phishing, users should still keep Chrome up-to-date and enable automatic updates, as vulnerabilities in v8 can often be exploited relatively quickly by analyzing patches once these are released.\n\nThe current vulnerability exists in the JIT compiler in Chrome, which optimizes Javascript functions based on previous knowledge of the input types (for example, number types, array types, etc.). This is called speculative optimization and care must be taken to make sure that these assumptions on the inputs are still valid when the optimized code is used. The complexity of the JIT engine has led to many security issues in the past and has been a popular target for attackers. The phrack article, ["Exploiting Logic Bugs in JavaScript JIT Engines"](<http://www.phrack.org/issues/70/9.html#article>) by Samuel Gro\u00df is a very good introduction to the topic.\n\n## The JIT compiler in Chrome[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#the-jit-compiler-in-chrome>)\n\nThe JIT compiler in Chrome\u2019s v8 Javascript engine is called [TurboFan](<https://v8.dev/docs/turbofan>). Javascript functions in Chrome are optimized according to how often they are used. When a Javascript function is first run, bytecode is generated by the interpreter. As the function is called repeatedly with different inputs, feedback about these inputs, such as their types (for example, are they integers, or objects, etc.), is collected. After the function is run enough times, TurboFan uses this feedback to compile optimized code for the function, where assumptions are made based on the feedback to optimize the bytecode. After this, the compiled optimized code is used to execute the function. If these assumptions become incorrect after the function is optimized (for example, new input is used with a type that is different to the feedback), then the function will be deoptimized, and the slower bytecode is used again. Readers can consult, for example, \u201c[An Introduction to Speculative Optimization in V8](<https://ponyfoo.com/articles/an-introduction-to-speculative-optimization-in-v8>)\u201d by Benedikt Meurer for more details of how the compilation process works.\n\nTurboFan itself is a well-studied subject and there is a vast amount of literature out there documenting its inner workings, so I'll only go through the background that is needed for this article. The article, \u201c[Introduction to TurboFan](<https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/>)\u201d by Jeremy Fetiveau is a great write-up that covers the basics of TurboFan and will be very useful for understanding the context in this post, although I\u2019ll also cover the necessary material. The phrack article, ["Exploiting Logic Bugs in JavaScript JIT Engines"](<http://www.phrack.org/issues/70/9.html#article>) by Samuel Gro\u00df also covers many aspects of TurboFan and V8 object layouts that are relevant.\n\n## Nodes and side effects[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#nodes-and-side-effects>)\n\nWhen compiling optimized JIT code, TurboFan first visits each bytecode instruction in the function, and then transforms each of these instructions into a collection of nodes (a process known as reduction), which results in a representation called a ["Sea of Nodes](<https://darksi.de/d.sea-of-nodes/>).\u201d The nodes are related to each other via dependencies, which are represented as edges in [Turbolizer](<https://chromium.googlesource.com/v8/v8/+/refs/heads/main/tools/turbolizer/>), a tool that is commonly used to visualize the sea of nodes. There are three types of edges: the control edges represent the control flow graph, value edges represent the dataflow graph, and the effect edges, which order nodes according to how they access the state of objects.\n\nFor example, in the following:\n \n \n x.a = 0x41;\n var y = x.a;\n \n\nThe operation `y = x.a` has an effect dependency on `x.a = 0x41` and must be performed after `x.a = 0x41` because `x.a = 0x41` changes the state of `x`, which is used in `y = x.a`. Effect edges are important for eliminating checks in the optimized code.\n\nIn Chrome, the memory layout, in particular, the offsets of the fields in an object, is specified by its `Map`, which can be thought of as the type information of the object, and knowledge of `Map` from feedback is often used by TurboFan to optimize code. (Readers can consult, for example, ["JavaScript engine fundamentals: Shapes and Inline Caches"](<https://mathiasbynens.be/notes/shapes-ics#object-model>) by Mathias Bynens for more details. For the purpose of this post, however, it is sufficient to know that `Map` determines the field offsets of an object.)\n\nLet\u2019s look a bit closer at how dependency checks are inserted, using this function as the running example:\n \n \n function foo(obj) {\n var y = obj.x;\n obj.x = 1;\n return y;\n }\n \n\nWhen accessing the field `x` of `obj`, TurboFan uses previous inputs of the parameter `obj` to speculate the memory layout (determined by the `Map` of `obj`) and emits optimized code to access `x`. Of course, `obj` with a different `Map` may be used when calling `foo` after it is optimized, and so a `CheckMaps` node is created in the function to make sure that `obj` has the correct memory layout before the field `x` is accessed by the optimized code. This can be seen in the graph generated from Turbolizer:\n\n\n\nLikewise, when storing to `x` in the line `obj.x = 1`, the optimized code assumes `obj` has the correct map. However, because the map of `obj` is checked prior to `var y = obj.x` and there is nothing between these two lines that can change `obj`, there is no need to recheck the map. Indeed, TurboFan does not generate an extra `CheckMaps` prior to the `StoreField` node used in `obj.x = 1`:\n\n\n\nHowever, nodes can sometimes have side effects, where it may change an object indirectly. For example, a node that invokes a call to a user defined Javascript function can potentially change any object:\n \n \n function foo(obj) {\n var y = obj.x;\n callback();\n obj.x = 1;\n return y;\n }\n \n\nWhen a function call is inserted between the accesses to `x`, the map of `obj` may change after `callback` is called and so a `CheckMaps` is needed prior to the store access `obj.x = 1`:\n\n\n\nIn TurboFan, side effects of a node are indicated by node properties. In particular, the `[kNoWrite](<https://source.chromium.org/chromium/chromium/src/+/32a1bb477f7e506c52989a5dd5433567b2d1094e:v8/src/compiler/operator.h;l=45;bpv=0;bpt=0>)` property indicates that the node has no side effect:\n \n \n class V8_EXPORT_PRIVATE Operator : public NON_EXPORTED_BASE(ZoneObject) {\n public:\n ...\n enum Property {\n ...\n kNoWrite = 1 << 4, // Does not modify any Effects and thereby\n // create new scheduling dependencies.\n ...\n };\n \n\nIn the above, the call to `callback` creates a `Call` node which has the `[kNoProperties](<https://source.chromium.org/chromium/chromium/src/+/32a1bb477f7e506c52989a5dd5433567b2d1094e:v8/src/compiler/js-operator.cc;l=885;bpv=0;bpt=0>)` property, which indicates that it can have side effects (instead of `[kNoWrite](<https://source.chromium.org/chromium/chromium/src/+/32a1bb477f7e506c52989a5dd5433567b2d1094e:v8/src/compiler/operator.h;l=45;bpv=0;bpt=0>)`, which indicates no side effects).\n\n## Compilation dependencies[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#compilation-dependencies>)\n\nAssumptions that are made in the optimized code compiled by TurboFan can also become invalid at a later time. In the following example, the function `foo` has only seen the input `a`, which has a field `x` that is constant (that is, the field has not been reassigned):\n \n \n var a = {x : 1};\n \n function foo(obj) {\n var y = obj.x;\n return y;\n }\n %PrepareFunctionForOptimization(foo);\n foo(a);\n %OptimizeFunctionOnNextCall(foo);\n foo(a);\n \n\nWhen TurboFan compiles the function `foo`, it assumes that the field `x` of `obj` is the constant 1 and simply replaces `obj.x` with 1. However, this assumption can change in a later time. For example, if I reassign the field `x` in `obj` after compilation, then the compiled code would become invalid:\n \n \n var a = {x : 1};\n \n function foo(obj) {\n var y = obj.x;\n return y;\n }\n %PrepareFunctionForOptimization(foo);\n foo(a);\n %OptimizeFunctionOnNextCall(foo);\n foo(a);\n //Invalidates the optimized code\n a.x = 2;\n \n\nThe `trace-deopt` flag in the standalone `d8` binary can be used to check that the code does indeed becomes invalid:\n \n \n $./d8 --allow-natives-syntax --trace-turbo --trace-deopt foo.js\n Concurrent recompilation has been disabled for tracing.\n ---------------------------------------------------\n Begin compiling method foo using TurboFan\n ---------------------------------------------------\n Finished compiling method foo using TurboFan\n [marking dependent code 0x1a69002021a5 (0x1a690019b9e9 ) (opt id 0) for deoptimization, reason: code dependencies]\n \n\nNote the last console output, which marks the function `foo` for deoptimization, meaning that the optimized code of `foo` has been invalidated. When `foo` is run after the line `a.x = 2`, the unoptimized code will be used instead. Deoptimization that happens when other code invalidates the optimized function is called \"lazy deoptimization\" as it only has effect when the function is run next time. Note also that the `reason` for the deoptimization in the last line is `code dependencies`. Code dependencies is a mechanism employed by TurboFan to make sure that optimized code becomes invalid if its assumptions are changed after the code is compiled.\n\nUnder the hood, code dependencies are implemented via the [`CompilationDependency`](<https://source.chromium.org/chromium/chromium/src/+/c9a49f59f2a9f90828978d1e93ee325d08daeb2c:v8/src/compiler/compilation-dependencies.cc;l=72;bpv=0;bpt=0>) class. Its subclasses are responsible for making sure that the optimized code is invalidated when the respective assumption becomes invalid. In the above example, the [`FieldConstnessDependency`](<https://source.chromium.org/chromium/chromium/src/+/c9a49f59f2a9f90828978d1e93ee325d08daeb2c:v8/src/compiler/compilation-dependencies.cc;l=766;bpv=0;bpt=0>) is responsible for invalidating the optimized code when the constant field, `x`, in `obj` is reassigned.\n\nThe `CompilationDependency` class has three virtual methods, `IsValid`, `PrepareInstall,` and `Install` that are called at the end of the compilation. The `IsValid` method checks that the assumption is still valid at the end of the compilation, while `Install` establishes a mechanism to invalidate the code when the assumption changes.\n\n## Concurrent compilation[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#concurrent-compilation>)\n\nConcurrent compilation is a feature that was [enabled in version 95](<https://chromium.googlesource.com/chromium/src/+/aa37dd99aadf89aa363a96b3c23cecbbeeabfe31>) of Chrome. This feature enables TurboFan to compile optimized code in a background thread while the main thread is running other Javascript code. This, however, also gives rise to the possibility of race conditions between compilation and Javascript code executions. On the one hand, Javascript executed in the main thread may invalidate assumptions made during compilation after these assumptions are checked. While many of such issues are prevented by compilation dependencies, this type of race has still resulted in some security issues in the past. (For example, [issue 1369871](<https://bugs.chromium.org/p/chromium/issues/detail?id=1369871>) issue and [issue 1211215](<https://blog.exodusintel.com/2023/05/16/google-chrome-v8-arrayshift-race-condition-remote-code-execution/>).)\n\nOn the other hand, if compilation makes changes to Javascript objects, it may also cause inconsistency in the Javascript code that is running in the main thread. This is a rather unusual situation, as compilation rarely makes changes to Javascript objects. However, the `[PrepareInstall](<https://source.chromium.org/chromium/chromium/src/+/c9a49f59f2a9f90828978d1e93ee325d08daeb2c:v8/src/compiler/compilation-dependencies.cc;l=245;bpv=0;bpt=0>)` method of the `CompilationDependency`, `PrototypePropertyDependency` calls the `[EnsureHasInitialMap](<https://source.chromium.org/chromium/chromium/src/+/c9a49f59f2a9f90828978d1e93ee325d08daeb2c:v8/src/compiler/compilation-dependencies.cc;l=248;bpv=0;bpt=0>)` method, which does make changes to `function`, which is a Javascript `Function` object.\n \n \n void PrepareInstall(JSHeapBroker* broker) const override {\n SLOW_DCHECK(IsValid(broker));\n Handle function = function_.object();\n if (!function->has_initial_map()) JSFunction::EnsureHasInitialMap(function);\n }\n ...\n }\n \n\nAmongst other things, `EnsureHasInitialMap` calls `[Map::SetPrototype](<https://source.chromium.org/chromium/chromium/src/+/0cd12c35f217ed6982b34fcb29dc15d14a6e57eb:v8/src/objects/js-function.cc;l=762>)` on the `prototype` field of `function`. Calling `Map::SetPrototype` on an object can cause its layout to be optimized via the `[OptimizeAsPrototype](<https://source.chromium.org/chromium/chromium/src/+/2bc99709b2731b74aeb95154df133b2499f4211d:v8/src/objects/map.cc;l=2317;bpv=0;bpt=0>)` call. In particular, if an object is a \"fast\" object that stores its fields as an array, `OptimizeAsPrototype` will change it into a \"dictionary\" object that stores its fields in a dictionary. (See, for example, Section 3.2 in [\"Exploiting Logic Bugs in JavaScript JIT Engines](<http://www.phrack.org/issues/70/9.html#article>),\u201d setting an object as the `__proto__` field has the same effect as calling `Map::SetPrototype` on it.)\n\nAs explained before, `PrepareInstall` is called at the end of the compilation phase, so initially, I thought this may be exploited as a race condition to create a primitive similar to CVE-2018-17463 detailed in \"Exploiting Logic Bugs in JavaScript JIT Engines.\u201d After some debugging, I discovered that the `PrepareInstall` method is actually executed on the main thread and so this is not really a race condition.\n\n## Interrupt handling in V8[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#interrupt-handling-in-v8>)\n\nAlthough the `PrepareInstall` method is executed in the main thread, what is interesting is how the main thread switches between different tasks. In particular: how does the background thread notify the main thread to install the compilation dependency after the optimized code is compiled, and when can the main thread switch between normal Javascript execution and handling of tasks requested by other threads? It turns out that this is done via the `[StackGuard::HandleInterrupts](<https://source.chromium.org/chromium/chromium/src/+/10e4809ce95862289c62ea30a18ab32bb77ea5c8:v8/src/execution/stack-guard.cc;l=267>)` method. In particular, when the compilation is finished in the background, an `INSTALL_CODE` task is put on a queue, which is then handled in `[HandleInterrupts](<https://source.chromium.org/chromium/chromium/src/+/10e4809ce95862289c62ea30a18ab32bb77ea5c8:v8/src/execution/stack-guard.cc;l=328>)` in the main thread.\n\nWhile the main thread is executing Javascript code, it checks for these interrupts at particular places by calling `StackGuard::HandleInterrupts`. This only happens at a limited number of places, for example, at the entry point of a Javascript function.\n\nWhile looking for callers of `StackGuard::HandleInterrupts`, I discovered that the `StackCheck` node, which has the `[kNoWrite property](<https://source.chromium.org/chromium/chromium/src/+/ba1b4d2b303094d63f500878f3670f2235f988c7:v8/src/compiler/js-operator.cc;l=1406>)`, can in fact call `StackGuard::HandleInterrupts. `The optimized code for the `StackCheck` can make a call to the `[Runtime::kStackGuard function](<https://source.chromium.org/chromium/chromium/src/+/ba1b4d2b303094d63f500878f3670f2235f988c7:v8/src/compiler/js-generic-lowering.cc;l=1197>)`:\n \n \n void JSGenericLowering::LowerJSStackCheck(Node* node) {\n Node* effect = NodeProperties::GetEffectInput(node);\n Node* control = NodeProperties::GetControlInput(node);\n ...\n if (stack_check_kind == StackCheckKind::kJSFunctionEntry) {\n node->InsertInput(zone(), 0,\n graph()->NewNode(machine()->LoadStackCheckOffset()));\n ReplaceWithRuntimeCall(node, Runtime::kStackGuardWithGap);\n } else {\n ReplaceWithRuntimeCall(node, Runtime::kStackGuard);\n }\n }\n \n\nwhich in turn calls HandleInterrupts:\n \n \n RUNTIME_FUNCTION(Runtime_StackGuard) {\n ...\n return isolate->stack_guard()->HandleInterrupts(\n StackGuard::InterruptLevel::kAnyEffect);\n }\n \n\nAs mentioned previously, `kNoWrite` is used to indicate that a node does not make changes to Javascript objects; however, because `StackCheck` can call `HandleInterrupts`, which could cause the `prototype` field object of a function to change from a fast object to a dictionary object, this `kNoWrite` property is incorrect and the `StackCheck` node can be used to change an object and bypass security checks in a way that is similar to [CVE-2018-17463](<http://www.phrack.org/issues/70/9.html#article>). The problem now is to figure out how to insert a `StackCheck` node in the TurboFan graph.\n\nIt turns out that the `[JumpLoop](<https://source.chromium.org/chromium/chromium/src/+/e72d83c70a3fc4e65fbf66dcb455c288e08b42cd:v8/src/compiler/bytecode-graph-builder.cc;l=3548>)` opcode that is inserted at the end of a loop iteration can be used to insert a `StackCheck` node:\n \n \n void BytecodeGraphBuilder::VisitJumpLoop() {\n BuildIterationBodyStackCheck();\n BuildJump();\n }\n \n\nIn the above, `BuildIterationBodyStackCheck` introduces a `StackCheck` node in the graph:\n \n \n void BytecodeGraphBuilder::BuildIterationBodyStackCheck() {\n Node* node =\n NewNode(javascript()->StackCheck(StackCheckKind::kJSIterationBody));\n environment()->RecordAfterState(node, Environment::kAttachFrameState);\n }\n \n\nThe idea is that, if a function is running a loop for a potentially long time, then it should check for interrupts after a number of iterations are run, in case it is blocking other operations. This means that, by creating a loop that runs for a large number of iterations, I can cause an optimized function to handle interrupts and potentially call `EnsureHasInitialMap` to change the layout of a Javascript object. So, to exploit the bug, I need to create two functions with the following properties:\n\n 1. A function `bar` that has the `PrototypePropertyDependency` when optimized, so that when `HandleInterrupts` is called, `EnsureHasInitialMap` is called and the `prototype` field of another function `B` (for the purpose of the exploit, I use a class constructor) will change from being a fast object to a dictionary object.\n 2. A function `foo` with a loop that accesses fields in the `prototype` field of the class constructor `B` both before and after the loop. The optimized code of `foo` that accesses `B.prototype` before the loop will insert a `CheckMaps` node to make sure the `Map` of `B.prototype` is correct. As the loop introduces a `StackCheck` node, it may call `HandleInterrupts`, which will change the `Map` of `B.prototype`. However, because `StackCheck` is marked with `kNoWrite`, a `CheckMaps` will not be inserted again prior to accessing properties of `B.prototype` after the loop. This results in optimized code accessing fields in `B.prototype` with incorrect offsets.\n 3. Optimize `foo` and wait until concurrent compilation is finished to make sure that `foo` is executed with optimized code from now on.\n 4. Run `bar` enough times to trigger concurrent compilation, and then run `foo` immediately. As long as the loop in `foo` is running long enough, the compilation of `bar` will finish while the loop is running and the compiler thread will queue an `INSTALL_CODE` task. The loop in `foo` will then handle this interrupt, which will call `EnsureHasInitialMap` for `B` to change `B.prototype` into a dictionary object. After the loop is finished, subsequent accesses to fields of `B.prototype` will be done using the wrong `Map` (by assuming that `B.prototype` is still a fast object).\n\nThis can then be exploited by causing an out-of-bounds (OOB) access in a Javascript object.\n\n## Exploiting the bug[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#exploiting-the-bug>)\n\nThe function `bar` can be created by looking for nodes that introduce a `PrototypePropertyDependency`, for example, the `[JSOrdinaryHasInstance](<https://source.chromium.org/chromium/chromium/src/+/e72d83c70a3fc4e65fbf66dcb455c288e08b42cd:v8/src/compiler/js-native-context-specialization.cc;l=960;bpv=0;bpt=0>)` node that is introduced when using `instanceof` in Javascript. So, for example, the following function:\n \n \n function bar(x) {\n return x instanceof B;\n }\n \n\nwill have a `PrototypePropertyDependency` that changes `B.prototype` to a dictionary object when `bar` is installed.\n\nThe function `foo` can be constructed as follows:\n \n \n function foo(obj, proto, x,y) {\n //Introduce `CheckMaps` for `proto`\n obj.obj = proto;\n var z = 0;\n //Loop for handling interrupt\n for (let i = 0; i < 1; i++) {\n for (let j = 0; j < x; j++) {\n for (let k = 0; k < x; k++) {\n z = y[k];\n }\n }\n }\n //Access after map changed\n proto.b = 33;\n return z;\n }\n \n\nWhen setting `proto` to an object field that has a fixed map, a `[CheckMaps node is introduced](<https://source.chromium.org/chromium/chromium/src/+/070c9a9758adf6ebca735bf73078ec48a254944e:v8/src/compiler/js-native-context-specialization.cc;l=3020>)` to make sure that `proto` has the correct map, so by passing a constant `obj` to `foo` of the following form:\n \n \n var obj = {obj: B.prototype};\n \n\nI can introduce the `CheckMaps` node for `B.prototype` that I need in `foo`. After running the loop that handles the interrupt from `bar`, the field write `proto.b = 33` will be writing to `proto` based on its fast map while it has already been changed into a dictionary map.\n\nTo exploit this, we need to understand the differences in fast objects and dictionary objects. The section \"FixedArray and NumberDictionary Memory Layout'' in [\"Patch-gapping Google Chrome''](<https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/>) gives good details about this.\n\nA fast object either stores fields within the object itself\u2014(in-object properties) or in a `PropertyArray` when space runs out for in-object properties. In our case, `B.prototype` does not have any in-object properties and uses a `PropertyArray` to store its fields. A `PropertyArray` has three header fields, `map` and `length` and `hash`, which are at offsets `0`, `4` and `8`. Its elements start at offsets `0xc` and are of size `4`. When optimized code is accessing properties in `B.prototype`, it uses the element offset of the field in the `PropertyArray` to directly access the field. For example, in the following, when loading `B.prototype.a`, optimized code will load the element at offset `0xc` from the `PropertyArray`, and the element at offset `0x10` for the field `b`:\n \n \n class B {}\n B.prototype.a = 1;\n B.prototype.b = 2;\n \n\nA dictionary object, on the other hand, stores fields in a `NamedDictionary`. A `NamedDictionary` is implemented using `FixedArray`, however, its element size and header size are different. It has the `map` and `length` fields, but does not have the `hash` field of a `PropertyArray`. In addition, `NamedDictionary` has some extra fields, including `elements`, `deleted` and `capacity`. In particular, when optimized code uses the field offsets from a `PropertyArray` to access a `NamedDictionary`, these extra fields can be overwritten. This, for example, can be used to overwrite the `capacity` of the `NamedDictionary` to cause an out-of-bounds access.\n\n\n\nIn the above, the field offset for field `b` in a `PropertyArray` aligns with that of `capacity` in the `NamedDictionary` and so writing to `b` will overwrite the `capacity` of the `NamedDictionary`. Since `capacity` is used in most bound calculations when accessing a `NamedDictionary`, this can be used to cause an OOB access. \nAs pointed out in [\"Patch-gapping Google Chrome\"](<https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/>) and [\"Exploiting Logic Bugs in JavaScript JIT Engines](<http://www.phrack.org/issues/70/9.html#article>),\u201d the main problem with exploiting an OOB access in a `NamedDictionary` is that, when looking for a key in the dictionary, a random hash is used to translate the key to an index. This randomness causes the layout of the dictionary to change with each run and accessing properties with the same key is going to result in an access of a random offset in the dictionary, which is unreliable and may result in a crash.\n\nTo overcome this, I adopted the solution in [\"Patch-gapping Google Chrome](<https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome/>),\u201d which is to set the `capacity` to a power-of-two plus one. This will cause any key access to the dictionary object to either access the `NamedDictionary` at offset `0`, or at offset `capacity`. By placing objects carefully, I can use the dictionary to access an object placed at the offset `capacity`. While this is not 100% reliable, as there is a chance of accessing an object at offset `0`, the failure would not cause a crash and can be easily detected. So, in case of a failure, I just have to reload the page to reinitialize the random hash and try again. (Another way to exploit this is to follow the approach in Section 4 of [\"Exploiting Logic Bugs in JavaScript JIT Engines.\"](<http://www.phrack.org/issues/70/9.html#article>))\n\nA `NamedDictionary` stores its elements in a tuple of the form `(Key, Value, Attribute)`. When accessing an element with key `k`, the dictionary first converts `k` into an index. In our case, the index is either `0` or the `capacity` of the dictionary. It then checks that the element at the index has the same `Key` as `k`, if it is, `Value` is returned. So, in order to make a successful access, I need to create a fake `NamedDictionary` entry at offset `capacity`. This can be achieved by placing a fast object after the dictionary and using its field values to create the fake entry: a fast object stores its fields in a `PropertyArray`, which stores field values consecutively. By choosing the field values carefully so that the field value at the `capacity` offset of the `NamedDictionary` takes the value of the key `k`, the next value will be returned when the field `k` is accessed in the dictionary object:\n\n\n\nFor example, in the above, an object placed after the corrupted `NamedDictionary` will have some of its fields, `vn`, `vn+1` and `vn+2` stored at the offset corresponding to the corrupted `capacity` of the dictionary. Accessing the field with key `k` has a chance of interpreting `vn`, `vn+1` and `vn+2` as a fake element tuple `(Key = vn, value = vn+1, Attribute = vn+2)`. By setting `vn` to `k`, `vn+1` will be returned as the field `k` of the corrupted dictionary object. The significance of this is that I can now use the corrupted dictionary to create a type confusion.\n\n## Creating type confusion[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#creating-type-confusion>)\n\nThe exploit flow now very much follows that of Section 4 in [\"Exploiting Logic Bugs in JavaScript JIT Engines](<http://www.phrack.org/issues/70/9.html#article>).\u201d In order to create a type confusion, I'll use another optimization in TurboFan. When loading an object property, if the property is known to be an object with a fixed `Map`, then TurboFan will omit `CheckMaps` for the property when it is accessed. For example, in the following function:\n \n \n function tc(x) {\n var obj = x.p1.px;\n obj.x = 100;\n }\n var obj0 = {px : {x : 1}};\n var obj1 = {p0 : str0, p1 : obj0, p2 : 0};\n //optimizing tc\n for (let i = 0; i < 20000; i++) {\n tc(obj1);\n }\n \n\nBecause `tc` has only seen `obj1` as an input when it is optimized, a `CheckMaps` will be inserted to check that `x` has the same `Map` as `obj1`. However, as `obj1.p1` has the same `Map` (the `Map` of `obj0`) throughout, a `CheckMaps` is not inserted to check the `Map` of `x.p1`. In this case, the `Map` of `x.p1` is ensured by checking the `Map` of `x`, as well as installing a compilation dependency that prevents it from changing. However, if I am able to use a memory corruption, such as the OOB access I constructed with the dictionary object, to modify the field `p1` in `obj1`, then I can bypass these checks and cause the optimized code to access `obj` with a wrong `Map`. In particular, I can replace `obj0.px` by an `Array` object, causing `obj.x = 100` to overwrite the length of the `Array`:\n \n \n var corrupted_arr = [1.1];\n var corrupted = {a : corrupted_arr};\n ...\n //Overwrite `obj1.p1` to `corrupted`\n Object.defineProperty(B.prototype, 'aaa', {value : corrupted, writable : true});\n //obj.x = 100 in `tc` now overwrites length of `corrupted_arr`\n tc(obj1);\n \n\nIn the above, I first use the bug to overwrite the `capacity` of the dictionary object `B.prototype`. I then align objects by placing `obj0` behind `B.prototype`, such that the field `aaa` in `B.prototype` now gives me `obj0.px`. Then, by overwriting `aaa` in `B.prototype`, I can change `obj1.p1` to a different object with a different `Map`. As this change does not involve setting a property in `obj1`, it does not invalidate the optimized code in the function `tc`. So, when `tc` is run again, a type confusion occurs and `obj = x.p1.px` will return `corrupted_arr` and setting `obj.x = 100` will set the `length` of `corrupted_arr` to `100`.\n\n\n\nThe above figure shows the field alignments between the objects.\n\n## Gaining code execution[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#gaining-code-execution>)\n\nOnce an OOB access of a double array is achieved, the bug can be exploited as follows:\n\n 1. Place an `Object` `Array` after `corrupted_arr`, and use the OOB read primitive to read the addresses of the objects stored in this array. This allows me to obtain the address of any V8 object.\n 2. Place another double array, `writeArr` after `corrupted_arr`, and use the OOB write primitive in `corrupted_arr` to overwrite the `element` field of `writeArr` to an object address. Accessing the elements of `writeArr` then allows me to read/write to arbitrary addresses.\n 3. While this gives me arbitrary read and write primitives within the V8 heap and also obtains the address of any object, due to the recently introduced [heap sandbox](<https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit>) in V8, the V8 heap becomes fairly isolated and I still won't be able to access arbitrary memory within the renderer process. In particular, I can no longer use the standard method of overwriting the `RWX` pages that are used for storing [WebAssembly](<https://webassembly.org/>) code to achieve code execution. Instead, [JIT spraying](<https://mem2019.github.io/jekyll/update/2022/02/06/DiceCTF-Memory-Hole.html>) can be used to bypass the heap sandbox.\n 4. The idea of JIT spraying is that a pointer to the JIT optimized code of a function is stored in a Javascript `Function` object, by modifying this pointer using arbitrary read and write primitive within the V8 heap, I can make this pointer jump to the middle of the JIT code. If I use data structures, such as a double array, to store shell code as floating point numbers in the JIT code, then jumping to these data structures will allow me to execute arbitrary code. I refer readers to [this post](<https://mem2019.github.io/jekyll/update/2022/02/06/DiceCTF-Memory-Hole.html>) for more details.\n\nThe exploit can be found [here](<https://github.com/github/securitylab/tree/main/SecurityExploits/Chrome/v8/CVE_2023_3420>) with some set up notes.\n\n## Conclusion[](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/#conclusion>)\n\nIncorrect side effect modeling has long been a powerful exploit primitive and has been exploited multiple times, for example, in [CVE-2018-17463](<http://www.phrack.org/issues/70/9.html#article>) and [CVE-2020-6418](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-6418.html>). In this case, the side effect property of the `StackCheck` node has become incorrect due to the introduction of concurrent compilation. This shows how delicate interactions between different and seemingly unrelated parts of Chrome can violate previous assumptions, resulting in often subtle and hard-to-detect issues.\n\nThe post [Getting RCE in Chrome with incorrect side effect in the JIT compiler](<https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/>) appeared first on [The GitHub Blog](<https://github.blog>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-09-26T15:00:54", "type": "github", "title": "Getting RCE in Chrome with incorrect side effect in the JIT compiler", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-17463", "CVE-2020-6418", "CVE-2022-3723", "CVE-2022-38181", "CVE-2022-4135", "CVE-2023-3420"], "modified": "2023-09-26T13:40:31", "id": "GITHUB:A676F2F62483D6BBF709A19DCD8E666B", "href": "https://github.blog/2023-09-26-getting-rce-in-chrome-with-incorrect-side-effect-in-the-jit-compiler/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-10-28T12:06:14", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhv36XpOZ1dAQAOtoI2FJrLTIwbrZmkU8pIotJv8smSt1yHSR5Sbs9DtPNusAAMvajmGc-st695EsqO3w1aNTpm9vxASuSHCLI61DemGb3LaAMW7MDDLo4j30s4iE1DZr2UeTpkEHlUc-WwTo0zqCxLNMlSHPLCRNEDT4wpaWQjgJMl3KhUpK7MKa2Z/s728-e100/chrome-zero-day-vulnerability.jpg>)\n\nGoogle on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser.\n\nThe [vulnerability](<https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html>), tracked as **CVE-2022-3723**, has been described as a type confusion flaw in the V8 JavaScript engine.\n\nSecurity researchers Jan Vojt\u011b\u0161ek, Mil\u00e1nek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022.\n\n\"Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild,\" the internet giant acknowledged in an advisory without getting into more specifics about the nature of the attacks.\n\nCVE-2022-3723 is the third actively exploited type confusion bug in V8 this year after [CVE-2022-1096](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) and [CVE-2022-1364](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>).\n\nThe latest fix also marks the resolution of the seventh zero-day in Google Chrome since the start of 2022 -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-2294**](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n * [**CVE-2022-2856**](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>) \\- Insufficient validation of untrusted input in Intents\n * [**CVE-2022-3075**](<https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html>) \\- Insufficient data validation in Mojo\n\nUsers are recommended to upgrade to version 107.0.5304.87 for macOS and Linux and 107.0.5304.87/.88 for Windows to mitigate potential threats.\n\nUsers of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-10-28T10:40:00", "type": "thn", "title": "Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-3723"], "modified": "2022-10-28T10:58:12", "id": "THN:222F7713CA968509F8C385BA29B0B6A5", "href": "https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-17T06:59:37", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg1CUbcQScbnTemjH3z-9z7l3lye-ZJqruEuNRoONKxyXz0UkWl_skXsdzuxg5Cyw6VemvnadXx5JVa-UgtYCu3ALMbFcng4yzhHI3pVtvVU9eqkmGx2H7nPIMkGapwSvVPx5HY2ASP51LVelcKSJzC0nGN6Hzq-5upm_ZDqq02Ljx_s0wB8inyj242/s728-e365/google-chrome.png>)\n\nGoogle on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year.\n\nTracked as **CVE-2023-2033**, the high-severity vulnerability has been described as a [type confusion issue](<https://cwe.mitre.org/data/definitions/843.html>) in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on April 11, 2023.\n\n\"Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,\" [according](<https://nvd.nist.gov/vuln/detail/CVE-2023-2033>) to the NIST's National Vulnerability Database (NVD).\n\nThe tech giant [acknowledged](<https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html>) that \"an exploit for CVE-2023-2033 exists in the wild,\" but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.\n\nCVE-2023-2033 also appears to share similarities with [CVE-2022-1096](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>), [CVE-2022-1364](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>), [CVE-2022-3723](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>), and [CVE-2022-4262](<https://thehackernews.com/2022/12/google-rolls-out-new-chrome-browser.html>) \u2013 four other actively abused type confusion flaws in V8 that were remediated by Google in 2022.\n\nGoogle closed out a total of nine zero-days in Chrome last year. The development comes days after Citizen Lab and Microsoft [disclosed](<https://thehackernews.com/2023/04/israel-based-spyware-firm-quadream.html>) the exploitation of a now-patched flaw in Apple iOS by customers of a shadowy spyware vendor named QuaDream to target journalists, political opposition figures, and an NGO worker in 2021.\n\nIt also comes within a week of Apple releasing updates to patch two actively exploited zero-day vulnerabilities ([CVE-2023-28205 and CVE-2023-28206](<https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html>)) in iOS, iPadOS, macOS, and Safari web browser that could lead to arbitrary code execution.\n\nUsers are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-15T03:58:00", "type": "thn", "title": "Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-1096", "CVE-2022-1364", "CVE-2022-3723", "CVE-2022-4262", "CVE-2023-2033", "CVE-2023-28205", "CVE-2023-28206"], "modified": "2023-04-17T06:21:11", "id": "THN:CDFC216AC6B26D35C38BDB32822B4E96", "href": "https://thehackernews.com/2023/04/google-releases-urgent-chrome-update-to.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-26T04:08:15", "description": "[ ](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEikPLibtmTn8N2H14UEsCbQi0mXDkp7d4sxfUThlf9SHApnBVQaXlzTa5_Y_GROcH_HN9A8cDTE0iaRtCHiFqthOucxRIZyrjEzXxqkiX0DQPciOOULFnJ0I4aob50-m5id5elUHNKFtdF-5Ep-jdQVcYtFgUVENLsQkZIYWjXsuoDDYF_UBh0lc0o2/s728-e100/chrome-update.png>)\n\nGoogle on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser.\n\nTracked as **CVE-2022-4135**, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022.\n\nHeap-based buffer overflow bugs can be [weaponized](<https://cwe.mitre.org/data/definitions/122.html>) by threat actors to crash a program or execute arbitrary code, leading to unintended behavior.\n\n\"Google is aware that an exploit for CVE-2022-4135 exists in the wild,\" the tech giant [acknowledged](<https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html>) in an advisory.\n\nBut like other actively exploited issues, technical specifics have been withheld until a majority of the users are updated with a fix and to prevent further abuse.\n\nWith the latest update, Google has resolved eight zero-day vulnerabilities in Chrome since the start of the year -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-2294**](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n * [**CVE-2022-2856**](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>) \\- Insufficient validation of untrusted input in Intents\n * [**CVE-2022-3075**](<https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html>) \\- Insufficient data validation in Mojo\n * [**CVE-2022-3723**](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n\nUsers are recommended to upgrade to version 107.0.5304.121 for macOS and Linux and 107.0.5304.121/.122 for Windows to mitigate potential threats.\n\nUsers of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-11-25T13:12:00", "type": "thn", "title": "Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-3723", "CVE-2022-4135"], "modified": "2022-11-26T04:07:40", "id": "THN:FFFF05ECDE44C9ED26B53D328B60689B", "href": "https://thehackernews.com/2022/11/update-chrome-browser-now-to-patch-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-05T06:08:51", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi3-1t-O1Y4Oqvj24RGfItVIc7r4d1BOuWfRH4xG5ilh6GX83VydcDH0Fs1xqW5JUvFrpLzvA9ifqmf2lHts3lgA5VStlmb7c1Msk0yFUv5qzEgEjiU3_EPqVJlK4Z6uzMUFoKmnDAHWtOXsYNv7vEG8yG9H-NwH46z-Z7nAKiihKDF7bzl_Y20QXxS/s728-e100/chrome.png>)\n\nSearch giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser.\n\nThe high-severity flaw, tracked as [CVE-2022-4262](<https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html>), concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022.\n\nType confusion vulnerabilities could be weaponized by threat actors to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.\n\nAccording to the NIST's National Vulnerability Database, the flaw [permits](<https://nvd.nist.gov/vuln/detail/CVE-2022-4262>) a \"remote attacker to potentially exploit heap corruption via a crafted HTML page.\"\n\nGoogle acknowledged active exploitation of the vulnerability but stopped short of sharing additional specifics to prevent further abuse.\n\nCVE-2022-4262 is the fourth actively exploited type confusion flaw in Chrome that Google has addressed since the start of the year. It's also the ninth zero-day flaw attackers have exploited in the wild in 2022 -\n\n * [**CVE-2022-0609**](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>) \\- Use-after-free in Animation\n * [**CVE-2022-1096**](<https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-1364**](<https://thehackernews.com/2022/04/google-releases-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-2294**](<https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html>) \\- Heap buffer overflow in WebRTC\n * [**CVE-2022-2856**](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>) \\- Insufficient validation of untrusted input in Intents\n * [**CVE-2022-3075**](<https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html>) \\- Insufficient data validation in Mojo\n * [**CVE-2022-3723**](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>) \\- Type confusion in V8\n * [**CVE-2022-4135**](<https://thehackernews.com/2022/11/update-chrome-browser-now-to-patch-new.html>) \\- Heap buffer overflow in GPU\n\nUsers are recommended to upgrade to version 108.0.5359.94 for macOS and Linux and 108.0.5359.94/.95 for Windows to mitigate potential threats.\n\nUsers of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2022-12-03T04:41:00", "type": "thn", "title": "Google Rolls Out New Chrome Browser Update to Patch Yet Another Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609", "CVE-2022-1096", "CVE-2022-1364", "CVE-2022-2294", "CVE-2022-2856", "CVE-2022-3075", "CVE-2022-3723", "CVE-2022-4135", "CVE-2022-4262"], "modified": "2022-12-05T04:33:44", "id": "THN:2FB8A3C1E526D1FFA1477D35F0F70BF4", "href": "https://thehackernews.com/2022/12/google-rolls-out-new-chrome-browser.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-03T10:16:37", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPNp0SkYNTlVWjFVObwGW-MHGnGT5EfEFFvLAXvoLJFNLuK4kXvrZBWQoYPCbWvpqd2IRoQ-ZWFcmFegr25XTfv7FhNX2ZOP_lTwzkL7xSr_WTK2vXLwsBr4SyKPw0yN1f70WSbzi4S1O7X6TMkJO7p78HEcBfEYBlF6HvTDZzqObqFyAPQPK5sRnB/s728-e365/zero-day.png>)\n\nA number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group (TAG) has revealed.\n\nThe two distinct campaigns were both limited and highly targeted, taking advantage of the patch gap between the release of a fix and when it was actually deployed on the targeted devices. The scale of the two campaigns and the nature of the targets are currently unknown.\n\n\"These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house,\" TAG's Clement Lecigne [said](<https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/>) in a new report.\n\n\"While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers, and opposition party politicians.\"\n\nThe first of the two operations took place in November 2022 and involved sending shortened links over SMS messages to users located in Italy, Malaysia, and Kazakhstan.\n\nUpon clicking, the URLs redirected the recipients to web pages hosting exploits for Android or iOS, before they were redirected again to legitimate news or shipment-tracking websites.\n\nThe iOS exploit chain leveraged multiple bugs, including [CVE-2022-42856](<https://thehackernews.com/2022/12/new-actively-exploited-zero-day.html>) (a then zero-day), [CVE-2021-30900](<https://nvd.nist.gov/vuln/detail/CVE-2021-30900>), and a pointer authentication code ([PAC](<https://thehackernews.com/2022/06/mit-researchers-discover-new-flaw-in.html>)) [bypass](<https://bugs.webkit.org/show_bug.cgi?id=237867>), to install an [.IPA file](<https://en.wikipedia.org/wiki/.ipa>) onto the susceptible device.\n\nThe Android exploit chain comprised three exploits \u2013 [CVE-2022-3723](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>), [CVE-2022-4135](<https://thehackernews.com/2022/11/update-chrome-browser-now-to-patch-new.html>) (a zero-day at the time of abuse), and [CVE-2022-38181](<https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities>) \u2013 to deliver an unspecified payload.\n\nWhile [CVE-2022-38181](<https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/>), a privilege escalation bug affecting Mali GPU Kernel Driver, was patched by Arm in August 2022, it's not known if the adversary was already in possession of an exploit for the flaw prior to the release of the patch.\n\nAnother point of note is that Android users who clicked on the link and opened it in Samsung Internet Browser were redirected to Chrome using a method called [intent redirection](<https://developer.android.com/topic/security/risks/intent-redirection>).\n\nThe second campaign, observed in December 2022, consisted of several zero-days and n-days targeting the latest version of Samsung Internet Browser, with the exploits delivered as one-time links via SMS to devices located in the U.A.E.\n\nThe web page, similar to those that were used by Spanish spyware company [Variston IT](<https://thehackernews.com/2022/12/google-accuses-spanish-spyware-vendor.html>), ultimately implanted a C++-based malicious toolkit capable of harvesting data from chat and browser applications.\n\nThe flaws exploited constitute [CVE-2022-4262](<https://thehackernews.com/2022/12/google-rolls-out-new-chrome-browser.html>), [CVE-2022-3038](<https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html>), [CVE-2022-22706](<https://nvd.nist.gov/vuln/detail/CVE-2022-22706>), [CVE-2023-0266](<https://nvd.nist.gov/vuln/detail/CVE-2023-0266>), and [CVE-2023-26083](<https://nvd.nist.gov/vuln/detail/cve-2023-26083>). The exploit chain is believed to have been used by a customer or partner of Variston IT.\n\nAmnesty International, in a coordinated report, described the December 2022 hacking campaign as advanced and sophisticated and that the exploit is \"developed by a commercial cyber surveillance company and sold to governments hackers to carry out targeted spyware attacks.\"\n\n\"The newly discovered spyware campaign has been active since at least 2020 and targeted mobile and desktop devices, including users of Google's Android operating system,\" the international non-governmental organization [said](<https://www.amnesty.org/en/latest/news/2023/03/new-android-hacking-campaign-linked-to-mercenary-spyware-company/>). \"The spyware and zero-day exploits were delivered from an extensive network of more than [1,000 malicious domains](<https://github.com/AmnestyTech/investigations/tree/master/2023-03-29_android_campaign>), including domains spoofing media websites in multiple countries.\"\n\nThe revelations come just days after the U.S. government announced an [executive order](<https://thehackernews.com/2023/03/president-biden-signs-executive-order.html>) restricting federal agencies from using commercial spyware that presents a national security risk.\n\n\"These campaigns are a reminder that the commercial spyware industry continues to thrive,\" Lecigne said. \"Even smaller surveillance vendors have access to zero-days, and vendors stockpiling and using zero-day vulnerabilities in secret pose a severe risk to the Internet.\"\n\n\"These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-03-29T13:52:00", "type": "thn", "title": "Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30900", "CVE-2022-22706", "CVE-2022-3038", "CVE-2022-3723", "CVE-2022-38181", "CVE-2022-4135", "CVE-2022-4262", "CVE-2022-42856", "CVE-2023-0266", "CVE-2023-26083"], "modified": "2023-04-03T08:20:27", "id": "THN:C9CB70D59541495680ADDB984FFECDD0", "href": "https://thehackernews.com/2023/03/spyware-vendors-caught-exploiting-zero.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-12-21T08:09:51", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhRGuKS_Ai-L-qiVZdEFGn7uK-IPJWG7OVJuc14ve1BQhS-DNzadyzsxrWDZzT_U-4vHn6Ci6QMVpvC32Z9Li0cvsB5fhO8hcudaqdzaDodQHH9QqF5OxHP1q0hc6lDsxiiiI78HVvCuWDAkmFsBVbFyfojw4TprpKxvvi71j3A6So9cmZFQUnnk7Km/s728-e100/windows.jpg>)\n\nMicrosoft's latest round of monthly security updates has been released with fixes for [68 vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Nov>) spanning its software portfolio, including patches for six actively exploited zero-days.\n\n12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by [OpenSSL](<https://thehackernews.com/2022/11/just-in-openssl-releases-patch-for-2.html>) the previous week.\n\nAlso separately [addressed](<https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) in Microsoft Edge at the start of the month is an actively exploited flaw in Chromium-based browsers ([CVE-2022-3723](<https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html>)) that was plugged by Google as part of an out-of-band update late last month.\n\n\"The big news is that [two older zero-day CVEs](<https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html>) affecting Exchange Server, made public at the end of September, have finally been fixed,\" Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News.\n\n\"Customers are advised to update their [Exchange Server systems](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045>) immediately, regardless of whether any previously recommended mitigation steps have been applied. The mitigation rules are no longer recommended once systems have been patched.\"\n\nThe list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows -\n\n * [**CVE-2022-41040**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040>) (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell)\n * [**CVE-2022-41082**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082>) (CVSS score: 8.0) - Microsoft Exchange Server Remote Code Execution Vulnerability (aka ProxyNotShell)\n * [**CVE-2022-41128**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41128>) (CVSS score: 8.8) - Windows Scripting Languages Remote Code Execution Vulnerability\n * [**CVE-2022-41125**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41125>) (CVSS score: 7.8) - Windows CNG Key Isolation Service Elevation of Privilege Vulnerability\n * [**CVE-2022-41073**](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073>) (CVSS score: 7.8) - Windows Print Spooler Elevation of Privilege Vulnerability\n * [**CVE-2022-41091**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41091>) (CVSS score: 5.4) - Windows Mark of the Web Security Feature Bypass Vulnerability\n\nBeno\u00eet Sevens and Cl\u00e9ment Lecigne of Google's Threat Analysis Group (TAG) have been credited with reporting CVE-2022-41128, which resides in the JScript9 component and occurs when a target is tricked into visiting a specially crafted website.\n\nCVE-2022-41091 is one of the [two security bypass flaws](<https://thehackernews.com/2022/10/unofficial-patch-released-for-new.html>) in Windows Mark of the Web (MoTW) that came to light over the past few months. It was recently discovered as weaponized by the Magniber ransomware actor to target users with fake software updates.\n\n\"An attacker can craft a malicious file that would evade Mark of the Web (MotW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,\" Microsoft said in an advisory.\n\nThe second MotW flaw to be resolved is [CVE-2022-41049](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41049>) (aka [ZippyReads](<https://twitter.com/wdormann/status/1590044005395357697>)). Reported by Analygence security researcher Will Dormann, it [relates](<https://breakdev.org/zip-motw-bug-analysis/>) to a failure to set the Mark of the Web flag to extracted archive files.\n\nThe two privilege escalation flaws in Print Spooler and the [CNG Key Isolation Service](<https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval>) are likely to be abused by threat actors as a follow-up to an initial compromise and gain SYSTEM privileges, Kev Breen, director of cyber threat research at Immersive Labs, said.\n\n\"This higher level of access is required to disable or tamper with security monitoring tools before running credential attacks with tools like Mimikatz that can allow attackers to move laterally across a network,\" Breen added.\n\nFour other Critical-rated vulnerabilities in the November patch worth pointing out are privilege elevation flaws in Windows [Kerberos](<https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb>) ([CVE-2022-37967](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37967>)), [Kerberos RC4-HMAC](<https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d>) ([CVE-2022-37966](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37966>)), and Microsoft Exchange Server ([CVE-2022-41080](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080>)), and a denial-of-service flaw affecting Windows Hyper-V ([CVE-2022-38015](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-38015>)).\n\nThe list of fixes for Critical flaws is tailended by four remote code execution vulnerabilities in the Point-to-Point Tunneling Protocol ([PPTP](<https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol>)), all carrying CVSS scores of 8.1 ([CVE-2022-41039](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41039>), [CVE-2022-41088](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41088>), and [CVE-2022-41044](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41044>)), and another impacting Windows scripting languages JScript9 and Chakra ([CVE-2022-41118](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41118>)).\n\nIn addition to these issues, the Patch Tuesday update also resolves a number of remote code execution flaws in Microsoft Excel, Word, ODBC Driver, Office Graphics, SharePoint Server, and Visual Studio, as well as a handful of privilege escalation bugs in Win32k, Overlay Filter, and Group Policy.\n\n### Software Patches from Other Vendors\n\nMicrosoft aside, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including \u2014\n\n * [AMD](<https://www.amd.com/en/corporate/product-security>)\n * [Android](<https://source.android.com/docs/security/bulletin/2022-11-01>)\n * [Apple](<https://support.apple.com/en-us/HT213496>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [CODESYS](<https://www.codesys.com/security/security-reports.html>)\n * [Dell](<https://www.dell.com/support/security/>)\n * [F5](<https://support.f5.com/csp/new-updated-articles>)\n * [Fortinet](<https://www.fortiguard.com/psirt?date=11-2022>)\n * [GitLab](<https://about.gitlab.com/releases/2022/11/02/security-release-gitlab-15-5-2-released/>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop.html>)\n * [HP](<https://support.hp.com/us-en/security-bulletins>)\n * [IBM](<https://www.ibm.com/support/pages/bulletin/>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [Juniper Networks](<https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=\\[Security%20Advisories\\]>)\n * [Lenovo](<https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories>)\n * Linux distributions [Debian](<https://www.debian.org/security/2022/>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21::::RP::>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=1&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=PortalProduct>), [SUSE](<https://www.suse.com/support/update/>), and [Ubuntu](<https://ubuntu.com/security/notices>)\n * [MediaTek](<https://corp.mediatek.com/product-security-bulletin/November-2022>)\n * [NVIDIA](<https://www.nvidia.com/en-us/security/>)\n * [Qualcomm](<https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2022-bulletin.html>)\n * [SAP](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [Trend Micro](<https://success.trendmicro.com/dcx/s/vulnerability-response?language=en_US>)\n * [VMware](<https://www.vmware.com/security/advisories.html>), and\n * [WordPress](<https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/>)\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-09T05:16:00", "type": "thn", "title": "Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3723", "CVE-2022-37966", "CVE-2022-37967", "CVE-2022-38015", "CVE-2022-41039", "CVE-2022-41040", "CVE-2022-41044", "CVE-2022-41049", "CVE-2022-41073", "CVE-2022-41080", "CVE-2022-41082", "CVE-2022-41088", "CVE-2022-41091", "CVE-2022-41118", "CVE-2022-41125", "CVE-2022-41128"], "modified": "2022-12-21T07:24:53", "id": "THN:31DAA0B9538D69BB42EFB6567298FF49", "href": "https://thehackernews.com/2022/11/install-latest-windows-update-asap.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "mageia": [{"lastseen": "2023-12-03T17:33:22", "description": "The chromium-browser-stable package has been updated to the new 107 branch with the 107.0.5304.87 version, fixing many bugs and 15 vulnerabilities, together with 107.0.5304.68. Some of the security fixes are: High CVE-2022-3652: Type Confusion in V8. Reported by srodulv and ZNMchtss at S.S.L Team on 2022-09-30 High CVE-2022-3653: Heap buffer overflow in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-08-19 High CVE-2022-3654: Use after free in Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-09-19 Medium CVE-2022-3655: Heap buffer overflow in Media Galleries. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-07-11 Medium CVE-2022-3656: Insufficient data validation in File System. Reported by Ron Masas, Imperva on 2022-07-18 Medium CVE-2022-3657: Use after free in Extensions. Reported by Omri Bushari, Talon Cyber Security on 2022-08-09 Medium CVE-2022-3658: Use after free in Feedback service on Chrome OS. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-08-14 Medium CVE-2022-3659: Use after free in Accessibility. Reported by @ginggilBesel on 2022-08-23 Medium CVE-2022-3660: Inappropriate implementation in Full screen mode. Reported by Irvan Kurniawan (sourc7) on 2022-05-20 Low CVE-2022-3661: Insufficient data validation in Extensions. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2022-08-04 High CVE-2022-3723: Type Confusion in V8. Reported by Jan Vojt\u011b\u0161ek, Mil\u00e1nek, and Przemek Gmerek of Avast on 2022-10-25 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-13T05:25:20", "type": "mageia", "title": "Updated chromium-browser-stable packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3652", "CVE-2022-3653", "CVE-2022-3654", "CVE-2022-3655", "CVE-2022-3656", "CVE-2022-3657", "CVE-2022-3658", "CVE-2022-3659", "CVE-2022-3660", "CVE-2022-3661", "CVE-2022-3723"], "modified": "2022-11-13T05:25:20", "id": "MGASA-2022-0419", "href": "https://advisories.mageia.org/MGASA-2022-0419.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2022-11-02T20:40:53", "description": "An update that fixes 11 vulnerabilities is now available.\n\nDescription:\n\n This update for chromium fixes the following issues:\n\n Chromium 107.0.5304.87 (boo#1204819)\n\n * CVE-2022-3723: Type Confusion in V8\n\n Chromium 107.0.5304.68 (boo#1204732)\n\n * CVE-2022-3652: Type Confusion in V8\n * CVE-2022-3653: Heap buffer overflow in Vulkan\n * CVE-2022-3654: Use after free in Layout\n * CVE-2022-3655: Heap buffer overflow in Media Galleries\n * CVE-2022-3656: Insufficient data validation in File System\n * CVE-2022-3657: Use after free in Extensions\n * CVE-2022-3658: Use after free in Feedback service on Chrome OS\n * CVE-2022-3659: Use after free in Accessibility\n * CVE-2022-3660: Inappropriate implementation in Full screen mode\n * CVE-2022-3661: Insufficient data validation in Extensions\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP4:\n\n zypper in -t patch openSUSE-2022-10180=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-31T00:00:00", "type": "suse", "title": "Security update for chromium (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-3652", "CVE-2022-3653", "CVE-2022-3654", "CVE-2022-3655", "CVE-2022-3656", "CVE-2022-3657", "CVE-2022-3658", "CVE-2022-3659", "CVE-2022-3660", "CVE-2022-3661", "CVE-2022-3723"], "modified": "2022-10-31T00:00:00", "id": "OPENSUSE-SU-2022:10180-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3DL7MSB2KL4PJBOEPFHVNU2YH353TPTY/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-02T20:40:53", "description": "An update that fixes 11 vulnerabilities is now available.\n\nDescription:\n\n This update for chromium fixes the following issues:\n\n Chromium 107.0.5304.87 (boo#1204819)\n\n * CVE-2022-3723: Type Confusion in V8\n\n Chromium 107.0.5304.68 (boo#1204732)\n\n * CVE-2022-3652: Type Confusion in V8\n * CVE-2022-3653: Heap buffer overflow in Vulkan\n * CVE-2022-3654: Use after free in Layout\n * CVE-2022-3655: Heap buffer overflow in Media Galleries\n * CVE-2022-3656: Insufficient data validation in File System\n * CVE-2022-3657: Use after free in Extensions\n * CVE-2022-3658: Use after free in Feedback service on Chrome OS\n * CVE-2022-3659: Use after free in Accessibility\n * CVE-2022-3660: Inappropriate implementation in Full screen mode\n * CVE-2022-3661: Insufficient data validation in Extensions\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP3:\n\n zypper in -t patch openSUSE-2022-10177=1", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-31T00:00:00", "type": "suse", "title": "Security update for chromium (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-3652", "CVE-2022-3653", "CVE-2022-3654", "CVE-2022-3655", "CVE-2022-3656", "CVE-2022-3657", "CVE-2022-3658", "CVE-2022-3659", "CVE-2022-3660", "CVE-2022-3661", "CVE-2022-3723"], "modified": "2022-10-31T00:00:00", "id": "OPENSUSE-SU-2022:10177-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C5ZTHS4CVKMHGRNVO5FNFQEVHUH3FEZU/", "cvss": {"score": 0.0, "vector": "NONE"}}], "avleonov": [{"lastseen": "2023-05-27T16:20:16", "description": "Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source [Vulristics](<https://github.com/leonov-av/vulristics>) project to create the report.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239107>\n\nThe most important news of this Patch Tuesday was a release of patches for ProxyNotShell **Remote Code Execution** - Microsoft Exchange (CVE-2022-41040, CVE-2022-41082) [mentioned in the previous episode](<https://avleonov.com/2022/10/29/microsoft-patch-tuesday-october-2022-exchange-proxynotshell-rce-windows-com-eop-ad-eop-azure-arc-kubernetes-eop/>). These vulnerabilities became public on September 28, and updates for this vulnerability did not appear until November 8. Microsoft could have acted more quickly. But it's good that the problem with these actively exploited vulnerabilities is finally solved.\n\nBut besides ProxyNotShell, this November Patch Tuesday had a lot of interesting vulnerabilities. Let's take a look.\n \n \n $ cat comments_links.txt \n Qualys|November 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/2022/11/08/november-2022-patch-tuesday\n ZDI|THE NOVEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/11/8/the-november-2022-security-update-review\n \n $ python3.8 process_classify_ms_products.py # Automated classifier for Microsoft products\n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"November\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n ...\n Creating Patch Tuesday profile...\n MS PT Year: 2022\n MS PT Month: November\n MS PT Date: 2022-11-08\n MS PT CVEs found: 66\n Ext MS PT Date from: 2022-10-12\n Ext MS PT Date to: 2022-11-07\n Ext MS PT CVEs found: 17\n ALL MS PT CVEs: 83\n ...\n\nAll vulnerabilities: 82 \nUrgent: 1 \nCritical: 6 \nHigh: 19 \nMedium: 56 \nLow: 0\n\nLet's start with vulnerabilities for which there is an exploit or signs of exploitation in the wild.\n\n 1. **Remote Code Execution** - Windows Scripting Languages (CVE-2022-41128). Critical RCE affecting the JScript9 scripting language (Microsoft\u2019s legacy JavaScript dialect, used by their Internet Explorer browser). It has been exploited in the wild and successful exploitation requires a user with an affected version of Windows to visit a malicious, attacker controlled server. In doing so, the attackers would get their code to execute on an affected system at the level of the logged-on user. The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit).\n 2. **Security Feature Bypass** - Windows Mark of the Web (CVE-2022-41049, CVE-2022-41091). MoTW is a security feature used to tag files downloaded from the internet and prevent them from performing certain actions. Files flagged with MoTW would be opened in Protected View in Microsoft Office \u2014 prompting users with a security warning banner asking them to confirm the document is trusted by selecting Enable content. A malicious actor could craft a file that could bypass MoTW \u201cresulting in a limited loss of integrity and availability of security features such as Protected View.\u201d The existence of a public exploit for CVE-2022-41049 is mentioned in Microsoft CVSS Temporal Score (Functional Exploit). Exploitation in the wild is mentioned on Vulners ([cisa_kev](<https://vulners.com/cisa_kev/CISA-KEV-CVE-2022-41091>) object), [AttackerKB](<https://attackerkb.com/topics/CTBamfnfiU/cve-2022-41091>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41091>) websites.\n 3. **Remote Code Execution** - OpenSSL (CVE-2022-3602). The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and is known to be affected: Azure SDK for C++, \nvcpkg, Microsoft Azure Kubernetes Service. The existence of a public exploit is mentioned on Vulners website. \n 4. **Memory Corruption** - Microsoft Edge (CVE-2022-3723). This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Exploitation in the wild is mentioned on Vulners ([cisa_kev](<https://vulners.com/cisa_kev/CISA-KEV-CVE-2022-3723>) object) and [AttackerKB](<https://attackerkb.com/topics/4dXwXSTpmo/cve-2022-3723>) websites.\n 5. **Elevation of Privilege** - Windows CNG Key Isolation Service (CVE-2022-41125). An attacker can abuse this bug to run their code with SYSTEM privileges. They would need to be authenticated, which is why bugs like these are often paired with some form of remote code execution exploit. Exploitation in the wild is mentioned on Vulners ([cisa_kev](<https://vulners.com/cisa_kev/CISA-KEV-CVE-2022-41125>) object), [AttackerKB](<https://attackerkb.com/topics/bqlIxPxukc/cve-2022-41125>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41125>) websites\n 6. **Elevation of Privilege** - Windows Print Spooler (CVE-2022-41073). The legacy of PrintNightmare continues as threat actors continue to mine the vast attack surface that is the Windows Print Spooler. While we\u2019ve seen plenty of other patches since PrintNightmare, this one is listed as being in the wild. Exploitation in the wild is mentioned on Vulners ([cisa_kev](<https://vulners.com/cisa_kev/CISA-KEV-CVE-2022-41073>) object), [AttackerKB](<https://attackerkb.com/topics/FcUYdZ2YUm/cve-2022-41073>), [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073>) websites.\n\nNow let's look at vulnerabilities for which there are no public exploits or signs of exploitation in the wild, but the descriptions of which are interesting enough to pay attention to.\n\n 1. **Elevation of Privilege** - Kerberos (CVE-2022-37966). Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and MS-PAC (Privilege Attribute Certificate Data Structure specification) to bypass security features in a Windows AD environment. Vulnerability Exploitability Assessment: Exploitation More Likely. Also pay attention to **Elevation of Privilege** - Kerberos (CVE-2022-37967). \n 2. **Elevation of Privilege** - Microsoft Exchange (CVE-2022-41080). The technical details are unknown, and an exploit is not publicly available. Applying a patch is able to eliminate this problem.\n 3. **Elevation of Privilege** - Netlogon RPC (CVE-2022-38023). Exploitability Assessment: Exploitation More Likely.\n\nFull Vulristics report: [ms_patch_tuesday_november2022](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_november2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-25T20:56:48", "type": "avleonov", "title": "Microsoft Patch Tuesday November 2022: Exchange ProxyNotShell RCE, JScript9, MoTW, OpenSSL, Edge, CNG, Print Spooler", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3602", "CVE-2022-3723", "CVE-2022-37966", "CVE-2022-37967", "CVE-2022-38023", "CVE-2022-41040", "CVE-2022-41049", "CVE-2022-41073", "CVE-2022-41080", "CVE-2022-41082", "CVE-2022-41091", "CVE-2022-41125", "CVE-2022-41128"], "modified": "2022-11-25T20:56:48", "id": "AVLEONOV:B4AA36B0AF8AA2D059C914E5F2B15CC0", "href": "https://avleonov.com/2022/11/25/microsoft-patch-tuesday-november-2022-exchange-proxynotshell-rce-jscript9-motw-openssl-edge-cng-print-spooler/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "altlinux": [{"lastseen": "2023-05-08T23:16:53", "description": "23.1.2.1033-alt1 built April 4, 2023 Yandex Browser Team in task #317282\n\nMarch 20, 2023 Yandex Browser Team\n \n \n - browser updated to 23.1.2\n + High CVE-2022-4436: Use after free in Blink Media.\n + High CVE-2022-4437: Use after free in Mojo IPC.\n + High CVE-2022-4438: Use after free in Blink Frames.\n + High CVE-2022-4439: Use after free in Aura.\n + Medium CVE-2022-4440: Use after free in Profiles.\n + High CVE-2022-4262: Type Confusion in V8.\n + High CVE-2022-4174: Type Confusion in V8.\n + High CVE-2022-4175: Use after free in Camera Capture.\n + High CVE-2022-4176: Out of bounds write in Lacros Graphics.\n + High CVE-2022-4177: Use after free in Extensions.\n + High CVE-2022-4178: Use after free in Mojo.\n + High CVE-2022-4179: Use after free in Audio.\n + High CVE-2022-4180: Use after free in Mojo.\n + High CVE-2022-4181: Use after free in Forms.\n + Medium CVE-2022-4182: Inappropriate implementation in Fenced Frames.\n + Medium CVE-2022-4183: Insufficient policy enforcement in Popup Blocker.\n + Medium CVE-2022-4184: Insufficient policy enforcement in Autofill.\n + Medium CVE-2022-4185: Inappropriate implementation in Navigation.\n + Medium CVE-2022-4186: Insufficient validation of untrusted input in Downloads.\n + Medium CVE-2022-4187: Insufficient policy enforcement in DevTools.\n + Medium CVE-2022-4188: Insufficient validation of untrusted input in CORS.\n + Medium CVE-2022-4189: Insufficient policy enforcement in DevTools.\n + Medium CVE-2022-4190: Insufficient data validation in Directory.\n + Medium CVE-2022-4191: Use after free in Sign-In.\n + Medium CVE-2022-4192: Use after free in Live Caption.\n + Medium CVE-2022-4193: Insufficient policy enforcement in File System API.\n + Medium CVE-2022-4194: Use after free in Accessibility.\n + Medium CVE-2022-4195: Insufficient policy enforcement in Safe Browsing.\n + High CVE-2022-4135: Heap buffer overflow in GPU.\n + High CVE-2022-3885: Use after free in V8.\n + High CVE-2022-3886: Use after free in Speech Recognition.\n + High CVE-2022-3887: Use after free in Web Workers.\n + High CVE-2022-3888: Use after free in WebCodecs.\n + High CVE-2022-3889: Type Confusion in V8.\n + High CVE-2022-3890: Heap buffer overflow in Crashpad.\n + High CVE-2022-3723: Type Confusion in V8.\n + High CVE-2022-3652: Type Confusion in V8.\n + High CVE-2022-3653: Heap buffer overflow in Vulkan.\n + High CVE-2022-3654: Use after free in Layout.\n + Medium CVE-2022-3655: Heap buffer overflow in Media Galleries.\n + Medium CVE-2022-3656: Insufficient data validation in File System.\n + Medium CVE-2022-3657: Use after free in Extensions.\n + Medium CVE-2022-3658: Use after free in Feedback service on Chrome OS.\n + Medium CVE-2022-3659: Use after free in Accessibility.\n + Medium CVE-2022-3660: Inappropriate implementation in Full screen mode.\n + Low CVE-2022-3661: Insufficient data validation in Extensions.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-04-04T00:00:00", "type": "altlinux", "title": "Security fix for the ALT Linux 10 package yandex-browser-stable version 23.1.2.1033-alt1", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-3652", "CVE-2022-3653", "CVE-2022-3654", "CVE-2022-3655", "CVE-2022-3656", "CVE-2022-3657", "CVE-2022-3658", "CVE-2022-3659", "CVE-2022-3660", "CVE-2022-3661", "CVE-2022-3723", "CVE-2022-3885", "CVE-2022-3886", "CVE-2022-3887", "CVE-2022-3888", "CVE-2022-3889", "CVE-2022-3890", "CVE-2022-4135", "CVE-2022-4174", "CVE-2022-4175", "CVE-2022-4176", "CVE-2022-4177", "CVE-2022-4178", "CVE-2022-4179", "CVE-2022-4180", "CVE-2022-4181", "CVE-2022-4182", "CVE-2022-4183", "CVE-2022-4184", "CVE-2022-4185", "CVE-2022-4186", "CVE-2022-4187", "CVE-2022-4188", "CVE-2022-4189", "CVE-2022-4190", "CVE-2022-4191", "CVE-2022-4192", "CVE-2022-4193", "CVE-2022-4194", "CVE-2022-4195", "CVE-2022-4262", "CVE-2022-4436", "CVE-2022-4437", "CVE-2022-4438", "CVE-2022-4439", "CVE-2022-4440"], "modified": "2023-04-04T00:00:00", "id": "AF33DF2FCB7CD238CA2AC81CF198F71E", "href": "https://packages.altlinux.org/en/p10/srpms/yandex-browser-stable/", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2023-12-03T17:33:57", "description": "### Background\n\nChromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. Google Chrome is one fast, simple, and secure browser for all your devices. Microsoft Edge is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Chromium, Google Chrome, Microsoft Edge. Please review the CVE identifiers referenced below for details.\n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Chromium users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/chromium-109.0.5414.74-r1\"\n \n\nAll Chromium binary users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/chromium-bin-109.0.5414.74\"\n \n\nAll Google Chrome users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/google-chrome-109.0.5414.74\"\n \n\nAll Microsoft Edge users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/microsoft-edge-109.0.1518.61\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2023-05-03T00:00:00", "type": "gentoo", "title": "Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-3445", "CVE-2022-3446", "CVE-2022-3447", "CVE-2022-3448", "CVE-2022-3449", "CVE-2022-3450", "CVE-2022-3723", "CVE-2022-41115", "CVE-2022-4135", "CVE-2022-4174", "CVE-2022-4175", "CVE-2022-4176", "CVE-2022-4177", "CVE-2022-4178", "CVE-2022-4179", "CVE-2022-4180", "CVE-2022-4181", "CVE-2022-4182", "CVE-2022-4183", "CVE-2022-4184", "CVE-2022-4185", "CVE-2022-4186", "CVE-2022-4187", "CVE-2022-4188", "CVE-2022-4189", "CVE-2022-4190", "CVE-2022-4191", "CVE-2022-4192", "CVE-2022-4193", "CVE-2022-4194", "CVE-2022-4195", "CVE-2022-4436", "CVE-2022-4437", "CVE-2022-4438", "CVE-2022-4439", "CVE-2022-4440", "CVE-2022-44688", "CVE-2022-44708", "CVE-2023-0128", "CVE-2023-0129", "CVE-2023-0130", "CVE-2023-0131", "CVE-2023-0132", "CVE-2023-0133", "CVE-2023-0134", "CVE-2023-0135", "CVE-2023-0136", "CVE-2023-0137", "CVE-2023-0138", "CVE-2023-0139", "CVE-2023-0140", "CVE-2023-0141", "CVE-2023-21719", "CVE-2023-21775", "CVE-2023-21795", "CVE-2023-21796"], "modified": "2023-05-03T00:00:00", "id": "GLSA-202305-10", "href": "https://security.gentoo.org/glsa/202305-10", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
CVE-2022-3723
