Google has released patches for several high-severity vulnerabilities in its Chrome browser with the rollout of Chrome 87 for Windows, Mac and Linux users.
Overall, Google fixed 33 vulnerabilities in its latest version, Chrome 87.0.4280.66, which is being rolled out over the coming days. This includes one high-severity CVE (CVE-2020-16022) that could allow a remote attacker to bypass security restrictions and access any Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port on a victim's computer. This issue was disclosed on Oct. 31 by Samy Kamkar, security researcher and co-founder of Openpath, who called the attack "NAT slipstreaming."
"Slipstreaming is easy to exploit as it's essentially entirely automated and works cross-browser and cross-platform, and doesn't require any user interaction other than visiting the victim site," Kamkar told Threatpost.
At a high level, an attacker could remotely exploit the flaw by persuading a victim to visit a specially crafted website (via social engineering and other tactics). The attacker would then be able to bypass security restrictions.
"NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website," Kamkar said in his analysis of the issue.
The attack centers on Network Address Translation (NAT), which translates the IP addresses of computers in a local network to a single IP address. NAT allows a single device (like a router) to act as an agent between the Internet and a local network, meaning that only one unique IP address is required to represent an entire group of computers to anything outside their network.
In order to launch an attack, the victim's traffic must also pass through a NAT with the Application Level Gateway (ALG) connection-tracking mechanism that's built into NATs. NAT Slipstreaming exploits the user's browser in conjunction with ALG.
"This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet injection technique across all major modern (and older) browsers, and is a modernized version to my original NAT Pinning technique from 2010 (presented at DEFCON 18 + Black Hat 2010)," said Kamkar.
Google said the issue here is caused by insufficient policy enforcement in networking. However, Kamkar said he doesn't consider NAT Slipstreaming to be technically a flaw, as there's no actual "bug" in browsers or routers and both are doing exactly as they're supposed to. "Rather it's an unexpected side-effect of a complex interaction between the two systems that's being exploited," he told Threatpost.
Other browsers, including Mozilla Firefox and the Chromium rendering engine Blink, have plans in the works to release their own updates addressing this problem.
Google released patches for several other high-severity vulnerabilities; however, as is typical for the browser, it stayed mum on the details of the bugs "until the majority of users are updated with a fix."
Other flaws include a use-after-free bug (CVE-2020-16018) in the payments component of Chrome, reported by Man Yue Mo of GitHub Security Lab, as well as a use-after-free error in Google's PPAPI browser plug-in interface (CVE-2020-16014), reported by Rong Jian and Leecraso of 360 Alpha Lab.
Two high-severity "inappropriate implementation" flaws were also discovered: one in the filesystem component (CVE-2020-16019) and one in the cryptohome component (CVE-2020-16020). Both were discovered by Rory McNamara.
Heap buffer overflow bugs were also discovered in the UI (CVE-2020-16024) and clipboard (CVE-2020-16025) components. Both were reported by Sergei Glazunov of Google Project Zero.
This most recent Chrome update comes a week after two high-severity zero-day vulnerabilities were disclosed in the Chrome desktop browser. The two flaws (CVE-2020-16013 and CVE-2020-16017) have been actively exploited in the wild, and allow an unauthenticated, remote attacker to compromise an affected system via the web. A stable channel update, 86.0.4240.198 for Windows, Mac and Linux, was released last week that addressed the flaws.
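To make the NAT/ALG interaction concrete, here is a small added model of a NAT's connection-tracking table. It is illustration written for this page, not code from the article or from Kamkar's research, and the `CONTACT ip:port` payload grammar, the addresses and the port numbers are all constructed. It shows why an ALG that opens pinholes based on addresses it finds inside application payloads exposes internal services, and how two defensive policies (disabling the ALG, or only honoring an advertised address that matches the flow's real source) close that exposure.

```python
"""Toy NAT with an optional application-level gateway (ALG).

Added illustration for this article; not code from Threatpost or from
Samy Kamkar's NAT Slipstreaming work. The payload grammar 'CONTACT ip:port'
and all addresses/ports are constructed for the example.
"""
import re
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # the NAT's single external address (documentation range)


@dataclass
class NatDevice:
    # Outbound flow (internal_ip, internal_port) -> allocated external port.
    translations: dict = field(default_factory=dict)
    # External port -> internal (ip, port) that unsolicited inbound traffic reaches.
    pinholes: dict = field(default_factory=dict)
    alg_enabled: bool = True
    # Hardened policy: only honor an advertised address if it equals the
    # flow's actual source; an ALG that trusts arbitrary payload content
    # lets any content the client sends decide which port gets exposed.
    require_source_match: bool = False
    next_port: int = 40000

    def _allocate(self, internal_ip: str, internal_port: int) -> int:
        key = (internal_ip, internal_port)
        if key not in self.translations:
            self.translations[key] = self.next_port
            self.next_port += 1
        return self.translations[key]

    def outbound(self, src_ip: str, src_port: int, payload: bytes) -> int:
        """Translate an outbound packet and return the external port it uses.

        The return-path mapping is the normal, expected pinhole. If the ALG
        is on, it additionally inspects the payload for an advertised address.
        """
        ext_port = self._allocate(src_ip, src_port)
        self.pinholes[ext_port] = (src_ip, src_port)
        if self.alg_enabled:
            self._alg_inspect(src_ip, src_port, payload)
        return ext_port

    def _alg_inspect(self, src_ip: str, src_port: int, payload: bytes) -> None:
        # Constructed grammar standing in for a real ALG's protocol parser.
        m = re.search(rb"CONTACT (\d+\.\d+\.\d+\.\d+):(\d+)", payload)
        if not m:
            return
        adv_ip, adv_port = m.group(1).decode(), int(m.group(2))
        if self.require_source_match and (adv_ip, adv_port) != (src_ip, src_port):
            return  # refuse a pinhole for a service the flow did not originate from
        ext = self._allocate(adv_ip, adv_port)
        self.pinholes[ext] = (adv_ip, adv_port)

    def inbound(self, ext_port: int):
        """Where an unsolicited inbound packet to ext_port would be delivered."""
        return self.pinholes.get(ext_port)

    def exposed_services(self) -> set:
        """Internal (ip, port) pairs reachable from outside that never
        initiated a flow themselves, i.e. pinholes created only by the ALG."""
        originated = set(self.translations) & set(self.pinholes.values())
        return {svc for svc in self.pinholes.values() if svc not in originated
                or svc[1] < 1024}  # well-known ports never originate web flows here


def demo(alg_enabled: bool = True, require_source_match: bool = False) -> NatDevice:
    """Run one web-style flow from an internal host whose payload advertises
    a different local port (constructed scenario)."""
    nat = NatDevice(alg_enabled=alg_enabled, require_source_match=require_source_match)
    payload = b"POST / HTTP/1.1\r\nHost: example.test\r\n\r\nCONTACT 10.0.0.5:22\r\n"
    nat.outbound("10.0.0.5", 51000, payload)
    return nat


if __name__ == "__main__":
    for label, kwargs in (("naive ALG", {}),
                          ("ALG disabled", {"alg_enabled": False}),
                          ("ALG with source check", {"require_source_match": True})):
        nat = demo(**kwargs)
        print(f"{label}: exposed internal services = {nat.exposed_services()}")
```

With the naive ALG the constructed payload causes the NAT to map an external port to the internal host's port 22, so an outside party who learns that port reaches the service directly; with the ALG disabled or the source-match policy in place, only the originating flow's return path exists. For a defender, the practical checks are whether the NAT/firewall has ALGs enabled for protocols the network does not actually use, and whether the browser update that blocks the affected ports has been deployed.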