Makers of the Chrome, Firefox and Edge browsers are urging users to patch critical vulnerabilities that, if exploited, allow attackers to take control of systems running the software.
The Mozilla Firefox vulnerability (CVE-2020-16044) is separate from a bug reported in Chromium, the Google browser engine used in Google Chrome and in the latest version of Microsoft’s Edge browser.
On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) urged users of the Mozilla Foundation’s Firefox browser to patch a bug, tracked as CVE-2020-16044 and rated critical. The vulnerability is a use-after-free bug in the way Firefox handles a COOKIE-ECHO chunk in an SCTP packet (the "cookie" here belongs to the SCTP handshake, not to HTTP browser cookies) and, if exploited, could allow an attacker to run arbitrary code on, and so take control of, the computer, phone or tablet running the browser.
Impacted are Firefox versions released prior to the recently released Firefox 84.0.2 for desktop, Firefox for Android 84.1.3 and Mozilla’s enterprise Firefox ESR 78.6.1; those releases carry the fix.
“A malicious peer could have modified a COOKIE-ECHO chunk in a SCTP packet in a way that potentially resulted in a use-after-free. We presume that with enough effort it could have been exploited to run arbitrary code,” according to a Mozilla security bulletin posted Thursday.
The acronym SCTP stands for Stream Control Transmission Protocol, a transport-layer protocol of the internet protocol suite that sits alongside TCP and UDP. Firefox speaks SCTP for WebRTC data channels, which is why the browser parses SCTP packets at all. The bug is tied to the way the SCTP "cookie" is handled, and that cookie has nothing to do with HTTP cookies.
During the SCTP four-way handshake, the responding endpoint hands out a state cookie in its INIT-ACK, and the initiating peer returns it in a COOKIE-ECHO chunk, which the responder parses to finish setting up the association. A COOKIE-ECHO chunk is therefore data a remote peer sends early in connection setup, before any trust has been established.
According to Mozilla, an adversary could craft a malicious COOKIE-ECHO chunk to corrupt the browser’s memory. A use-after-free vulnerability is a misuse of dynamically allocated memory during program execution: “If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” according to a description of the vulnerability.
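To make the pattern concrete, here is an added example (not Mozilla's code, and not the actual CVE-2020-16044 bug) of a handler that frees its connection state when an incoming chunk fails validation but keeps using the freed object, alongside a hardened version. The chunk layout, the `assoc_t` object and the pool allocator are constructed stand-ins: the pool poisons freed objects so the stale accesses are deterministic here, whereas with a real allocator they are undefined behaviour that an attacker steers by controlling what gets allocated into the freed slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the real allocator: a fixed-size object pool that
 * poisons freed objects so a use-after-free is visible and repeatable. */
#define POOL_SLOTS 4
#define POISON 0xDD

typedef struct {
    uint32_t tag;      /* verification tag the peer must echo back */
    uint32_t state;
    uint32_t in_use;
} assoc_t;

/* Constructed stand-in for an SCTP chunk; this is not the real wire format. */
typedef struct {
    uint8_t  type;
    uint32_t tag;
} chunk_t;

#define CHUNK_COOKIE_ECHO 10

static assoc_t pool[POOL_SLOTS];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

static assoc_t *assoc_alloc(uint32_t tag) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].in_use = 1;
            pool[i].tag = tag;
            return &pool[i];
        }
    }
    return NULL;
}

static void assoc_free(assoc_t *a) {
    memset(a, POISON, sizeof *a);   /* poison the body, then mark the slot reusable */
    a->in_use = 0;
}

/* Vulnerable: a bad cookie tears the association down, but the handler keeps
 * reading and writing through the pointer it just freed. */
static uint32_t handle_chunk_vuln(assoc_t *a, const chunk_t *c) {
    if (c->type != CHUNK_COOKIE_ECHO) return 0;
    if (c->tag != a->tag)
        assoc_free(a);       /* a is now dangling */
    a->state = 1;            /* write through the dangling pointer */
    return a->tag;           /* read through the dangling pointer */
}

/* Hardened: the teardown is reported to the caller, the caller's pointer is
 * cleared, and nothing touches the object after it is freed. */
static int handle_chunk_fixed(assoc_t **ap, const chunk_t *c) {
    assoc_t *a = *ap;
    if (c->type != CHUNK_COOKIE_ECHO) return -1;
    if (c->tag != a->tag) {
        assoc_free(a);
        *ap = NULL;          /* no dangling pointer survives the free */
        return -2;           /* caller must stop processing this packet */
    }
    a->state = 1;
    return 0;
}

/* Scenario 1: the stale read returns poisoned (freed) memory. */
uint32_t vuln_reads_freed_memory(void) {
    pool_reset();
    assoc_t *a = assoc_alloc(0x1111);
    chunk_t bad = { CHUNK_COOKIE_ECHO, 0x2222 };   /* constructed: wrong tag */
    return handle_chunk_vuln(a, &bad);
}

/* Scenario 2: the freed slot is handed to a new association, so the stale
 * pointer now aliases an object it was never meant to touch. Grooming the
 * heap so that this happens is how attackers turn a UAF into corruption. */
int vuln_stale_pointer_aliases_new_object(void) {
    pool_reset();
    assoc_t *a = assoc_alloc(0x1111);
    chunk_t bad = { CHUNK_COOKIE_ECHO, 0x2222 };
    handle_chunk_vuln(a, &bad);
    assoc_t *b = assoc_alloc(0x3333);   /* reuses the slot a still points to */
    a->state = 0x41414141;              /* stale write lands in b */
    return a == b && b->state == 0x41414141;
}

/* Scenario 3: the hardened handler refuses the chunk and leaves no dangling pointer. */
int fixed_rejects_and_clears(void) {
    pool_reset();
    assoc_t *a = assoc_alloc(0x1111);
    chunk_t bad = { CHUNK_COOKIE_ECHO, 0x2222 };
    int rc = handle_chunk_fixed(&a, &bad);
    return rc == -2 && a == NULL;
}

int main(void) {
    printf("stale read: 0x%08x\n", (unsigned)vuln_reads_freed_memory());
    printf("alias: %d  fixed: %d\n", vuln_stale_pointer_aliases_new_object(),
           fixed_rejects_and_clears());
    return 0;
}
```

The fix is not only nulling the pointer: the error path must also return before any further use, and the caller has to honour that return code. Clearing the pointer is what turns a later mistake into a crash on a NULL dereference rather than a silent write into whatever object now occupies the freed memory.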
Mozilla did not credit the bug discovery, nor did it state whether it was a vulnerability actively being exploited in the wild.
Also on Thursday, CISA urged Windows, macOS and Linux users of Google’s Chrome browser to update to version 87.0.4280.141, which fixes an out-of-bounds write bug (CVE-2020-15995). CISA’s warning stated that the update “addresses vulnerabilities that an attacker could exploit to take control of an affected system.”
Because Microsoft’s latest Edge browser is built on the Chromium engine, Microsoft likewise urged its users to update to Edge version 87.0.664.75.
While researchers at Tenable classify the out-of-bounds write bug as critical, both Google and Microsoft rate it high severity. Tencent Security Xuanwu Lab researcher Bohan Liu is credited with finding and reporting the bug.
Interestingly, CVE-2020-15995 first appeared in a Chrome for Android security bulletin that Google published in October 2020. There, too, it was rated high severity and described as an “out of bounds write in V8,” Chrome’s JavaScript engine; Liu originally reported it in September 2020.
Heap corruption is a form of memory corruption in which the contents of a memory location on the heap are modified by program behavior, malicious or not, that goes beyond what the programmer intended or the language permits; an out-of-bounds write is one common cause. A so-called heap-smashing attack can exploit instances of heap corruption, according to an academic paper (PDF) co-authored by Nektarios Georgios Tsoutsos, student member of IEEE, and Michail Maniatakos, senior member of IEEE.
“Heap Smashing Attacks exploit dynamic memory allocators (e.g., malloc) by corrupting the control structures defining the heap itself. By overflowing a heap block, attackers could overwrite adjacent heap headers that chain different heap blocks, and eventually cause the dynamic memory allocator to modify arbitrary memory locations as soon as a heap free operation is executed. The malicious payload can also be generated on-the-fly: for example, by exploiting Just-In-Time (JIT) compilation, assembled code can be written on the heap,” they wrote.
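The mechanism in that quote, an overflow into an adjacent chunk header that makes a later free() write wherever the attacker says, is easiest to see against a toy allocator. The following is an added example, not code from the paper, from V8 or from any real allocator: a bump allocator with inline chunk headers and the classic unchecked unlink() on coalescing, the forged-header overflow that abuses it, and the link-integrity check that modern allocators use to refuse it. The arena, the `vtable_slot` target and the `payload_region` are constructed stand-ins for a function pointer and for attacker-controlled memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROUND16(n) (((n) + 15) & ~(size_t)15)
#define ARENA_SIZE 256

/* Toy chunk header: the free-list links live inline, right in front of the
 * payload, so an overflow from the previous chunk can rewrite them. */
typedef struct chunk {
    size_t size;          /* payload bytes */
    size_t is_free;
    struct chunk *fd;     /* free-list links, meaningful when is_free */
    struct chunk *bk;
} chunk_t;

static uint64_t arena_words[ARENA_SIZE / 8];        /* 8-byte aligned backing store */
static uint8_t *const arena = (uint8_t *)arena_words;
static size_t arena_top;                             /* bump pointer */
static chunk_t free_head;                            /* circular free-list sentinel */

/* Constructed stand-ins for the attack target and attacker-owned memory. */
static chunk_t *vtable_slot;      /* plays the role of a function pointer */
static chunk_t  payload_region;   /* plays the role of attacker-controlled bytes */

static void arena_reset(void) {
    memset(arena, 0, ARENA_SIZE);
    arena_top = 0;
    free_head.fd = free_head.bk = &free_head;
    vtable_slot = NULL;
    memset(&payload_region, 0, sizeof payload_region);
}

static void *toy_malloc(size_t n) {
    size_t need = sizeof(chunk_t) + ROUND16(n);
    if (arena_top + need > ARENA_SIZE) return NULL;
    chunk_t *c = (chunk_t *)(arena + arena_top);
    arena_top += need;
    c->size = n; c->is_free = 0; c->fd = c->bk = NULL;
    return c + 1;                                    /* payload follows the header */
}

static chunk_t *next_chunk(chunk_t *c) {
    return (chunk_t *)((uint8_t *)(c + 1) + ROUND16(c->size));
}

/* free(): push the chunk on the free list, then coalesce with the physically
 * next chunk if it is free. `checked` adds the link-integrity test. */
static int toy_free(void *p, int checked) {
    chunk_t *c = (chunk_t *)p - 1;
    c->is_free = 1;
    c->fd = free_head.fd; c->bk = &free_head;
    free_head.fd->bk = c; free_head.fd = c;
    chunk_t *n = next_chunk(c);
    if ((uint8_t *)n < arena + arena_top && n->is_free) {
        if (checked && (n->fd->bk != n || n->bk->fd != n))
            return -1;                               /* corrupted double-linked list */
        n->fd->bk = n->bk;                           /* unlink(n): two writes the attacker steers */
        n->bk->fd = n->fd;
        c->size += sizeof(chunk_t) + ROUND16(n->size);
    }
    return 0;
}

/* The attack: overflow A's 32-byte payload into B's header with a forged
 * "free" chunk whose fd/bk aim at the target. free(A) then performs
 * fd->bk = bk, i.e. *(&vtable_slot) = &payload_region. */
static int run_attack(int checked) {
    arena_reset();
    uint8_t *a = toy_malloc(32);
    uint8_t *b = toy_malloc(32);
    (void)b;
    chunk_t forged = { 32, 1,
        (chunk_t *)((uintptr_t)&vtable_slot - offsetof(chunk_t, bk)),
        &payload_region };
    uint8_t over[32 + sizeof(chunk_t)];              /* constructed overflow payload */
    memset(over, 'A', 32);
    memcpy(over + 32, &forged, sizeof forged);
    memcpy(a, over, sizeof over);                    /* the heap overflow */
    return toy_free(a, checked);
}

/* Unchecked unlink: the function-pointer slot now points at attacker memory. */
int heap_smash_succeeds(void) {
    run_attack(0);
    return vtable_slot == &payload_region;
}

/* Checked unlink: the forged links fail the integrity test and nothing is written. */
int heap_smash_detected(void) {
    int rc = run_attack(1);
    return rc == -1 && vtable_slot == NULL;
}

int main(void) {
    printf("unchecked unlink hijacked: %d\n", heap_smash_succeeds());
    printf("checked unlink refused:    %d\n", heap_smash_detected());
    return 0;
}
```

Note the second unlink write, `bk->fd = fd`, also lands inside the attacker's own region; real payloads of this kind were laid out to tolerate that clobber. The `checked` branch is the same idea as the "corrupted double-linked list" test in production allocators: before trusting a chunk's links, confirm they point back to the chunk, which a forged header written blind from an overflow cannot satisfy.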
Neither Microsoft nor Google explains why the October 2020 CVE-2020-15995 appears again in Thursday’s security bulletins. Typically, that indicates the original fix was incomplete.
Twelve additional bugs in the Chromium browser engine were reported by Google, and Google and Microsoft list the same set of vulnerabilities (CVE-2021-21106, CVE-2021-21107, CVE-2021-21108, CVE-2021-21109, CVE-2021-21110, CVE-2021-21111, CVE-2021-21112, CVE-2021-21113, CVE-2021-21114, CVE-2021-21115, CVE-2021-21116, CVE-2020-16043).
Most of the bugs are rated high severity and are use-after-free bugs. Three earned their reporters $20,000 each. Weipeng Jiang of the Codesafe Team of Legendsec at Qi’anxin Group is credited with two of them (CVE-2021-21106 and CVE-2021-21107): the first a use-after-free in Chromium’s autofill component, the second a use-after-free in its media component.
Leecraso and Guang Gong of 360 Alpha Lab earned $20,000 for CVE-2021-21108, also a use-after-free bug in the media component.
No technical details were disclosed, and typically none are until it is determined that most Chrome installations have been updated.