ChromeOS Remote Memory Corruption Flaw

Microsoft identified a memory corruption vulnerability in ChromeOS triggered remotely, which could allow attackers to carry out either a denial-of-service (DoS) or remote code execution (RCE).

Researchers mention that the flaw could be remotely triggered by manipulating audio metadata. Attackers would have tempted the users by simply playing a new song in a browser or from a paired Bluetooth device, or leveraged adversary-in-the-middle (AiTM) capabilities to exploit the vulnerability remotely.

EHA

The critical flaw is tracked as CVE-2022-2587 (CVSS score of 9.8) and the flaw was patched in June. 

Security Features on ChromeOS

In general, ChromeOS is a Linux-based operating system derived from the open-source Chromium OS and uses the Google Chrome web browser as its principal user interface. It runs on Chromebooks, Chromeboxes, Chromebits, and Chromebases.

  • Hardened sandbox (called minijail)
  • Verified boot
  • Locked-down filesystem (mounted with noexec, nosuid, nodev) and dm-verity
  • Root user restrictions (SECURE_NOROOT)
  • When development mode is entered, all locally stored data is wiped

ChromeOS Vulnerabilities Fall into One of Three Different Classes:

  • ChromeOS-specific logic vulnerabilities
  • ChromeOS-specific memory-corruption vulnerabilities
  • Broader threats such as Chrome browser vulnerabilities

The discovered vulnerability falls under the second class, ChromeOS-specific memory-corruption vulnerabilities.

“It was clear that the vulnerability could be triggered via changes to the audio metadata”, Researchers from Microsoft

Researchers state two interesting cases that could both be triggered remotely:

  • From the browser: the browser’s media component invokes the function when metadata is changed, such as when playing a new song in the browser.
  • From Bluetooth: the media session service in the operating system invokes the function when a song’s metadata changes, which can happen when playing a new song from a paired Bluetooth device.

Call tree displaying how the browser or Bluetooth media metadata changes ultimately trigger the vulnerable function

The flaw was identified in the CRAS (ChromiumOS Audio Server) component and could be triggered using malformed metadata associated with songs.

According to Microsoft, “The impact of heap-based buffer overflow ranges from simple DoS to full-fledged RCE.”

“Although it’s possible to allocate and free chunks through media metadata manipulation, performing the precise heap-grooming is not trivial in this case and attackers would need to chain the exploit with other vulnerabilities to successfully execute any arbitrary code”.

How to Defend Against the Evolving Threat?

Microsoft suggests organizations strictly monitor all devices and operating systems across platforms, including unmanaged devices. 

Microsoft Defender for Endpoint’s device discovery capabilities helps out organizations locate unmanaged devices, including those running ChromeOS, and discover if they are being operated by attackers when they start performing network interactions with servers and other managed devices.

Download Free SWG – Secure Web Filtering – E-book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.