Cyber Security News

ChromeOS Remote Memory Corruption Flaw Let Attackers Perform DoS Attack

Microsoft has identified a remotely triggerable memory corruption vulnerability in ChromeOS that could allow an attacker to cause a denial of service (DoS) or, with further work, achieve remote code execution (RCE).

The researchers found that the flaw could be triggered remotely by manipulating audio metadata. An attacker could reach it by luring a user into playing a new song in the browser or from a paired Bluetooth device, or by using adversary-in-the-middle (AiTM) capabilities to alter the metadata in transit.

The critical flaw is tracked as CVE-2022-2587 (CVSS score of 9.8) and was patched in June 2022.

Security Features on ChromeOS

ChromeOS is a Linux-based operating system derived from the open-source Chromium OS that uses the Google Chrome web browser as its principal user interface. It runs on Chromebooks, Chromeboxes, Chromebits, and Chromebases, and ships with several platform-level defenses:

  • Hardened sandbox (called minijail)
  • Verified boot
  • Locked-down filesystem (mounted with noexec, nosuid, nodev) and dm-verity
  • Root user restrictions (SECURE_NOROOT)
  • When development mode is entered, all locally stored data is wiped

Microsoft groups ChromeOS vulnerabilities into three classes:

  • ChromeOS-specific logic vulnerabilities
  • ChromeOS-specific memory-corruption vulnerabilities
  • Broader threats such as Chrome browser vulnerabilities

The discovered vulnerability falls under the second class, ChromeOS-specific memory-corruption vulnerabilities.

“It was clear that the vulnerability could be triggered via changes to the audio metadata,” researchers from Microsoft wrote.

The researchers describe two paths by which the vulnerable function can be reached remotely:

  • From the browser: the browser’s media component invokes the function when metadata is changed, such as when playing a new song in the browser.
  • From Bluetooth: the media session service in the operating system invokes the function when a song’s metadata changes, which can happen when playing a new song from a paired Bluetooth device.

Figure: Call tree showing how browser or Bluetooth media metadata changes ultimately reach the vulnerable function.

The flaw lies in the CRAS (ChromiumOS Audio Server) component and is a heap-based buffer overflow that can be triggered with malformed metadata attached to a song.

According to Microsoft, “The impact of heap-based buffer overflow ranges from simple DoS to full-fledged RCE.”

“Although it’s possible to allocate and free chunks through media metadata manipulation, performing the precise heap-grooming is not trivial in this case and attackers would need to chain the exploit with other vulnerabilities to successfully execute any arbitrary code,” the researchers added.
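To make the bug class concrete, the following added example (written for this article, not CRAS's own code, and with hypothetical field names and sizes) contrasts the vulnerable pattern, an unbounded copy of caller-controlled metadata strings into a fixed-size heap record, with a hardened form that validates each field's length before copying and rejects the whole update if any field does not fit. The oversized title is constructed inline to stand in for the "malformed metadata" the article describes.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative fixed-size metadata record kept on the heap. The field
 * names and sizes are assumptions for this example, not CRAS's real layout. */
#define META_FIELD_LEN 64

struct media_metadata {
    char title[META_FIELD_LEN];
    char artist[META_FIELD_LEN];
    char album[META_FIELD_LEN];
};

/* Vulnerable pattern: strcpy() copies until it sees a NUL, so a title
 * longer than META_FIELD_LEN-1 bytes runs into the neighbouring fields
 * and, past the end of the struct, into the allocator's bookkeeping for
 * the next heap chunk. That is the DoS-to-RCE range the article quotes. */
void metadata_update_unsafe(struct media_metadata *m,
                            const char *title, const char *artist,
                            const char *album)
{
    strcpy(m->title, title);    /* no length check on any field */
    strcpy(m->artist, artist);
    strcpy(m->album, album);
}

/* Hardened helper: bounded length check before the copy. Returns 0 on
 * success, -1 if src (plus its NUL) would not fit in dst. strnlen() never
 * reads more than dst_len bytes, so an unterminated source is safe too. */
static int copy_field(char *dst, size_t dst_len, const char *src)
{
    size_t n = strnlen(src, dst_len);
    if (n >= dst_len)
        return -1;              /* would overflow: refuse the field */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened update: stage into a local copy so that a rejected field
 * leaves the live record untouched. Returns 0 on success, -1 on reject. */
int metadata_update_safe(struct media_metadata *m,
                         const char *title, const char *artist,
                         const char *album)
{
    struct media_metadata tmp;
    memset(&tmp, 0, sizeof tmp);
    if (copy_field(tmp.title,  sizeof tmp.title,  title)  ||
        copy_field(tmp.artist, sizeof tmp.artist, artist) ||
        copy_field(tmp.album,  sizeof tmp.album,  album))
        return -1;
    *m = tmp;
    return 0;
}

/* Same fit check the safe path applies, exposed for callers that want to
 * validate a field without touching a record. */
int metadata_field_fits(const char *field)
{
    return strnlen(field, META_FIELD_LEN) < META_FIELD_LEN;
}

/* Constructed malformed metadata: a 200-byte title, far beyond any field. */
char *make_oversized_title(void)
{
    char *t = malloc(201);
    if (!t)
        return NULL;
    memset(t, 'A', 200);
    t[200] = '\0';
    return t;
}

int main(void)
{
    struct media_metadata *m = calloc(1, sizeof *m);
    char *bad = make_oversized_title();
    if (!m || !bad)
        return 1;

    /* A benign update is accepted. */
    metadata_update_safe(m, "Track 1", "Artist", "Album");

    /* The malformed update is refused and the record keeps its old values.
     * Passing the same arguments to metadata_update_unsafe() instead would
     * overwrite the heap beyond *m. */
    int rc = metadata_update_safe(m, bad, "Artist", "Album");
    printf("hardened path %s the oversized title; title is still \"%s\"\n",
           rc ? "rejected" : "accepted", m->title);

    free(bad);
    free(m);
    return 0;
}
```

The staging copy matters in practice: a checker that validates fields one at a time while writing them in place can leave a half-updated record behind when the second or third field is rejected, which is its own source of inconsistent state. Rejecting, rather than silently truncating, also keeps the displayed metadata honest.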

How to Defend Against the Evolving Threat?

The first step is to confirm that ChromeOS devices have received the June 2022 update that fixes CVE-2022-2587. Beyond that, Microsoft recommends that organizations monitor all devices and operating systems across platforms, including unmanaged devices.

Microsoft Defender for Endpoint’s device discovery capabilities help organizations locate unmanaged devices, including those running ChromeOS, and surface signs of attacker control once such devices begin interacting with servers and other managed devices on the network.


Guru

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
