ChromeOS Remote Memory Corruption Flaw Let Attackers Perform DoS Attack

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing
Microsoft identified a memory corruption vulnerability in ChromeOS triggered remotely, which could allow attackers to carry out either a denial-of-service (DoS) or remote code execution (RCE).

Researchers mention that the flaw could be remotely triggered by manipulating audio metadata. Attackers would have tempted the users by simply playing a new song in a browser or from a paired Bluetooth device, or leveraged adversary-in-the-middle (AiTM) capabilities to exploit the vulnerability remotely.

The critical flaw is tracked as CVE-2022-2587 (CVSS score of 9.8) and the flaw was patched in June.

Security Features on ChromeOS

In general, ChromeOS is a Linux-based operating system derived from the open-source Chromium OS and uses the Google Chrome web browser as its principal user interface. It runs on Chromebooks, Chromeboxes, Chromebits, and Chromebases.

Call tree displaying how the browser or Bluetooth media metadata changes ultimately trigger the vulnerable function

The flaw was identified in the CRAS (ChromiumOS Audio Server) component and could be triggered using malformed metadata associated with songs.

According to Microsoft, “The impact of heap-based buffer overflow ranges from simple DoS to full-fledged RCE.”

“Although it’s possible to allocate and free chunks through media metadata manipulation, performing the precise heap-grooming is not trivial in this case and attackers would need to chain the exploit with other vulnerabilities to successfully execute any arbitrary code”.

How to Defend Against the Evolving Threat?

Microsoft suggests organizations strictly monitor all devices and operating systems across platforms, including unmanaged devices.

Microsoft Defender for Endpoint’s device discovery capabilities helps out organizations locate unmanaged devices, including those running ChromeOS, and discover if they are being operated by attackers when they start performing network interactions with servers and other managed devices.