Published in News

ChromeOS had severe security vulnerability

23 August 2022


Pointed out by Microsoft 

Microsoft has found a severe ChromeOS security vulnerability and even told Google about it in April.

The bug was promptly fixed; the fix was merged into the ChromeOS code and, about a month later, shipped to users on June 15, 2022. Redmond detailed the whole thing in a report released on Friday.

What is funny about the vulnerability is that it was really bad, that it existed because of sloppy Google coding, and that it is usually Google's Project Zero group pointing to bugs in Microsoft software, not the other way round.

Google has also been particularly nasty when it finds flaws in other vendors' software. Project Zero normally discloses bugs 90 days after reporting them, whether or not a patch has been released. While this did mean that companies responded to security flaws quicker, sometimes the rushed patches were worse than the bugs.

The ChromeOS memory corruption vulnerability – CVE-2022-2587 – was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem follows from the use of D-Bus, an Inter-Process-Communication (IPC) mechanism used in Linux.

A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity, which accepts a string argument called identity as its input. And the function's C code calls out to strcpy in the standard library. Yes, strcpy, which is a dangerous function.

"To the experienced security engineer, the mention of the strcpy function immediately raises red flags. The strcpy function is known to cause various memory corruption vulnerabilities since it doesn’t perform any bounds check and is therefore considered unsafe. As there are no bounds checks on the user-supplied identity argument before invoking strcpy (besides the default message length limitations for D-Bus messages), we were confident we could trigger a heap-based buffer overflow, therefore triggering a memory corruption vulnerability."
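To make the pattern concrete, here is a small C illustration of the bug class described above: a fixed-size heap buffer filled by strcpy from a caller-controlled string, next to a bounded replacement that rejects input which does not fit. This is an added example, not the CRAS source and not Microsoft's proof of concept; the struct layout, the IDENTITY_MAX value and the function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the example; CRAS's real value is not stated on the page. */
#define IDENTITY_MAX 32

/* Hypothetical player record. When allocated with malloc, an overflow of
 * identity[] spills into playback_state and whatever follows it on the heap. */
struct player {
    char identity[IDENTITY_MAX];
    int  playback_state;
};

/* The vulnerable pattern: strcpy copies until the source's NUL byte, so a
 * caller-supplied identity longer than IDENTITY_MAX - 1 writes past the buffer.
 * Only ever call this with input known to fit; it exists here for comparison. */
void set_player_identity_unsafe(struct player *p, const char *identity)
{
    strcpy(p->identity, identity);
}

/* How many bytes strcpy would write beyond identity[] for this input
 * (0 means the copy, including its NUL terminator, fits). */
size_t overflow_bytes(const char *identity)
{
    size_t needed = strlen(identity) + 1;   /* +1 for the terminator */
    return needed > IDENTITY_MAX ? needed - IDENTITY_MAX : 0;
}

/* Hardened version: check the length before touching the buffer, leave the
 * record untouched and report failure when the input is too long. */
bool set_player_identity_safe(struct player *p, const char *identity)
{
    size_t len = strlen(identity);
    if (len >= IDENTITY_MAX)
        return false;                       /* no room for data + NUL */
    memcpy(p->identity, identity, len + 1); /* bounded copy incl. NUL */
    return true;
}

int main(void)
{
    struct player *p = calloc(1, sizeof *p);
    if (!p)
        return 1;
    p->playback_state = 1;

    /* Constructed inputs: one that fits and one that would overflow by 32 bytes. */
    const char *ok_id = "spotify";
    char long_id[64];
    memset(long_id, 'A', sizeof long_id - 1);
    long_id[sizeof long_id - 1] = '\0';

    set_player_identity_unsafe(p, ok_id);   /* fits, so no overflow here */
    printf("unsafe copy of \"%s\": state=%d\n", p->identity, p->playback_state);
    printf("strcpy of %zu-byte identity would overflow by %zu bytes\n",
           strlen(long_id), overflow_bytes(long_id));
    printf("safe set with long input: %s (identity still \"%s\", state=%d)\n",
           set_player_identity_safe(p, long_id) ? "accepted" : "rejected",
           p->identity, p->playback_state);

    free(p);
    return 0;
}
```

The D-Bus message size limit mentioned in the quote bounds the argument only at the transport level; it is far larger than any sensible identity buffer, so the length check has to happen in the service itself, as the safe variant does.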

Bar Or allows that, while turning this bug into a remote code execution exploit would take a lot of work, it is dangerous enough to justify Google's rapid response.

"We were impressed with the speed of the fix and the effectiveness of the overall process. Within less than a week, the code was committed and, after several merges, made generally available to users. We thank the Google team and the Chromium community for their efforts in addressing the issue."

 

Last modified on 23 August 2022