| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Jan 2018 11:05:14 -0500 From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com> To: fulldisclosure@...lists.org Subject: [FD] ChromeOS Doesn’t Always Use SSL During Startup [CVE-2017-15397] [Original at: https://wwws.nightwatchcybersecurity.com/2018/01/01/chromeos-doesnt-always-use-ssl-during-startup-cve-2017-15397/] SUMMARY ChromeOS did not use SSL in all network calls originating from the ChromeVox component during startup. This could potentially have allowed an MITM attacker to inject content into ChromeOS or crash the device. The vendor (Google) fixed this issue in Chrome M62. Google has assigned CVE-2017-15397 to track this issue. DETAILS ChromeOS is the operating system developed by Google that runs on ChromeBook devices. It is build on top of Linux and around the Chrome browser. By monitoring network traffic using a proxy we noticed that some network calls originating from the ChromeVox component did not use SSL. These calls occured during the startup process before a user logged in. Because these calls did not use SSL, it would be possible for an MITM attacker, in theory, to either inject their own content into ChromeOS, or crash the device by sending a very large packet. We did not conduct any follow-up testing to confirm either of these two possibilities. To reproduce: 1. Setup a proxy with WiFi. 2. Switch ChromeOS device to use proxy. 3. Restart the device and on the login screen enable ChromeVox. 4. Observe calls to HTTP without SSL. All testing was done on an Acer ChromeBook, running Chrome version 51.0.2704.106 *stable) and ChromeOS version 8172.62.0 (stable). VENDOR RESPONSE This issue was responsibly reported to the vendor via the Chromium bug tracker. The vendor fixed this issue in ChromeOS release M62 and assigned CVE-2017-15397 to track it. REFERENCES CVE ID: CVE-2017-15397 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15397 Chromium Bug # 627300 - https://bugs.chromium.org/p/chromium/issues/detail?id=627300 Bounty Information This bug qualified for a bounty under the terms of the Google Chrome Rewardsbounty program, and a bounty payment has been received. Credits Advisory written by Yakov Shafranovich. Timeline 2016-07-12: Initial report to the vendor 2017-09-18: Issue patched by the vendor 2017-10-26: CVE assigned by the vendor 2018-01-01: Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists