Microsoft publicly discloses details on critical ChromeOS flaw

Pierluigi Paganini August 23, 2022

Microsoft shared technical details of a critical ChromeOS flaw that could be exploited to trigger a DoS condition or for remote code execution.

Microsoft shared details of a critical ChromeOS vulnerability tracked as CVE-2022-2587 (CVSS score of 9.8). The flaw is an out-of-bounds write issue in OS Audio Server that could be exploited to trigger a DoS condition or, under specific circumstances, to achieve remote code execution.

“Microsoft discovered a memory corruption vulnerability in a ChromeOS component that can be triggered remotely, allowing attackers to perform either a denial-of-service (DoS) or, in extreme cases, remote code execution (RCE).” reads the advisory published by Microsoft.

Microsoft reported the issue to Google in April 2022 as a part of the Chromium bug tracking system.

Google addressed the vulnerability in June, an attacker can trigger the flaw using malformed metadata associated with the songs.

Microsoft discovered a function in the server that did not check a user-supplied ‘identity’ argument, leading to a heap-based buffer overflow.

The OS Audio Server contains a method that extracts the ‘identity’ from metadata representing a song’s title. An attacker can trigger the flaw by modifying the audio metadata either from the browser or via Bluetooth when a new song is being played.

“we discovered the vulnerability could be remotely triggered by manipulating audio metadata. Attackers could have lured users into meeting these conditions, such as by simply playing a new song in a browser or from a paired Bluetooth device, or leveraged adversary-in-the-middle (AiTM) capabilities to exploit the vulnerability remotely.” continues the advisory. “The impact of heap-based buffer overflow ranges from simple DoS to full-fledged RCE. Although it’s possible to allocate and free chunks through media metadata manipulation, performing the precise heap-grooming is not trivial in this case and attackers would need to chain the exploit with other vulnerabilities to successfully execute any arbitrary code.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ChromeOS)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment