Microsoft publicly discloses details on critical ChromeOS flaw

Microsoft shared technical details of a critical ChromeOS flaw that could be exploited to trigger a DoS condition or for remote code execution.

Microsoft shared details of a critical ChromeOS vulnerability tracked as CVE-2022-2587 (CVSS score of 9.8). The flaw is an out-of-bounds write issue in OS Audio Server that could be exploited to trigger a DoS condition or, under specific circumstances, to achieve remote code execution.

“Microsoft discovered a memory corruption vulnerability in a ChromeOS component that can be triggered remotely, allowing attackers to perform either a denial-of-service (DoS) or, in extreme cases, remote code execution (RCE).” reads the advisory published by Microsoft.

Microsoft reported the issue to Google in April 2022 as a part of the Chromium bug tracking system.

Google addressed the vulnerability in June, an attacker can trigger the flaw using malformed metadata associated with the songs.

Microsoft discovered a function in the server that did not check a user-supplied ‘identity’ argument, leading to a heap-based buffer overflow.

The OS Audio Server contains a method that extracts the ‘identity’ from metadata representing a song’s title. An attacker can trigger the flaw by modifying the audio metadata either from the browser or via Bluetooth when a new song is being played.

“we discovered the vulnerability could be remotely triggered by manipulating audio metadata. Attackers could have lured users into meeting these conditions, such as by simply playing a new song in a browser or from a paired Bluetooth device, or leveraged adversary-in-the-middle (AiTM) capabilities to exploit the vulnerability remotely.” continues the advisory. “The impact of heap-based buffer overflow ranges from simple DoS to full-fledged RCE. Although it’s possible to allocate and free chunks through media metadata manipulation, performing the precise heap-grooming is not trivial in this case and attackers would need to chain the exploit with other vulnerabilities to successfully execute any arbitrary code.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ChromeOS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.