Google Chrome users who were relieved by patching the recent zero-day advisory were taken aback by news of yet another PoC exploit, posted on Twitter by a security researcher known as Frust. It affects the then-current version of Chrome, 89.0.4389.128, which was itself the fix for the first zero-day vulnerabilities of the week. The reporters claim that current versions of Microsoft Edge and other Chromium-based browsers are also vulnerable to the attack. This zero-day has not yet been assigned a CVE but is tracked as Chromium issue 1195777. The PoC is also available on GitHub, together with a video demonstrating remote code execution on Google Chrome 89.0.4389.128: triggering the issue opens the Windows Notepad application. Vulnerabilities like these need to be tracked with a vulnerability management tool.
This PoC exploit came to notice shortly after the first Chrome advisory of the week, which fixed two zero-day vulnerabilities: CVE-2021-21206 and CVE-2021-21220. The Indian security researcher Rajvardhan Agarwal had released a PoC related to these two CVEs and announced its availability on Twitter. A patch management tool can patch these CVEs.
Zero-Day PoC exploit CVE-2021-21206
Google Chrome's browser engine Blink is the vulnerable component; Blink renders HTML code into the web page the user sees. The issue, a use-after-free bug, was reported by an anonymous researcher on 2021-04-07.
Zero-Day PoC exploit CVE-2021-21220
Google Chrome's JavaScript engine V8 for x86_64 is the vulnerable component; V8 compiles scripts into native machine code at run time rather than interpreting them. The issue, insufficient validation of untrusted input, was reported by Bruno Keith (@bkth_) and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI (ZDI-CAN-13569) on 2021-04-07.
Google added in the advisory,
Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild.
The Frust PoC, like the other recent remote code execution PoCs, does not escape Chromium's sandbox, the security feature that prevents a compromised renderer from executing code on, or accessing files of, the host computer. An attacker would need to chain these renderer bugs with a separate sandbox escape exploit for an attack to succeed. Google released another Chrome advisory on April 14th, which fixed around 37 security vulnerabilities in version 90.0.4430.72; this advisory also did not mention the Frust RCE zero-day, issue 1195777. Unless users disable the sandbox (for example by launching the browser with --no-sandbox), the Frust zero-day in its default state cannot harm them. Chrome users may have to wait some time for details of this particular vulnerability to be published.
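As an added example (not from the original article, nor from any of the researchers or vendors mentioned), the following POSIX shell script performs the two checks the paragraph above implies: whether an installed Chrome build is older than 89.0.4389.128, the build that fixed CVE-2021-21206 and CVE-2021-21220, and whether any running Chrome process was launched with --no-sandbox. The version strings and the process listing it inspects are constructed sample data; on a real host you would feed it the output of `google-chrome --version` and `ps -eo args`.

```shell
#!/bin/sh
# Added example (not from the original article): check an installed
# Chrome/Chromium build against the fixed build and look for running
# instances started with --no-sandbox. All inputs below are constructed.

FIXED_VERSION="89.0.4389.128"   # build that fixed CVE-2021-21206 / CVE-2021-21220

# Returns 0 if dotted version $1 is numerically older than $2 (up to four parts).
version_older() {
  i=1
  while [ "$i" -le 4 ]; do
    a=$(printf '%s' "$1" | cut -d. -f"$i")
    b=$(printf '%s' "$2" | cut -d. -f"$i")
    a=${a:-0}; b=${b:-0}
    if [ "$a" -lt "$b" ]; then return 0; fi
    if [ "$a" -gt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Returns 0 if any command line on stdin (e.g. from `ps -eo args`) runs
# chrome/chromium with the --no-sandbox switch.
sandbox_disabled() {
  grep -E '(chrome|chromium)[^ ]* .*--no-sandbox' >/dev/null
}

# Constructed sample process listing: one renderer launched without the sandbox.
SAMPLE_PS='/usr/bin/bash
/opt/google/chrome/chrome --type=renderer --no-sandbox --lang=en-US
/usr/bin/sshd'

# check_host <installed-version> <process-listing>: returns 1 if either
# condition is found, 0 otherwise, printing a line per finding.
check_host() {
  installed="$1"
  listing="$2"
  status=0
  if version_older "$installed" "$FIXED_VERSION"; then
    echo "VULNERABLE: Chrome $installed is older than $FIXED_VERSION"
    status=1
  fi
  if printf '%s\n' "$listing" | sandbox_disabled; then
    echo "WARNING: a Chrome process is running with --no-sandbox"
    status=1
  fi
  return $status
}

# Demo run on the constructed data: an unpatched build plus a sandbox-less renderer.
if check_host "89.0.4389.114" "$SAMPLE_PS"; then
  echo "OK: patched build and sandbox enabled"
fi
```

Both findings matter independently: a patched build still exposes the renderer bugs if the sandbox is disabled only in the sense that a renderer compromise then reaches the host directly, and an unpatched build behind an intact sandbox still needs a separate escape before the attacker can do more than run code inside the renderer.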
Affected Products by PoC exploit
Google Chrome versions before 89.0.4389.128 (CVE-2021-21206 and CVE-2021-21220); the Frust PoC additionally affects 89.0.4389.128 itself.
The use-after-free (CVE-2021-21206) and insufficient validation of untrusted input (CVE-2021-21220) vulnerabilities allow an attacker to execute arbitrary code on the affected system, within the renderer sandbox unless chained with a sandbox escape.
Google has released security updates addressing these issues in Google Chrome version 89.0.4389.128.
SanerNow detects these vulnerabilities and automatically fixes them by applying the security updates. Use SanerNow to keep your systems updated and secure.