High-Severity Remote Code Execution Vulnerability in Google Chrome

A high-severity use-after-free vulnerability, tracked as CVE-2020-6492 with a CVSSv3 base score of 8.3, exists in the WebGL (Web Graphics Library) component of the Google Chrome web browser and could be used to execute arbitrary code in the context of the browser process.

Aug 25, 2020 | By Jithendra R | 2 min read

WebGL (Web Graphics Library) is a JavaScript API for rendering high-performance interactive 3D and 2D graphics within any compatible web browser without using plug-ins. A use-after-free, identified as CWE-416 by MITRE, is an attempt to access a memory block after it has been freed, which leads to a crash, use of unexpected values, or execution of arbitrary code.

An attacker who exploits these vulnerabilities by redirecting a user to a specially crafted webpage can disclose sensitive information, bypass security restrictions, crash the application, or even execute arbitrary code in the context of the browser.

Vulnerability Details:

The CVE-2020-6492 vulnerability was discovered by Cisco Talos’ research engineer Marcin Towalski. The vulnerability arises when a WebGL component fails to properly handle objects in memory. It specifically resides in ANGLE, a compatibility layer between OpenGL and Direct3D that the Chrome browser uses on Windows systems.

To exploit the vulnerability, an attacker could manipulate the memory layout of the browser in a way that gives them control of the use-after-free flaw, which could ultimately lead to arbitrary code execution.

According to the vulnerability advisory released by the researchers, the issue exists in a function of ANGLE called “State::syncTextures”, which is responsible for checking if the texture has any so-called DirtyBits. These are “bitsets” indicating if a specific state value, associated with a block of computer memory, has been changed.

An attacker could use a function called “drawArraysInstanced” to execute the vulnerable code. When the texture object tries to sync state through the ‘Texture::syncState’ function, it creates a use-after-free condition. This can cause the program to crash or can potentially result in the execution of arbitrary code.
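
The following is an added example, not code from the original article or from ANGLE: a simplified C model of a dirty-bit sync loop, showing how generation-checked handles keep a sync pass from touching a texture that was released earlier. All names (`tex_create`, `sync_textures`, the pool layout) and the delete-while-dirty scenario are constructed for illustration and do not reproduce the actual bug or its fix.

```c
/* Simplified model, not ANGLE's code: a dirty-bit sync pass that resolves
 * generation-checked handles instead of holding raw texture pointers. */
#include <stdint.h>
#include <stdio.h>

#define MAX_TEX 8
typedef struct { uint32_t gen; int live; int synced; } Texture; /* pool slot */
typedef struct { uint32_t idx, gen; } Handle;                   /* weak ref  */

static Texture  pool[MAX_TEX];   /* slots are reused, never freed          */
static Handle   bound[MAX_TEX];  /* texture bound to each texture unit     */
static uint32_t dirty;           /* bit i set => unit i needs a state sync */

/* NULL if the texture was deleted or its slot was reused since h was made. */
Texture *tex_resolve(Handle h) {
    return (h.idx < MAX_TEX && pool[h.idx].live && pool[h.idx].gen == h.gen)
               ? &pool[h.idx] : NULL;
}
Handle tex_create(uint32_t idx) {
    if (idx >= MAX_TEX) return (Handle){ MAX_TEX, 0 };  /* never resolves */
    pool[idx].live = 1; pool[idx].synced = 0;
    return (Handle){ idx, pool[idx].gen };
}
/* Deleting bumps the generation, so every outstanding handle goes stale. */
void tex_delete(Handle h) {
    Texture *t = tex_resolve(h);
    if (t) { t->live = 0; t->gen++; }
}
void bind_texture(unsigned unit, Handle h) {
    if (unit >= MAX_TEX) return;
    bound[unit] = h; dirty |= 1u << unit;
}
/* Walk the dirty bits; sync live textures, skip stale ones. Returns #skipped. */
int sync_textures(void) {
    int skipped = 0;
    for (unsigned u = 0; u < MAX_TEX; u++) {
        if (!(dirty & (1u << u))) continue;
        Texture *t = tex_resolve(bound[u]);
        if (t) t->synced = 1; else skipped++;
        dirty &= ~(1u << u);
    }
    return skipped;
}
int main(void) {
    Handle a = tex_create(0), b = tex_create(1);   /* constructed scenario */
    bind_texture(0, a); bind_texture(1, b);
    tex_delete(a);                 /* released while its unit is still dirty */
    printf("stale bindings skipped: %d\n", sync_textures());
    return 0;
}
```
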

Affected products
Google Chrome versions 85.0.4183.83 and prior.

Impact
This vulnerability could allow a remote attacker to execute arbitrary code on the affected systems.

Solution
CVE-2020-6492 was expected to be fixed in the latest Chrome 85 release, but based on the Chrome release updates, we could not confirm whether the vulnerability was addressed.
