03.07.19

Vulnerability SPOT Report

Google Chrome FileReader Vulnerability

By Dave Farquhar

Several days after quietly patching Chrome, Google warned users to update it “right this minute” because of reports that an exploit exists. Remediate by upgrading to version 72.0.3626.121 or higher immediately.

Overview

On March 1, 2019, Google quietly patched Chrome, then announced days later the update had fixed CVE-2019-5786, a vulnerability discovered by Google researcher Clement Lecigne in February 2019. Google made the announcement due to the existence of exploits in the wild. Google rates the issue as high severity.

Neither MITRE nor NIST has a write-up for this CVE in its database at the time of this writing. Searching for CVE-2019-5786 at either site retrieves a placeholder page.

As of March 12, 2019, CVE-2019-5786 and CVE-2019-0808 are being exploited alongside each other to create APT attacks on end users running Windows 7 and Windows Server 2008.

Technical Overview

CVE-2019-5786 is a use-after-free memory flaw in Chrome’s FileReader API. Depending on how it is triggered, it allows an attacker either to run arbitrary code outside of Chrome’s security sandbox or to crash the browser. The FileReader API is the browser interface that lets web content read the contents of locally stored files.

An attacker can use this flaw by placing the exploit on a specially crafted web page and getting would-be victims to view it.

CVE-2019-0808 affects the Windows Win32k component and is being exploited by an authenticated attacker to elevate privileges and execute arbitrary code in kernel mode. Researchers have disclosed a step-by-step proof-of-concept (PoC) showing how the two vulnerabilities can be chained together. The researchers expect the disclosure to lead to a noticeable increase in attacks.

Attackers are chaining CVE-2019-5786 and CVE-2019-0808 in APT attacks.

Potential Impact

For CVE-2019-5786, the attacker can run arbitrary code on your machine. The potential impact is nearly limitless, and includes loss or destruction of data, system outages, and malicious code running on your systems.

While the most likely target of this flaw is Windows systems, the flaw exists in all versions of Chrome for all operating systems.

Attackers have been combining CVE-2019-5786 with CVE-2019-0808, a memory flaw in Microsoft Windows’ Win32k component that allows elevation of privilege to kernel mode. This allows an attacker to gain persistence on the machine. Microsoft patched CVE-2019-0808 as part of its March 2019 Patch Tuesday updates. The Chinese security firm Qihoo 360 published details of these attacks on March 14, 2019.

What You Should Do

For CVE-2019-5786, update to Chrome version 72.0.3626.121 or newer as soon as possible. This includes Chrome on other operating systems such as macOS and Linux. To verify the version running on a client, enter the URL chrome://settings/help in the address bar.

To patch CVE-2019-0808, apply Microsoft KB4489878 for Windows 7 or KB4489880 for Windows Server 2008 as soon as possible.

Tenable customers can scan their networks using plugin ID 700422 to detect CVE-2019-5786.

Qualys customers need to use several QIDs depending on the host operating system to detect CVE-2019-5786. The combination of QIDs 371679, 237145, and 176630 will detect CVE-2019-5786 across multiple operating systems. Qualys customers can also navigate to VM > Assets > Application and search for Chrome to see what versions are running in their environment. The list is exportable in CSV format.
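The version check above has a pitfall: Chrome versions must be compared numerically, field by field, because a plain string comparison ranks 72.0.3626.96 above the fixed build 72.0.3626.121. The following script is an added example, not part of the original report or any vendor tool; it parses a constructed CSV in the shape of an exported application inventory (the column names and hostnames are assumptions) and lists hosts still below the fixed version.

```python
import csv
import io

# Minimum fixed Chrome version named in the report.
FIXED_VERSION = "72.0.3626.121"

def parse_version(version: str) -> tuple:
    """Split a dotted Chrome version into a tuple of ints so that
    comparisons are numeric: 72.0.3626.96 sorts below 72.0.3626.121
    (a string comparison would get this wrong, since '9' > '1')."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the patched build."""
    return parse_version(version) < parse_version(fixed)

# Constructed sample resembling an application inventory export.
# Hostnames, column names and the mix of versions are made up here.
SAMPLE_CSV = """\
hostname,application,version
ws-101,Google Chrome,72.0.3626.96
ws-102,Google Chrome,72.0.3626.121
ws-103,Google Chrome,71.0.3578.98
srv-2008-1,Google Chrome,73.0.3683.75
ws-104,Mozilla Firefox,65.0.1
"""

def vulnerable_hosts(csv_text: str) -> list:
    """Return (hostname, version) for Chrome installs older than the fix."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "chrome" not in row["application"].lower():
            continue  # only Chrome entries are relevant to CVE-2019-5786
        if is_vulnerable(row["version"]):
            hits.append((row["hostname"], row["version"]))
    return hits

if __name__ == "__main__":
    for host, ver in vulnerable_hosts(SAMPLE_CSV):
        print(f"{host}: Chrome {ver} is below {FIXED_VERSION}, update required")
```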

Tenable customers can scan their networks using plugin ID 122783 to detect CVE-2019-0808.

Qualys customers can use the QID 91510 to detect CVE-2019-0808.

Windows 10, Windows Server 2012, and Windows Server 2016 are not affected by CVE-2019-0808 because of additional mitigations inherent to those operating systems. Running the newest operating system from Microsoft whenever possible is a best practice.

Chrome provides user feedback indicating when it needs an update by placing an arrow in the upper right corner of its window next to the menu icon, but in limited testing vSOC found the arrow doesn’t necessarily show 100% of the time. An example screenshot appears below.

[Screenshot: Chrome update arrow next to the menu icon]

deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

  • https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/
  • https://www.zdnet.com/article/google-reveals-chrome-zero-day-under-active-attacks/
  • https://www.bleepingcomputer.com/news/security/google-chrome-update-patches-zero-day-actively-exploited-in-the-wild/
  • https://thehackernews.com/2019/03/update-google-chrome-hack.html
  • https://securityaffairs.co/wordpress/82428/hacking/cve-2019-0808-win-flaw.html
  • https://www.securityweek.com/details-actively-exploited-windows-flaw-made-public
  • http://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html

Dave Farquhar

Dave Farquhar is deepwatch’s vulnerability management onboarding engineer. His background includes 10 years of patching experience and 10 years of security experience. After hours, he is a model train enthusiast and a prolific blogger.
