Google Chrome FileReader Vulnerability

By

Several days after quietly patching Chrome, Google warned to update it “right this minute” because of reports that an exploit exists. Remediate by upgrading to version 72.0.3626.121 or higher immediately.

Overview

On March 1, 2019, Google quietly patched Chrome, then announced days later the update had fixed CVE-2019-5786, a vulnerability discovered by Google researcher Clement Lecigne in February 2019. Google made the announcement due to the existence of exploits in the wild. Google rates the issue as high severity.

Neither MITRE nor NIST have write ups for this CVE in their databases at the time of this writing. Searching on CVE-2019-5786 at either site retrieves a placeholder page.

As of March 12, 2019, CVE-2019-5786 and CVE-2019-0808 are being exploited alongside each other to create APT attacks on end users running Windows 7 and Windows Server 2008.

Technical Overview

The CVE-2019-5786 vulnerability exists in Chrome’s FileReader API, and exploits a memory flaw called a Use-After-Free condition that either allows an attacker to run arbitrary code outside of Chrome’s security sandbox or crash the browser. The FileReader API is intended to allow the browser to read and access locally stored files.

An attacker can use this flaw by placing the exploit on a specially crafted web page and getting would-be victims to view it.

The CVE-2019-0808 vulnerability affects a Window32k component and is being exploited by an authenticated attack to elevate privileges and execute arbitrary code in kernel mode. Researcher have disclosed a step-by-step proof-of-concept (POC) to be able to manipulate these vulnerability together. The researchers are expecting to be seeing quite a few attacks due to the fact of the disclosure.

Attackers are using both CVE-2019-5786 and CVE-2019-0808 vulnerabilities alongside each other to cause APT attacks.

Potential Impact

For CVE-2019-5789 the attacker can run arbitrary code on your machine. The potential impact is nearly limitless, and includes loss or destruction of data, system outages, and malicious code running on your systems.

While the most likely target of this flaw is Windows systems, the flaw exists in all versions of Chrome for all operating systems.

Attackers have been combining CVE-2019-5789 with a CVE-2019-0808, a memory flaw in Microsoft Windows’ Win32k components that allows elevation of privilege to kernel mode. This allows an attacker to gain persistence on the machine. Microsoft patched CVE-2019-0808 as part of its March 2019 Patch Tuesday updates. The Chinese security firm Qihoo 360 published details of these attacks on March 14, 2019.

What You Should Do

For CVE-2019-5786, update to Chrome version 72.0.3626.121 or newer as soon as possible. This includes Chrome on other Operating Systems such as macOS and Linux. To verify the version you are running on the client-side, enter the URL chrome://settings/help.

To patch CVE-2019-0808, apply Microsoft KB4489878 for Windows 7 or KB4489880for Windows Server 2008 as soon as possible.

Tenable customers can scan their networks using plugin ID 700422 to detect CVE-2019-5786.

Qualys customers need to use several QIDs depending on the host operating system to detect CVE-2019-5786. The combination of QIDs 371679, 237145, and 176630 will detect CVE-2019-5786 across multiple operating systems. Qualys customers can also navigate to VM > Assets > Application and search for Chrome to see what versions are running in their environment. The list is exportable in CSV format.

Tenable customers can scan their networks using plugin ID 122783 to detect CVE-2019-0808.

Qualys customers can use the QID 91510 to detect CVE-2019-0808.

Windows 10, Windows Server 2012, and Windows Server 2016 are not affected by CVE-2019-0808 because of additional mitigations inherent to those operating systems. Running the newest operating system from Microsoft whenever possible is a best practice.

Chrome provides user feedback indicating when it needs an update by placing an arrow in the upper right corner of its screen next to the menu icon, but in limited testing vSOC found the arrow doesn’t necessarily show 100% of the time. An example screenshot appears below.

 

deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

Subscribe to the deepwatch Insider Blog