
Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2020-069

DATE(S) ISSUED:

05/19/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users: LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of the vulnerabilities are as follows:

  • CVE-2020-6465: Use after free in reader mode.
  • CVE-2020-6466: Use after free in media.
  • CVE-2020-6467: Use after free in WebRTC.
  • CVE-2020-6468: Type Confusion in V8.
  • CVE-2020-6469: Insufficient policy enforcement in developer tools.
  • CVE-2020-6470: Insufficient validation of untrusted input in clipboard.
  • CVE-2020-6471: Insufficient policy enforcement in developer tools.
  • CVE-2020-6472: Insufficient policy enforcement in developer tools.
  • CVE-2020-6473: Insufficient policy enforcement in Blink.
  • CVE-2020-6474: Use after free in Blink.
  • CVE-2020-6475: Incorrect security UI in full screen.
  • CVE-2020-6476: Insufficient policy enforcement in tab strip.
  • CVE-2020-6477: Inappropriate implementation in installer.
  • CVE-2020-6478: Inappropriate implementation in full screen.
  • CVE-2020-6479: Inappropriate implementation in sharing.
  • CVE-2020-6480: Insufficient policy enforcement in enterprise.
  • CVE-2020-6481: Insufficient policy enforcement in URL formatting.
  • CVE-2020-6482: Insufficient policy enforcement in developer tools.
  • CVE-2020-6483: Insufficient policy enforcement in payments.
  • CVE-2020-6484: Insufficient data validation in ChromeDriver.
  • CVE-2020-6485: Insufficient data validation in media router.
  • CVE-2020-6486: Insufficient policy enforcement in navigations.
  • CVE-2020-6487: Insufficient policy enforcement in downloads.
  • CVE-2020-6488: Insufficient policy enforcement in downloads.
  • CVE-2020-6489: Inappropriate implementation in developer tools.
  • CVE-2020-6490: Insufficient data validation in loader.
  • CVE-2020-6491: Incorrect security UI in site information.

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6488
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6489
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6491
