Description Preview
Overview
This vulnerability (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization) affects the stateful recovery feature in Chrome OS. The issue stems from improper handling of symlinks combined with a race condition in the cryptohomed component. The vulnerability allows for persistence of malicious code running with root privileges. An attacker with local access could exploit this vulnerability by using a specially crafted HTML page to execute arbitrary code with elevated privileges, potentially leading to full system compromise. The race condition occurs during resource access operations, allowing an attacker to manipulate the system during a small window of opportunity between operations.
Remediation
Users should update their Chrome OS devices to version 61.0.3163.113 or later, which contains the fix for this vulnerability. Google has addressed this issue in the stable channel update for Chrome OS released in October 2017. System administrators should ensure that all Chrome OS devices within their organization are updated to the patched version. Additionally, standard security practices should be followed, including limiting local access to Chrome OS devices to trusted users only and implementing the principle of least privilege for all user accounts.
References
- Chrome OS Stable Channel Update announcement: https://chromereleases.googleblog.com/2017/10/stable-channel-updates-for-chrome-os.html
- Chrome Bug Tracker issue: https://crbug.com/766276
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization: https://cwe.mitre.org/data/definitions/362.html
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- ManufacturingManufacturing
- Health Care & Social AssistanceHealth Care & Social Assistance
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- InformationInformation
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
