CVE-2020-16043:Insufficient data validation in Google Chrome's networking component allows remote attackers to bypass discretionary access controls.

splash
Back

Description Preview

CVE-2020-16043 affects Google Chrome versions prior to 87.0.4280.141. The vulnerability stems from insufficient data validation in the networking component of Chrome, which could allow a remote attacker to bypass discretionary access control mechanisms through specially crafted network traffic. This could potentially lead to unauthorized access to resources that should be protected by access controls.

Overview

This vulnerability in Google Chrome's networking component represents a security flaw where input data is not properly validated. When exploited, an attacker can bypass discretionary access controls (DAC), which are security mechanisms that restrict access to objects based on the identity of subjects and/or groups to which they belong. The issue affects all Chrome installations prior to version 87.0.4280.141 across multiple platforms. The exact technical details of the exploitation method have not been publicly disclosed, as the bug report (crbug.com/1148309) requires special permissions to access.

Remediation

Users and administrators should take the following actions to mitigate this vulnerability:

  1. Update Google Chrome to version 87.0.4280.141 or later.
  2. For managed environments, ensure that automatic updates are enabled or deploy the updated version through your standard software distribution mechanisms.
  3. If immediate updating is not possible, consider implementing network-level controls to restrict potentially malicious network traffic.
  4. Users of Fedora, Debian, and Gentoo Linux distributions should apply their respective security updates as referenced in the advisory links.
  5. Verify the update was successful by checking Chrome's version (Help > About Google Chrome).

References

  1. Google Chrome Release Blog: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html
  2. Chrome Bug Tracker (restricted access): https://crbug.com/1148309
  3. Fedora Security Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWIJKZTZTG6G475OR6PP4WPQBVM6PS/
  4. Additional Fedora Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6P6AVVFP7B2M4H7TJQBASRZIBLOTUFN/
  5. Gentoo Linux Security Advisory: https://security.gentoo.org/glsa/202101-05
  6. Debian Security Advisory: https://www.debian.org/security/2021/dsa-4832

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Public Administration: Medium
    Public Administration
  3. Health Care & Social Assistance: Medium
    Health Care & Social Assistance
  4. Educational Services: Medium
    Educational Services
  5. Transportation & Warehousing: Medium
    Transportation & Warehousing
  6. Retail Trade: Medium
    Retail Trade
  7. Finance and Insurance: Medium
    Finance and Insurance
  8. Professional, Scientific, & Technical Services: Medium
    Professional, Scientific, & Technical Services
  9. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  10. Utilities: Low
    Utilities
  11. Information: Low
    Information
  12. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  13. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  14. Accommodation & Food Services: Low
    Accommodation & Food Services
  15. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  16. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  17. Construction: Low
    Construction
  18. Mining: Low
    Mining
  19. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background