CVE-2020-16043:Insufficient data validation in Google Chrome's networking component allows remote attackers to bypass discretionary access controls.

splash
Back

Description Preview

CVE-2020-16043 affects Google Chrome versions prior to 87.0.4280.141. The vulnerability stems from insufficient data validation in the networking component of Chrome, which could allow a remote attacker to bypass discretionary access control mechanisms through specially crafted network traffic. This could potentially lead to unauthorized access to resources that should be protected by access controls.

Overview

This vulnerability in Google Chrome's networking component represents a security flaw where input data is not properly validated. When exploited, an attacker can bypass discretionary access controls (DAC), which are security mechanisms that restrict access to objects based on the identity of subjects and/or groups to which they belong. The issue affects all Chrome installations prior to version 87.0.4280.141 across multiple platforms. The exact technical details of the exploitation method have not been publicly disclosed, as the bug report (crbug.com/1148309) requires special permissions to access.

Remediation

Users and administrators should take the following actions to mitigate this vulnerability:

  1. Update Google Chrome to version 87.0.4280.141 or later.
  2. For managed environments, ensure that automatic updates are enabled or deploy the updated version through your standard software distribution mechanisms.
  3. If immediate updating is not possible, consider implementing network-level controls to restrict potentially malicious network traffic.
  4. Users of Fedora, Debian, and Gentoo Linux distributions should apply their respective security updates as referenced in the advisory links.
  5. Verify the update was successful by checking Chrome's version (Help > About Google Chrome).

References

  1. Google Chrome Release Blog: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html
  2. Chrome Bug Tracker (restricted access): https://crbug.com/1148309
  3. Fedora Security Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VVUWIJKZTZTG6G475OR6PP4WPQBVM6PS/
  4. Additional Fedora Advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6P6AVVFP7B2M4H7TJQBASRZIBLOTUFN/
  5. Gentoo Linux Security Advisory: https://security.gentoo.org/glsa/202101-05
  6. Debian Security Advisory: https://www.debian.org/security/2021/dsa-4832

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Health Care & Social Assistance: Medium
    Health Care & Social Assistance
  3. Public Administration: Medium
    Public Administration
  4. Educational Services: Medium
    Educational Services
  5. Transportation & Warehousing: Medium
    Transportation & Warehousing
  6. Finance and Insurance: Low
    Finance and Insurance
  7. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  8. Retail Trade: Low
    Retail Trade
  9. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  10. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  11. Utilities: Low
    Utilities
  12. Information: Low
    Information
  13. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  14. Accommodation & Food Services: Low
    Accommodation & Food Services
  15. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  16. Mining: Low
    Mining
  17. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  18. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  19. Construction: Low
    Construction
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background