[FD] ChromeOS Doesn’t Always Use SSL During Startup [CVE-2017-15397]
- From: Nightwatch Cybersecurity Research <research AT nightwatchcybersecurity.com>
- Subject: [FD] ChromeOS Doesn’t Always Use SSL During Startup [CVE-2017-15397]
- Date: Mon, 1 Jan 2018 11:05:14 -0500
- Sender: "Fulldisclosure" <fulldisclosure-bounces AT seclists.org>
- To: fulldisclosure AT seclists.org
[Original at: https://wwws.nightwatchcybersecurity.com/2018/01/01/chromeos-doesnt-always-use-ssl-during-startup-cve-2017-15397/]
ChromeOS did not use SSL in all network calls originating from the
ChromeVox component during startup. This could potentially have
allowed an MITM attacker to inject content into ChromeOS or crash the
device. The vendor (Google) fixed this issue in Chrome M62. Google has
assigned CVE-2017-15397 to track this issue.
ChromeOS is the operating system developed by Google that runs on
ChromeBook devices. It is built on top of Linux and around the Chrome
By monitoring network traffic using a proxy we noticed that some
network calls originating from the ChromeVox component did not use
SSL. These calls occurred during the startup process before a user
logged in. Because these calls did not use SSL, it would be possible
for an MITM attacker, in theory, to either inject their own content
into ChromeOS, or crash the device by sending a very large packet. We
did not conduct any follow-up testing to confirm either of these two
1. Set up a proxy with WiFi.
2. Switch ChromeOS device to use proxy.
3. Restart the device and on the login screen enable ChromeVox.
4. Observe calls to HTTP without SSL.
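As an added example (not part of this advisory and not Nightwatch's own tooling), the Python script below shows how step 4 can be made systematic rather than eyeballed: it parses proxy access-log lines and separates TLS tunnels, which a proxy records only as `CONNECT host:443` with the request body hidden, from plaintext HTTP requests, which appear with their full URL and are exactly the traffic an on-path attacker can read or alter. It also flags plaintext requests to hosts that were reached over TLS elsewhere in the same capture, since that pattern usually indicates a single call that was simply never switched to HTTPS. The log layout (a simplified Squid-style access.log), client address and host names are all constructed for the example; the advisory does not name the ChromeVox endpoints.

```python
"""Classify proxy access-log lines into TLS tunnels vs plaintext HTTP.

Added example for the advisory above; not the advisory's own code.
Log layout and host names are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lines in a simplified Squid-style access.log layout:
# <epoch> <elapsed_ms> <client_ip> <status> <bytes> <method> <url_or_host:port>
SAMPLE_LOG = """\
1468300000.101 45 192.0.2.10 TCP_TUNNEL/200 3120 CONNECT accounts.example.test:443
1468300000.205 12 192.0.2.10 TCP_MISS/200 981 GET http://tts.example.test/speak?q=welcome
1468300000.310 9 192.0.2.10 TCP_MISS/200 1502 GET http://updates.example.test/manifest.json
1468300000.420 51 192.0.2.10 TCP_TUNNEL/200 4410 CONNECT updates.example.test:443
1468300000.530 7 192.0.2.10 TCP_MISS/200 210 GET http://127.0.0.1:8080/localcheck
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$"
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["method"] == "CONNECT":
        # A TLS tunnel: the proxy only ever sees host:port, never the request.
        host, _, port = rec["target"].rpartition(":")
        rec.update(scheme="https-tunnel", host=host, port=int(port or 443), path="")
    else:
        # A proxied request in the clear: full URL, headers and body are visible.
        u = urlsplit(rec["target"])
        default_port = 443 if u.scheme == "https" else 80
        rec.update(scheme=u.scheme, host=u.hostname or "",
                   port=u.port or default_port, path=u.path)
    return rec


def find_plaintext(log_text, ignore_loopback=True):
    """Return plaintext (non-TLS) requests found in the log, oldest first.

    Each finding notes whether the same host was also reached through a
    TLS tunnel in the capture, which points at a call that was missed when
    the rest of the component moved to HTTPS.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    tls_hosts = {r["host"] for r in records if r["scheme"] == "https-tunnel"}
    findings = []
    for r in records:
        if r["scheme"] != "http":
            continue
        if ignore_loopback and r["host"] in ("127.0.0.1", "localhost", "::1"):
            continue
        findings.append({
            "ts": float(r["ts"]),
            "host": r["host"],
            "url": r["target"],
            "also_seen_over_tls": r["host"] in tls_hosts,
        })
    return findings


if __name__ == "__main__":
    for f in find_plaintext(SAMPLE_LOG):
        flag = " (host also reached over TLS)" if f["also_seen_over_tls"] else ""
        print(f'{f["ts"]:.3f} plaintext {f["url"]}{flag}')
```

Run against a real proxy log taken while the device sits at the login screen with ChromeVox enabled; anything the script lists is a request whose content the proxy, and therefore any on-path attacker, can read or modify, and the `also_seen_over_tls` flag narrows the list to hosts where an HTTPS endpoint already exists.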
All testing was done on an Acer ChromeBook, running Chrome version
51.0.2704.106 (stable) and ChromeOS version 8172.62.0 (stable).
This issue was responsibly reported to the vendor via the Chromium bug
tracker. The vendor fixed this issue in ChromeOS release M62 and
assigned CVE-2017-15397 to track it.
CVE ID: CVE-2017-15397 -
Chromium Bug # 627300 -
This bug qualified for a bounty under the terms of the Google Chrome
Rewards bounty program, and a bounty payment has been received.
Advisory written by Yakov Shafranovich.
2016-07-12: Initial report to the vendor
2017-09-18: Issue patched by the vendor
2017-10-26: CVE assigned by the vendor
2018-01-01: Public disclosure
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/