Vulnerability ID 5609

Google Chrome up to 19.0.1084.57 Matroska Container Integer buffer overflow

Google
CVSSv3 Temp ScoreCurrent Exploit Price (≈)
7.0$5k-$10k

A vulnerability, which was classified as critical, has been found in Google Chrome up to 19.0.1084.57. This issue affects an unknown function of the component Matroska Container. The manipulation with an unknown input leads to a buffer overflow vulnerability (integer). Impacted is confidentiality, integrity, and availability.

The weakness was shared 06/26/2012 by Jüri Aedla (Inferno) with Google Chrome Security Team as 132779. The advisory is shared for download at code.google.com. The vendor cooperated in the coordination of the public release. The identification of this vulnerability is CVE-2012-2834 since 05/19/2012. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are unknown but a public exploit is available.

We expect the 0-day to have been worth approximately $50k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 59750 (FreeBSD : chromium -- multiple vulnerabilities (ff922811-c096-11e1-b0f4-00262d5ed8ee)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family FreeBSD Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 120297 (Google Chrome Prior to 20.0.1132.43 Multiple Vulnerabilities).

Upgrading to version 20.0.1132.43 eliminates this vulnerability. The upgrade is hosted for download at google.com. Applying a patch is able to eliminate this problem. The bugfix is ready for download at gitorious.org. The problem might be mitigated by replacing the product with Mozilla Firefox, Microsoft Internet Explorer, Opera as an alternative. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the databases at SecurityFocus (BID 54203), X-Force (76574), Secunia (SA49724) and Vulnerability Center (SBV-35801). googlechromereleases.blogspot.de is providing further details. Entries connected to this vulnerability are available at 5585, 5586, 5587 and 5588.

CVSSv3

Base Score: 7.3 [?]
Temp Score: 7.0 [?]
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C [?]
Reliability: High

CVSSv2

Base Score: 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P) [?]
Temp Score: 5.9 (CVSS2#E:ND/RL:OF/RC:C) [?]
Reliability: High

AVACAuCIA
LHMNNN
AMSPPP
NLNCCC
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
LocalHighMultipleNoneNoneNone
AdjacentMediumSinglePartialPartialPartial
NetworkLowNoneCompleteCompleteComplete

CPE

Exploiting

Class: Buffer overflow (CWE-189)
Local: No
Remote: Yes

Availability: No
Access: Public

Current Price Estimation: $50k-$100k (0-day) / $5k-$10k (Today)

0-Day$0-$1k$1k-$2k$2k-$5k$5k-$10k$10k-$25k$25k-$50k$50k-$100k$100k-$500k
Today$0-$1k$1k-$2k$2k-$5k$5k-$10k$10k-$25k$25k-$50k$50k-$100k$100k-$500k


Nessus ID: 59750
Nessus Name: FreeBSD : chromium -- multiple vulnerabilities (ff922811-c096-11e1-b0f4-00262d5ed8ee)
Nessus File: freebsd_pkg_ff922811c09611e1b0f400262d5ed8ee.nasl
Nessus Family: FreeBSD Local Security Checks
OpenVAS ID: 71529
OpenVAS Name: FreeBSD Ports: chromium
OpenVAS File: freebsd_chromium17.nasl
OpenVAS Family: FreeBSD Local Security Checks
Qualys ID: 120297
Qualys Name: Google Chrome Prior to 20.0.1132.43 Multiple Vulnerabilities

Countermeasures

Recommended: Upgrade
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known

Upgrade: Chrome 20.0.1132.43
Patch: gitorious.org
Alternative: Mozilla Firefox, Microsoft Internet Explorer, Opera

Timeline

05/19/2012 CVE assigned
06/26/2012 +38 days SecurityFocus entry assigned
06/26/2012 +1 days Vendor acknowledged
06/26/2012 +0 days Advisory disclosed
06/26/2012 +0 days Countermeasure disclosed
06/27/2012 +0 days VulDB entry created
06/27/2012 +0 days NVD disclosed
06/27/2012 +0 days OSVDB entry created
06/27/2012 +0 days VulnerabilityCenter entry assigned
08/06/2012 +40 days VulnerabilityCenter entry created
06/15/2014 +678 days VulnerabilityCenter entry updated
07/08/2015 +389 days VulDB entry updated

Sources

Advisory: 132779
Researcher: Jüri Aedla (Inferno)
Organization: Google Chrome Security Team
Status: Confirmed
Confirmation: code.google.com
Coordinated: Yes

CVE: CVE-2012-2834 (mitre.org) (nvd.nist.org) (cvedetails.com)

SecurityFocus: 54203 - Google Chrome Prior to 20.0.1132.43 Multiple Security Vulnerabilities
Secunia: 49724 - Google Chrome Multiple Vulnerabilities, Highly Critical
X-Force: 76574
Vulnerability Center: 35801 - Google Chrome Before 20.0.1132.43 Integer Overflow Allows Remote DoS, Medium
OSVDB: 83250 - FFmpeg / Libav matroska_parse_block Function Matroska Container Parsing Buffer Overflow

Misc.: googlechromereleases.blogspot.de
See also: 5585, 5586, 5587, 5588, 5589, 5591, 5592, 5593, 5598, 5599, 5600, 5601, 5602, 5603

Entry

Created: 06/27/2012
Updated: 07/08/2015
Entry: 97.5% complete