CVE-2015-6762 in Chrome
Summary
by MITRE
The CSSFontFaceSrcValue::fetch function in core/css/CSSFontFaceSrcValue.cpp in the Cascading Style Sheets (CSS) implementation in Blink, as used in Google Chrome before 46.0.2490.71, does not use the CORS cross-origin request algorithm when a font's URL appears to be a same-origin URL, which allows remote web servers to bypass the Same Origin Policy via a redirect.
Analysis
by VulDB Data Team • 06/22/2022
CVE-2015-6762 resides in the CSS implementation of the Blink rendering engine, specifically in the CSSFontFaceSrcValue::fetch function in core/css/CSSFontFaceSrcValue.cpp. The flaw lets a malicious remote server circumvent the Same Origin Policy by way of a redirect, undermining the browser's basic isolation model. It affects Google Chrome versions prior to 46.0.2490.71, so users on outdated builds are exposed. The root cause is improper handling of cross-origin font requests: when a font URL appears to belong to the document's own origin, the request is not subjected to the CORS algorithm, which opens a loophole in the browser's security boundaries.
The flaw manifests when a web server answers a font request with a redirect to a different origin and the browser fails to validate the final destination of the redirect chain. CSSFontFaceSrcValue::fetch decides whether CORS applies by looking only at the URL as written: if that URL looks same-origin, the CORS checks are skipped for the whole request, including any response served after a redirect. The CORS cross-origin request algorithm should be applied to font loads regardless of the initial URL's apparent origin. Because it is not, an attacker can host content on a different domain and still have it loaded as a font resource in the victim's browser, bypassing the protection that is meant to block such cross-origin access.
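The decision described above, modelled as an added Python example (not Chrome's or VulDB's code): a constructed fake network with a redirect, a fetcher that decides on CORS once from the initial URL, and a fixed fetcher that applies the CORS check to the origin that actually served the response. All hosts and responses are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed fake network: URL -> (status, headers, body). No real hosts.
FAKE_NET = {
    "https://app.example/fonts/a.woff":
        (302, {"Location": "https://evil.example/a.woff"}, b""),
    "https://evil.example/a.woff":            # no Access-Control-Allow-Origin
        (200, {}, b"wOFF-bytes"),
    "https://cdn.example/b.woff":
        (200, {"Access-Control-Allow-Origin": "https://app.example"}, b"wOFF-bytes"),
}

def origin(url):
    """Scheme + host[:port], the origin tuple in string form."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def follow_redirects(url, max_hops=5):
    """Resolve a URL through FAKE_NET, returning (final_url, headers, body)."""
    for _ in range(max_hops):
        status, headers, body = FAKE_NET[url]
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            continue
        return url, headers, body
    raise RuntimeError("too many redirects")

def cors_allows(headers, doc_origin):
    """CORS response check: ACAO must name the document origin or be '*'."""
    acao = headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == doc_origin

def fetch_font_vulnerable(url, doc_origin):
    """The CVE-2015-6762 pattern: decide once, from the URL as written,
    whether CORS applies; a redirect to another origin is never re-checked."""
    use_cors = origin(url) != doc_origin
    final_url, headers, _ = follow_redirects(url)
    if use_cors and not cors_allows(headers, doc_origin):
        return None
    return final_url            # loaded even when final_url is cross-origin

def fetch_font_fixed(url, doc_origin):
    """Fixed behaviour: fonts always go through the CORS algorithm, and the
    origin that is checked is the one that actually served the response."""
    final_url, headers, _ = follow_redirects(url)
    if origin(final_url) != doc_origin and not cors_allows(headers, doc_origin):
        return None
    return final_url
```

With the same-origin-looking URL that redirects to evil.example, the vulnerable fetcher returns the cross-origin font while the fixed one rejects it for lack of an Access-Control-Allow-Origin header.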
The operational impact extends well beyond the bypass itself: with the Same Origin Policy circumvented for font loads, the weakness becomes a vector for cross-origin resource leakage, potentially exposing resources that should be restricted to specific origins. It is particularly dangerous in environments where users work with multiple web applications or services that rely on proper origin isolation. CWE-346 describes the underlying weakness, insufficient validation of a resource's origin; the ATT&CK framework would classify this under T1056.001 for Input Injection and T1566 for Phishing, since attackers could craft malicious redirects to harvest data or perform unauthorized operations. In effect the vulnerability lets an attacker establish an unauthorized communication channel between origins, which may enable data exfiltration or cross-site request forgery.
Mitigation of CVE-2015-6762 centres on updating the browser to a version that applies CORS checks to every font request regardless of how the URL initially appears. Users should run Chrome 46.0.2490.71 or later, which contains the fix. Organizations should maintain a browser update policy and consider automated patch management so that all users stay on current versions. Web developers should be aware that the vulnerability concerns how browsers load fonts and should review their font hosting so that font URLs do not pass through redirect chains they do not control. Network administrators can deploy monitoring to flag unusual redirect patterns on font requests that might indicate exploitation attempts, and security teams should take the vulnerability into account when performing penetration tests or security assessments of web applications that rely heavily on custom font resources. The fix in the patched version ensures that all font requests undergo proper CORS validation regardless of their initial URL characteristics, restoring the intended security boundary between origins.