CVE-2015-6785 in Chromeinfo

Summary

by MITRE

The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Google Chrome before 47.0.2526.73 accepts an x.y hostname as a match for a *.x.y pattern, which might allow remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging a policy that was intended to be specific to subdomains.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 06/28/2022

The vulnerability identified as CVE-2015-6785 resides within the Content Security Policy implementation of Google Chrome, specifically within the WebKit rendering engine's CSPSource::hostMatches function. This flaw represents a critical bypass issue that undermines the security controls designed to restrict content access based on hostname patterns. The vulnerability affects Chrome versions prior to 47.0.2526.73 and demonstrates a fundamental flaw in how wildcard pattern matching is handled within the CSP framework, creating potential security gaps that malicious actors could exploit.

The technical root cause of this vulnerability stems from an improper implementation of wildcard hostname matching logic. When a Content Security Policy is configured with a pattern such as .x.y, the system should only match subdomains that are directly under the specified domain structure. However, the flawed implementation accepts an x.y hostname as matching the .x.y pattern, creating an unintended bypass mechanism. This occurs because the matching algorithm does not properly validate the hierarchical structure of domain names, allowing a direct match to occur when it should only accept subdomain patterns. The flaw essentially creates a security boundary that is weaker than intended, as it permits access that should have been restricted to subdomain-specific policies.

The operational impact of this vulnerability is significant for web applications that rely on Content Security Policy to enforce access controls and prevent cross-site scripting attacks. Attackers could potentially exploit this weakness by crafting malicious content or redirecting traffic in ways that leverage the improper pattern matching to bypass intended security restrictions. The vulnerability is particularly concerning because it operates in opportunistic circumstances, meaning that the attack vector may not be immediately obvious but could be exploited under specific conditions. This makes it especially dangerous in environments where CSP policies are used to protect sensitive applications or user data, as the bypass could allow attackers to access resources that should be restricted to specific subdomain patterns.

This vulnerability maps to CWE-22, which describes improper limitation of a pathname to a restricted directory, and CWE-264, which covers permissions, privileges, and access controls. The issue also aligns with ATT&CK technique T1068, which involves exploiting vulnerabilities to gain elevated privileges or bypass access controls. The improper hostname matching creates a path traversal-like condition where the security boundary is weakened, allowing unauthorized access to resources that should be protected by CSP policies. Organizations using Chrome-based applications or web services that depend on CSP for security enforcement would be particularly vulnerable to this type of attack, as the flaw enables attackers to circumvent the intended scope of security policies.

The recommended mitigation involves upgrading to Google Chrome version 47.0.2526.73 or later, where the CSP matching logic has been corrected to properly enforce domain hierarchy constraints. Additionally, security administrators should review existing Content Security Policies to ensure they do not rely on potentially vulnerable wildcard patterns, and consider implementing additional security controls such as strict CSP headers, regular security audits, and monitoring for unusual access patterns that might indicate exploitation attempts. The fix implemented by Google addresses the core matching algorithm to ensure that wildcard patterns properly validate domain hierarchy, preventing the inappropriate acceptance of direct hostname matches for subdomain-specific patterns.

Reservation

08/31/2015

Disclosure

12/05/2015

Moderation

accepted

Entry

VDB-79368

CPE

ready

EPSS

0.01721

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!