CVE-2016-1636 in Chromeinfo

Summary

by MITRE

The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp in Google Chrome before 49.0.2623.75 relies on memory-cache information about integrity-check occurrences instead of integrity-check successes, which allows remote attackers to bypass the Subresource Integrity (aka SRI) protection mechanism by triggering two loads of the same resource.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/09/2022

The vulnerability identified as CVE-2016-1636 represents a critical flaw in Google Chrome's implementation of Subresource Integrity (SRI) protection mechanism within the WebKit rendering engine. This issue specifically affects Chrome versions prior to 49.0.2623.75 and demonstrates how improper handling of memory cache information can undermine security controls designed to protect against malicious resource substitution. The flaw exists in the PendingScript::notifyFinished function located in WebKit/Source/core/dom/PendingScript.cpp, which is responsible for managing script loading and integrity verification processes.

The technical root cause of this vulnerability stems from the function's reliance on memory-cache information regarding integrity-check occurrences rather than tracking actual integrity-check successes. This design flaw creates a window where attackers can exploit the system's caching behavior to bypass SRI protections. When the same resource is loaded multiple times, the function incorrectly interprets cached information about previous integrity checks rather than verifying the current state of the resource. This misinterpretation allows malicious actors to manipulate the loading process and potentially substitute legitimate resources with compromised versions without triggering the expected integrity validation mechanisms.

The operational impact of this vulnerability is significant as it effectively neutralizes the Subresource Integrity protection that web developers rely upon to ensure that resources loaded from third-party domains have not been tampered with during transit. Attackers can leverage this weakness to execute code injection attacks by replacing legitimate JavaScript libraries with malicious versions that maintain the same integrity hash, thus evading detection mechanisms. The vulnerability particularly affects scenarios where developers implement SRI to protect against supply chain attacks, making it a serious concern for web applications that depend on external resources. This flaw enables attackers to bypass security controls that are fundamental to modern web security practices and represents a direct violation of the principle of least privilege in resource loading.

Mitigation strategies for this vulnerability require immediate patching of affected Chrome versions to 49.0.2623.75 or later, where the underlying implementation has been corrected to properly track integrity-check successes rather than relying on potentially stale cache information. Organizations should also implement additional monitoring of resource loading patterns and integrity verification failures to detect potential exploitation attempts. Security teams should review their SRI implementation practices to ensure that they are not relying on potentially vulnerable configurations. From a defensive perspective, this vulnerability aligns with ATT&CK technique T1555.003 related to credential access through web-based attacks and CWE-284 which addresses improper access control in software systems. The fix implemented by Google demonstrates proper security engineering practices by ensuring that integrity verification mechanisms rely on actual validation results rather than cached state information that may become inconsistent or outdated.

Reservation

01/12/2016

Disclosure

03/05/2016

Moderation

accepted

Entry

VDB-81162

CPE

ready

EPSS

0.01836

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!