CVE-2016-1636 in Chrome
Summary
by MITRE
The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp in Google Chrome before 49.0.2623.75 relies on memory-cache information about integrity-check occurrences instead of integrity-check successes, which allows remote attackers to bypass the Subresource Integrity (aka SRI) protection mechanism by triggering two loads of the same resource.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/09/2022
The vulnerability identified as CVE-2016-1636 represents a critical flaw in Google Chrome's implementation of Subresource Integrity (SRI) protection mechanism within the WebKit rendering engine. This issue specifically affects Chrome versions prior to 49.0.2623.75 and demonstrates how improper handling of memory cache information can undermine security controls designed to protect against malicious resource substitution. The flaw exists in the PendingScript::notifyFinished function located in WebKit/Source/core/dom/PendingScript.cpp, which is responsible for managing script loading and integrity verification processes.
The technical root cause of this vulnerability stems from the function's reliance on memory-cache information regarding integrity-check occurrences rather than tracking actual integrity-check successes. This design flaw creates a window where attackers can exploit the system's caching behavior to bypass SRI protections. When the same resource is loaded multiple times, the function incorrectly interprets cached information about previous integrity checks rather than verifying the current state of the resource. This misinterpretation allows malicious actors to manipulate the loading process and potentially substitute legitimate resources with compromised versions without triggering the expected integrity validation mechanisms.
The operational impact of this vulnerability is significant as it effectively neutralizes the Subresource Integrity protection that web developers rely upon to ensure that resources loaded from third-party domains have not been tampered with during transit. Attackers can leverage this weakness to execute code injection attacks by replacing legitimate JavaScript libraries with malicious versions that maintain the same integrity hash, thus evading detection mechanisms. The vulnerability particularly affects scenarios where developers implement SRI to protect against supply chain attacks, making it a serious concern for web applications that depend on external resources. This flaw enables attackers to bypass security controls that are fundamental to modern web security practices and represents a direct violation of the principle of least privilege in resource loading.
Mitigation strategies for this vulnerability require immediate patching of affected Chrome versions to 49.0.2623.75 or later, where the underlying implementation has been corrected to properly track integrity-check successes rather than relying on potentially stale cache information. Organizations should also implement additional monitoring of resource loading patterns and integrity verification failures to detect potential exploitation attempts. Security teams should review their SRI implementation practices to ensure that they are not relying on potentially vulnerable configurations. From a defensive perspective, this vulnerability aligns with ATT&CK technique T1555.003 related to credential access through web-based attacks and CWE-284 which addresses improper access control in software systems. The fix implemented by Google demonstrates proper security engineering practices by ensuring that integrity verification mechanisms rely on actual validation results rather than cached state information that may become inconsistent or outdated.