CVE-2016-5137 in Chromeinfo

Summary

by MITRE

The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 52.0.2743.82, does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report. NOTE: this vulnerability is associated with a specification change after CVE-2016-1617 resolution.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 09/09/2022

The vulnerability described in CVE-2016-5137 resides within the Content Security Policy implementation of the Blink rendering engine used in Google Chrome browsers prior to version 52.0.2743.82. This flaw specifically affects the CSPSource::schemeMatches function located in WebKit/Source/core/frame/csp/CSPSource.cpp, which is responsible for determining whether a given URL matches the policy directives defined in Content Security Policy headers. The issue stems from an incomplete implementation of scheme matching logic that fails to properly handle the relationship between secure and insecure protocol variants, particularly when dealing with HTTP and HTTPS as well as WebSocket and WebSocket Secure protocols. This inconsistency creates a potential information disclosure vulnerability that could be exploited by remote attackers to infer user browsing behavior.

The technical flaw manifests when the Content Security Policy engine evaluates whether a URL should be allowed based on the configured policy rules. Specifically, the implementation fails to correctly apply http:80 policies to https:443 URLs and ws:80 policies to wss:443 URLs. This means that when a website implements a Content Security Policy that includes restrictions on http or ws schemes, the policy enforcement mechanism does not properly consider that these restrictions should also apply to their secure counterparts. The vulnerability creates a scenario where the browser's CSP reporting mechanism can reveal information about whether a user has visited a particular HSTS-enabled website, as the policy enforcement behavior differs between secure and insecure variants of the same protocol.

The operational impact of this vulnerability is significant for user privacy and security, as it enables attackers to perform tracking and fingerprinting activities through CSP report analysis. When a user visits an HSTS website, the browser generates CSP violation reports that contain information about the URLs that triggered policy violations. Attackers can exploit the inconsistent scheme matching behavior to determine whether specific websites have been visited by analyzing these CSP reports. This creates a privacy leak where the secure nature of HSTS websites can be compromised through indirect means, undermining the security guarantees that HSTS is designed to provide. The vulnerability is particularly dangerous because it operates at the browser level and can be exploited without requiring user interaction or explicit malicious code execution.

This vulnerability is classified under CWE-200, Information Exposure, and aligns with ATT&CK technique T1566.001 for credential access through web application attacks. The flaw represents a breakdown in the principle of least privilege and proper access control enforcement within the browser's security model. The issue is further connected to CVE-2016-1617, indicating that this vulnerability emerged from a specification change following the resolution of an earlier related issue. Organizations should understand that this vulnerability represents a gap in the Content Security Policy implementation that could be exploited by sophisticated attackers to build detailed profiles of user browsing patterns and potentially identify sensitive websites that users have visited. The vulnerability highlights the importance of comprehensive testing of security mechanisms, particularly those that deal with protocol variations and secure communications.

The recommended mitigations include upgrading to Google Chrome version 52.0.2743.82 or later, which contains the patched implementation of the CSP scheme matching logic. Additionally, web developers should ensure that their Content Security Policy implementations account for the secure protocol variants and consider using more restrictive policies that explicitly define both secure and insecure scheme requirements. Security teams should monitor CSP violation reports for unusual patterns that might indicate exploitation attempts and implement additional layers of protection such as proper HSTS headers and secure communication practices. The vulnerability underscores the critical need for thorough testing of security mechanisms and proper implementation of security specifications to prevent information leakage through indirect means.

Reservation

05/31/2016

Disclosure

07/23/2016

Moderation

accepted

Entry

VDB-90245

CPE

ready

EPSS

0.01283

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!