Multiple vulnerabilities in Google ChromeOS TLS
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2023-5218 CVE-2023-42753 CVE-2023-40283 CVE-2023-23583 |
| CWE-ID | CWE-416 CWE-787 CWE-1281 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Chrome OS Operating systems & Components / Operating system |
| Vendor |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU81809
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-5218
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Site Isolation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsChrome OS: before 118.0.5993.86
External linkshttp://chromereleases.googleblog.com/2023/10/long-term-support-channel-update-for_24.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU81663
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-42753
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the netfilter subsystem in Linux kernel. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsChrome OS: before 118.0.5993.86
External linkshttp://chromereleases.googleblog.com/2023/10/long-term-support-channel-update-for_24.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free
EUVDB-ID: #VU79714
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-40283
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the l2cap_sock_release() function in net/bluetooth/l2cap_sock.c. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsChrome OS: before 118.0.5993.86
External linkshttp://chromereleases.googleblog.com/2023/10/long-term-support-channel-update-for_24.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Sequence of processor instructions leads to unexpected behavior
EUVDB-ID: #VU82351
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-23583
CWE-ID:
CWE-1281 - Sequence of Processor Instructions Leads to Unexpected Behavior
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an error related to processing of Sequence of processor instructions. A local user can execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsChrome OS: before 118.0.5993.86
External linkshttp://chromereleases.googleblog.com/2023/10/long-term-support-channel-update-for_24.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
