CVE-2020-6492 a use-after-free Vulnerability Fixed for Google Chrome Version 85
By Kashia Ingraham on October 8, 2020
Introduction
Google Chrome Version 85 has made its way to the stable version the last week of August 2020 making 20 security fixes [1]. There were 14 vulnerabilities patches that was discovered by external researchers. None of flaws were deemed a rating of critical risk, however there was a vulnerability that was found that Google has yet to mention but was published from Cisco as a high severity flaw Common Vulnerabilities and Exposures (CVE)-2020-6492 a use-after-free vulnerability which can ultimately lead to arbitrary code execution, was found within Chrome 84.0.4143.7 (Canary), Chrome 84.0.4136.5 (Dev), and Chrome 81.0.4044.138 (Stable), which has been addressed in Chrome 85.
Vulnerability
CVE-2020-6492 a use-after-free vulnerability that exists in ANGLE, a compatibility layer between OpenGL and Direct3D that Chrome uses on Windows systems [2]. In normal operations in the program it would allocate the memory and store it. A pointer is then created to access the memory. From there the memory is deleted making the pointer invalid for use, which then is passed back to the memory manager as a variable point. In the use-after-free vulnerability after memory is deleted instead of the pointer being invalid it continues to use the pointer therefore allowing the attacker to access that free memory which may contain content that was intended to be deleted. In the code of the ANGLE function there is a line called “State::syncTextures” with the responsibility to check if the texture has any DirtyBits. During this process there is a crash within the code when the texture is trying to syncState leading to the “Texture::syncState” function. This crash is caused from the use-after-free attempt that is being made to access memory after “it has been freed” in between the functions of “drawArraysInstanced” and “SafeDelete” built within the code giving the attacker the ability to exploit and create arbitrary code [3].
Impact
The National Vulnerability Database (NVD) has scored this CVE as 8.3 severity [4]. As mentioned previously this vulnerability was found in all Chrome Version 84. The memory in the WebGL is not properly handling the objects therefore an attacker would be able to execute code in a way that would create an after free state which would stem in attempting to access the memory causing a program to crash or gain full access to perform arbitrary code.
Mitigation
The flaw was found and reported by Cisco for the vulnerability in the previous versions of Google Chrome and was fixed in the Beta channel of Chrome 85 and has officially rolled into the Stable version of Chrome 85.0.4149.0 within the last week of August 2020 [5].
Relevance
Google Chrome is one of the most popular web browsers used. With a use-after-free vulnerability still running on an older version, places users at risk if an update to the latest version of Chrome has not been completed.
References
[1] Chrome releases, “Stable Channel Update for Desktop”, August 25, 2020. https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_25.html
[2] Security week, “Chrome 85 Released With 20 Security Fixes”, August 26, 20202.
https://www.securityweek.com/chrome-85-released-20-security-fixes
[3] Talos Intelligence, “Google Chrome WebGL code execution vulnerability”, August 24, 2020.
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1085
[4] National Vulnerability Database, “CVE-2020-6492”, August 30, 2020.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-6492
[5] Threat Post, “Google Fixes High-Severity Chrome Browser Code Execution Bug”, August 24, 2020.
https://threatpost.com/google-fixes-high-severity-chrome-browser-code-execution-bug/158600/