CVE-2024-10230

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Oct 22, 2024 / Updated: 28d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

Type Confusion in V8 in Google Chrome prior to version 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability is classified as a Type Confusion issue, specifically related to Access of Resource Using Incompatible Type. The vulnerability has been assigned a high severity rating by Chromium.

Impact

This vulnerability could allow an attacker to exploit heap corruption, which is a serious security issue. Heap corruption can lead to various severe consequences, including: 1. Code execution: An attacker might be able to execute arbitrary code on the affected system. 2. Information disclosure: Sensitive data stored in memory could potentially be exposed. 3. Denial of Service: The application could crash or become unresponsive. 4. Privilege escalation: In some cases, an attacker might be able to gain elevated privileges on the system. The attack vector is via a crafted HTML page, which means it could be exploited by tricking a user into visiting a malicious website or by compromising a legitimate website to serve the malicious HTML. The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity level. The attack vector is network-based, requires low attack complexity, no privileges, and user interaction. The impact on confidentiality, integrity, and availability is high.

Exploitation

There is no evidence that a public proof-of-concept exists. Threat Actor Lazarus Group (source:Cyber Security News Aggregator) has been identified as exploiting this vulnerability.

Patch

A patch is available for this vulnerability. Google Chrome version 130.0.6723.69 and later versions have addressed this issue. Users and administrators should update to this version or later to mitigate the vulnerability.

Mitigation

1. Update Google Chrome: The most effective mitigation is to update Google Chrome to version 130.0.6723.69 or later. 2. Enable automatic updates: Ensure that automatic updates are enabled for Google Chrome to receive security patches promptly. 3. User awareness: Educate users about the risks of visiting untrusted websites or clicking on suspicious links. 4. Network security: Implement network-level protections such as web filtering and intrusion detection systems to help identify and block potential exploit attempts. 5. Principle of least privilege: Ensure that users are not running with administrative privileges during day-to-day operations to minimize the potential impact of successful exploits. 6. Sandboxing: If possible, run Chrome in a sandboxed environment to add an extra layer of protection against potential exploits. 7. Monitoring: Implement robust logging and monitoring to detect any unusual activities that could indicate exploitation attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-10230

Oct 22, 2024 at 10:15 PM
First Article

Feedly found the first article mentioning CVE-2024-10230. See article

Oct 22, 2024 at 10:21 PM / VulDB Recent Entries
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209529)

Oct 23, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209528)

Oct 23, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209527)

Oct 23, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380762)

Oct 23, 2024 at 5:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 23, 2024 at 10:37 AM
Threat Intelligence Report

CVE-2024-10230 is a critical vulnerability identified in the browser’s Extensions and V8 JavaScript engine, which could allow attackers to execute arbitrary code and gain unauthorized access to user data. The details provided do not specify if it has been exploited in the wild, nor do they mention any proof-of-concept exploits, mitigations, detections, or patches available. Additionally, there is no information regarding potential downstream impacts to other third-party vendors or technology. See article

Oct 24, 2024 at 2:20 PM
Attribution of Exploits

The vulnerability is known to be exploited by Lazarus Group. See article

Oct 24, 2024 at 10:01 PM / Cyber Security News Aggregator
Static CVE Timeline Graph

Affected Systems

Google/chrome
+null more

Patches

Google Chrome chrome-130.0.6723.69
+null more

Links to Threat Actors

Lazarus Group
+null more

Vendor Advisory

Stable Channel Update for Desktop
This update includes 3 security fixes. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

References

Stable Channel Update for ChromeOS / ChromeOS Flex
ChromeOS Vulnerability Rewards Program Reported Bug Fixes: Beta Specific: ChromeOS Beta Help Community
Stable Channel Update for ChromeOS / ChromeOS Flex
ChromeOS Vulnerability Rewards Program Reported Bug Fixes: Beta Specific: ChromeOS Beta Help Community
Stable Channel Update for Desktop
This update includes 3 security fixes. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
See 1 more references

News

Multiple vulnerabilities in Prisma Access Browser
A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Patch Tuesday November 2024 - 3 Zero Days!
So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month. Of this months patches only 8 are critical and 88 important.
PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates (Severity: HIGH)
Product Confidentiality HIGH Product Integrity HIGH
freebsd 96266fc9-1200-43b5-8393-4c51f54bb7bc: electron32 -- multiple vulnerabilities
Testing Last Updated: 11/8/2024 CVEs: CVE-2024-10229 , CVE-2024-10487 , CVE-2024-10231 , CVE-2024-10230
electron32 -- multiple vulnerabilities
See 61 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI