CVE-2024-10231

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Oct 22, 2024 / Updated: 28d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

Type Confusion in V8 in Google Chrome prior to version 130.0.6723.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability is classified as having a High security severity by Chromium.

Impact

This vulnerability could allow an attacker to exploit heap corruption, which may lead to code execution or data manipulation. The potential impacts are severe: 1. Confidentiality Impact: High - There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. 2. Integrity Impact: High - There is a total loss of integrity or a complete loss of protection, resulting in the attacker being able to modify any/all data within the impacted component. 3. Availability Impact: High - There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component. An attacker could potentially gain unauthorized access to sensitive data, modify system files or data, or cause system crashes or denial of service.

Exploitation

There is no evidence that a public proof-of-concept exists. Threat Actor Lazarus Group (source:Cyber Security News Aggregator) has been identified as exploiting this vulnerability.

Patch

A patch is available. The vulnerability has been addressed in Google Chrome version 130.0.6723.69 and later. Users and administrators should update to this version or newer to mitigate the risk.

Mitigation

1. Update Google Chrome: Immediately update to version 130.0.6723.69 or later. 2. Enable automatic updates: Ensure that automatic updates are enabled for Google Chrome to receive security patches promptly. 3. User awareness: Educate users about the risks of visiting untrusted websites or opening suspicious HTML content. 4. Network segmentation: Implement proper network segmentation to limit the potential impact if exploitation occurs. 5. Web filtering: Use web filtering tools to block access to known malicious websites. 6. Vulnerability scanning: Regularly scan systems to identify outdated Chrome versions. 7. Principle of least privilege: Ensure users are not running with unnecessary elevated privileges when using Chrome. 8. Monitor for suspicious activity: Implement logging and monitoring to detect potential exploitation attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-10231

Oct 22, 2024 at 10:15 PM
First Article

Feedly found the first article mentioning CVE-2024-10231. See article

Oct 22, 2024 at 10:21 PM / VulDB Recent Entries
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209529)

Oct 23, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209528)

Oct 23, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209527)

Oct 23, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380762)

Oct 23, 2024 at 5:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 23, 2024 at 10:37 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 23, 2024 at 3:40 PM / nvd
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 23, 2024 at 9:45 PM
Static CVE Timeline Graph

Affected Systems

Google/chrome
+null more

Patches

Google Chrome chrome-130.0.6723.69
+null more

Links to Threat Actors

Lazarus Group
+null more

Vendor Advisory

Stable Channel Update for Desktop
This update includes 3 security fixes. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

References

Long Term Support Channel Update for ChromeOS
A new LTS-126 version 126.0.6478.257 (Platform Version: 15886.82.0), is being rolled out for most ChromeOS devices. This version includes selected security fixes including: 375123371 Critical CVE-2024-10487 Out of bounds write in Dawn 372269618 High CVE-2024-10231 Type Confusion in V8 371011220 High CVE-2024-10229 Inappropriate implementation in Extensions 40076120 Medium CVE-2024-9958 Inappropriate implementation in PictureInPicture 328278718 Medium CVE-2024-9963 Insufficient data validation in Downloads Release notes for LTS-126 can be found here Want to know more about Long-term Support? Click here Giuliana Pritchard Google ChromeOS
Stable Channel Update for ChromeOS / ChromeOS Flex
ChromeOS Vulnerability Rewards Program Reported Bug Fixes: Beta Specific: ChromeOS Beta Help Community
Stable Channel Update for ChromeOS / ChromeOS Flex
ChromeOS Vulnerability Rewards Program Reported Bug Fixes: Beta Specific: ChromeOS Beta Help Community
See 2 more references

News

Multiple vulnerabilities in Prisma Access Browser
A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Python3-wxPython, Libsoup, NodeJS-Electron, and more updates for SUSE
SUSE Linux has announced the release of multiple security updates, which include a moderate update for python3-wxPython, libsoup, libnghttp2, nodejs-electron, icinga2, rclone, libvirt, wget, libsoup-2_4-1-2.74.3-4.1, gio-branding-upstream, as well as an important security update for Apache2: These are all security issues fixed in the nodejs-electron-31.7.4-1.1 package on the GA media of openSUSE Tumbleweed.
freebsd 6b591e05-971c-4077-8ae4-1310554971b7: electron31 -- multiple vulnerabilities
Development Last Updated: 11/15/2024 CVEs: CVE-2024-10229 , CVE-2024-10487 , CVE-2024-10231
electron31 -- multiple vulnerabilities
Patch Tuesday November 2024 - 3 Zero Days!
So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month. Of this months patches only 8 are critical and 88 important.
See 67 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI