CVE-2024-2883 is a critical vulnerability found in ANGLE, a component of Google Chrome and Microsoft Edge. The vulnerability is exploitable via crafted HTML pages, allowing remote attackers to exploit heap corruption. The potential impact is high, enabling drive-by attacks leading to system compromise, with reports of active exploitation in the wild confirmed by the Chromium group.
CVE-2024-2883: Details
| Field | Details |
|---|---|
| Description | Use after free (UAF) in ANGLE in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| CVE listing | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2883 |
| Published | 26-Mar-2024, updated 29-Mar-2024 |
| Severity | Critical |
| CISA KEV listing | N/A |
| Vulnerable software | Google Chrome versions prior to 123.0.6312.86; Microsoft Edge versions prior to 123.0.2420.65 |
| Potential impact | High. The vulnerability enables an attacker to create a specially crafted HTML page which can be used in drive-by attacks. Loading the webpage can lead to compromising the system. |
| Exploited in the wild | Yes, reported by the Chromium group as being actively exploited. |
| Security advisories | https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-2883 |
Analysis:
ANGLE (Almost Native Graphics Layer Engine) is a Chromium component that allows the execution of WebGL (Web Graphics Library) and OpenGL graphics, enabling the rendering of interactive 2D and 3D graphics within compatible browsers.
Use after free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program (source: Kaspersky).
This vulnerability potentially enables an attacker to create a specially crafted HTML page which can be used in drive-by attacks. Loading the webpage can lead to exploiting the vulnerability and compromising the system. Once exploited, the vulnerability potentially allows attackers to access system resources with the user’s privileges.
CVE-2024-2883 is related to multiple Chrome vulnerabilities with similar mechanisms:
- CVE-2024-2885: Use After Free In Dawn (Severity: High)
- CVE-2024-2886: Use after free in WebCodecs (Severity: High)
- CVE-2024-2887: Type Confusion in WebAssembly (Severity: High)
Morphisec Protection Mechanisms
- Virtual patching of the application by Automated Moving Target Defense (AMTD)
- Visibility of vulnerable versions of Chrome
How Morphisec prevents the attack
Morphisec’s Automated Moving Target Defense (AMTD) implementation offers virtual patching protection for the vulnerability. Morphisec protects web browsers and, by applying AMTD, negates the vulnerability itself by constantly rearranging the attack surface during application load time. This protection is significant because AMTD offers signatureless protection and is resistant to attackers’ changing techniques.
Morphisec’s Adaptive Exposure Management also provides clear visibility of the systems running vulnerable versions of the application to better prioritize the patching strategy.
Morphisec’s ability to protect against unpatched vulnerabilities is especially crucial given the ongoing NIST NVD crisis and lack of enriched CVE data.
Mitigation Recommendations
- Apply browser updates
- Ensure Morphisec protects all devices with Chrome browsers
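
An added example (not code from Morphisec or the advisories above) of checking an asset inventory against the fixed versions listed in the table. It compares four-part version numbers numerically, since a plain string comparison would rank 99.x above 123.x; the inventory rows, host names and function names are constructed for illustration.

```python
from typing import Iterable, List, NamedTuple, Optional, Tuple

# First fixed versions, taken from the "Vulnerable software" row on this page.
FIXED = {
    "chrome": (123, 0, 6312, 86),
    "edge": (123, 0, 2420, 65),
}

class Finding(NamedTuple):
    host: str
    product: str
    version: str
    status: str  # "vulnerable", "patched" or "unknown"

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a four-part Chromium-style version; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product: str, version: str) -> str:
    """Compare an installed version with the fixed version for CVE-2024-2883."""
    fixed = FIXED.get(product.strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        # Unparseable data is surfaced for follow-up, never assumed patched.
        return "unknown"
    return "vulnerable" if parsed < fixed else "patched"

def triage(rows: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Classify every (host, product, version) row of an inventory export."""
    return [Finding(h, p, v, classify(p, v)) for h, p, v in rows]

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "123.0.6312.58"),
    ("ws-002", "chrome", "123.0.6312.86"),
    ("ws-003", "edge", "122.0.2365.92"),
    ("ws-004", "edge", "123.0.2420.65"),
    ("ws-005", "chrome", "99.0.4844.84"),  # string compare would call this patched
    ("ws-006", "chrome", "not reported"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:8} {f.product:7} {f.version:16} {f.status}")
```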