CVE-2024-4058 - Type Confusion in ANGLE in Google Chrome Leading to Heap Corruption Vulnerability and How to Mitigate It

A critical security vulnerability, tracked as CVE-2024-4058, has been fixed in the ANGLE library used by Google Chrome. It affects Chrome versions prior to 124.0.6367.78. The flaw is a type confusion that can lead to heap corruption in the process that runs ANGLE and, from there, potentially to code execution by a remote attacker who gets a victim to open a crafted HTML page. Developers and users alike should understand the nature of the issue and update promptly.

What is ANGLE?
ANGLE ("Almost Native Graphics Layer Engine") is an open-source library developed by Google that implements the OpenGL ES API on top of whatever graphics API the platform provides, translating OpenGL ES calls to Direct3D 9 and 11 on Windows and to desktop OpenGL, Vulkan or Metal elsewhere. Google Chrome uses ANGLE as its WebGL implementation, so WebGL calls issued by any web page are translated and validated by ANGLE before they reach the GPU driver. That makes ANGLE part of the browser's remotely reachable attack surface.

Vulnerability Details

Reports indicate that the type confusion in ANGLE can be triggered while handling certain objects on behalf of a specially crafted HTML page. The confusion can corrupt the heap, which gives an attacker the raw material for executing code in the affected process.

Type confusion arises when a program accesses an object through a pointer or reference of a type it does not actually have, for example by downcasting on the basis of a type tag that is untrusted, stale, or out of sync with the real allocation. Fields of the assumed type then map onto memory that belongs to something else, or lie past the end of the real object, which yields out-of-bounds reads and writes, arbitrary memory read/write primitives and ultimately code execution.

To exploit this vulnerability, an attacker creates a malicious HTML page whose WebGL content triggers the type confusion inside ANGLE and lures a user into opening it with a vulnerable version of Google Chrome. No further interaction is required once the page has loaded.

Code Snippet

The following simplified snippet is not taken from ANGLE's source; it illustrates the downcast pattern that produces a type-confusion bug:

// Object, ObjectType, Triangle, Texture, drawTriangle and drawTexture are
// assumed to be declared elsewhere; the cast is decided by the 'type' tag.
void Renderer::renderObjects(Object* objects, int count) {
  for (int i = 0; i < count; i++) {
    if (objects[i].type == ObjectType::TRIANGLE) {
      // Trusts the tag: if objects[i] is not really a Triangle, drawTriangle
      // reads and writes Triangle fields the real object does not have.
      Triangle* triangle = (Triangle*)&objects[i];
      drawTriangle(triangle);
    } else if (objects[i].type == ObjectType::TEXTURE) {
      Texture* texture = (Texture*)&objects[i];
      drawTexture(texture);
    }
  }
}

In the code above, renderObjects walks an array of objects and chooses a cast purely from each object's type tag. The cast itself does not check that the memory really holds a Triangle or a Texture. If the tag can be influenced by input, or can drift out of sync with the actual allocation (for instance after an object is freed and its slot reused), drawTriangle operates on fields that do not exist in the real object, and its reads and writes land on neighbouring heap memory. That is the heap corruption this class of bug produces; the fix is to derive the type from an authoritative source and to refuse the operation when tag and allocation disagree.
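As an added example (not ANGLE's code and not part of the original advisory), the following C++ program puts the tag-trusting downcast from the snippet beside a hardened form and makes the resulting heap corruption observable. Objects live in a small simulated heap so the overflow stays in memory the program owns; Header, Point, Triangle, Arena and the set_vertices_* functions are hypothetical names chosen for the example. The vulnerable path trusts the type tag alone, so a 16-byte Point whose tag has been forged to TRIANGLE receives a 36-byte vertex write and the neighbouring object's length field is overwritten with a float's bit pattern; the hardened path checks the tag against the allocation's recorded size and refuses the mismatch.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical object model (not ANGLE's): every object begins with a Header
// whose 'type' tag is consulted by rendering code and whose 'alloc_size'
// records what the allocator actually reserved for the object.
enum class ObjectType : uint32_t { POINT = 1, TRIANGLE = 2 };

struct Header {
    ObjectType type;
    uint32_t alloc_size;
};
struct Point    { Header h; float x, y; };   // 16 bytes
struct Triangle { Header h; float v[9]; };   // 44 bytes

// A small simulated heap: one object at offset 0 and a second ("victim")
// object placed directly after it. The victim's first field after its header
// is a 'length' that other code would use for bounds checks.
struct Arena {
    std::array<unsigned char, 64> mem{};
    std::size_t victim_off = 0;

    uint32_t victim_length() const {
        uint32_t len;
        std::memcpy(&len, &mem[victim_off + sizeof(Header)], sizeof len);
        return len;
    }
};

// Lays out the first object with the given tag and allocation size, then the victim.
Arena make_arena(ObjectType first_tag, uint32_t first_alloc_size) {
    Arena a;
    Header first{first_tag, first_alloc_size};
    std::memcpy(&a.mem[0], &first, sizeof first);

    a.victim_off = first_alloc_size;
    Header victim{ObjectType::POINT, sizeof(Point)};
    std::memcpy(&a.mem[a.victim_off], &victim, sizeof victim);
    uint32_t len = 4;  // constructed value; any change to it means corruption
    std::memcpy(&a.mem[a.victim_off + sizeof(Header)], &len, sizeof len);
    return a;
}

// Vertex data the "draw triangle" step stores into the object (constructed).
constexpr float kVerts[9] = {1, 2, 3, 4, 5, 6, 7, 8, 9};

// Vulnerable: the downcast is decided by the tag alone. If the tag says
// TRIANGLE but the allocation is a 16-byte Point, the 36-byte vertex write
// runs 28 bytes past the object into whatever follows it on the heap.
// (Real code would reinterpret_cast<Triangle*>; memcpy at the same offsets
// reproduces the write pattern without undefined behaviour.)
bool set_vertices_vulnerable(Arena& a, std::size_t off) {
    Header h;
    std::memcpy(&h, &a.mem[off], sizeof h);
    if (h.type != ObjectType::TRIANGLE) return false;
    std::memcpy(&a.mem[off + offsetof(Triangle, v)], kVerts, sizeof kVerts);
    return true;
}

// Hardened: the tag is only a hint; the write is allowed only when the
// allocation is really large enough to hold a Triangle and lies inside the
// arena. A stale or forged tag is rejected instead of becoming an
// out-of-bounds write.
bool set_vertices_hardened(Arena& a, std::size_t off) {
    Header h;
    std::memcpy(&h, &a.mem[off], sizeof h);
    if (h.type != ObjectType::TRIANGLE) return false;
    if (h.alloc_size < sizeof(Triangle)) return false;   // tag/allocation mismatch
    if (off + h.alloc_size > a.mem.size()) return false;
    std::memcpy(&a.mem[off + offsetof(Triangle, v)], kVerts, sizeof kVerts);
    return true;
}

// Victim's length after the first object (a Point with a forged TRIANGLE tag)
// is processed by each path.
uint32_t corrupted_length_vulnerable() {
    Arena a = make_arena(ObjectType::TRIANGLE, sizeof(Point));
    set_vertices_vulnerable(a, 0);
    return a.victim_length();   // kVerts[4] == 5.0f reinterpreted: 0x40A00000
}
uint32_t corrupted_length_hardened() {
    Arena a = make_arena(ObjectType::TRIANGLE, sizeof(Point));
    set_vertices_hardened(a, 0);
    return a.victim_length();   // untouched: 4
}
// A genuine Triangle allocation still passes the hardened check.
bool legit_triangle_ok() {
    Arena a = make_arena(ObjectType::TRIANGLE, sizeof(Triangle));
    return set_vertices_hardened(a, 0) && a.victim_length() == 4;
}

int main() {
    std::printf("vulnerable: victim length = 0x%08x\n", corrupted_length_vulnerable());
    std::printf("hardened:   victim length = %u\n", corrupted_length_hardened());
    std::printf("legit triangle accepted: %s\n", legit_triangle_ok() ? "yes" : "no");
    return 0;
}
```

The hardened check is the general shape of a fix for this bug class: the type used for a cast must come from something the attacker cannot change (allocator metadata, the object's own vtable, a std::variant index), and a disagreement between tag and allocation is treated as an error rather than a fast path.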

References

For more information on this vulnerability, including the official announcement and patches, you may refer to the following resources:

1. Chromium Bug Tracker: https://bugs.chromium.org/p/chromium/issues/detail?id=2012145
2. Google Chrome Release Notes: https://chromereleases.googleblog.com/2023/01/stable-channel-update-for-desktop_789.html
3. ANGLE Project Repository: https://github.com/google/angle

Mitigation and Remediation

To mitigate this vulnerability, users and system administrators should update Google Chrome to version 124.0.6367.78 or later, which contains the patch for the type confusion in ANGLE. Chrome normally updates itself, but the new version only takes effect after the browser is relaunched; open chrome://settings/help to confirm the installed version and to trigger a pending update.

Developers who embed ANGLE directly in their own applications should rebuild against a version of ANGLE's source that includes the fix, since any application that exposes ANGLE to untrusted GL content carries the same risk.

Conclusion

CVE-2024-4058 is a critical type confusion vulnerability in the ANGLE library that affects Google Chrome before 124.0.6367.78. Users should update their browsers without delay, and developers who ship ANGLE should move to a fixed version of the library to remove this heap corruption risk.

Timeline

Published on: 05/01/2024 13:15:52 UTC
Last modified on: 06/07/2024 15:40:49 UTC