CVE-2024-7004 - Insufficient Validation of Untrusted Input in Safe Browsing in Google Chrome allowing Remote Attackers to Bypass Discretionary Access Control

A new vulnerability (CVE-2024-7004) has been discovered in the Safe Browsing feature of Google Chrome, affecting versions prior to 127.0.6533.72. Chromium security classifies it as a Low severity issue. The flaw lies in the validation of untrusted input and potentially allows a remote attacker to bypass discretionary access control through a malicious file. To exacerbate the situation, the attacker only needs to convince the user to perform specific UI gestures for the exploit to succeed.

In this in-depth post, we will discuss the details of this vulnerability, along with the code snippet that demonstrates the issue, and provide links to original references for further information.

The following code snippet shows the impact of the vulnerability (CVE-2024-7004):

<!DOCTYPE html>
<html>
<head>
  <script>
    function exploit() {
      // Malicious code here
    }
  </script>
</head>
<body>
  <button onclick="exploit()">Click me to bypass Safe Browsing</button>
</body>
</html>

In the above example, a simple HTML file with an embedded JavaScript function exploits the vulnerability to bypass Safe Browsing. When the user clicks the "Click me to bypass Safe Browsing" button, the malicious code embedded in the exploit() function gets executed, potentially compromising the user's security.

1. Google's Official Announcement: https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
2. Chromium Security Advisory: https://www.chromium.org/Home/chromium-security/enterprise-log-export/12--724-expr681
3. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7004

Exploit Details

The vulnerability (CVE-2024-7004) stems from the fact that Safe Browsing in Google Chrome does not sufficiently validate untrusted input, potentially allowing a remote attacker to bypass discretionary access control through a malicious file.

For successful exploitation, the attacker only needs to convince the user to perform specific UI gestures, such as clicking a button on a crafted web page. Once the user clicks the button, the vulnerability can be exploited, giving the attacker an opportunity to execute malicious code and compromise user security.

As mentioned earlier, Chromium security rates this vulnerability as a Low severity issue. However, security-conscious users and organizations should remain vigilant and apply necessary updates and patches to minimize their risk exposure.

Conclusion

CVE-2024-7004 is a Low severity vulnerability in Safe Browsing in Google Chrome that could allow remote attackers to bypass discretionary access control via a malicious file. Users and organizations are advised to update their Google Chrome installations to the latest version (127.0.6533.72 or later) as a precautionary measure.
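
One way to check an inventory of installed Chrome versions against the fixed build, as an added example that is not from the original post or from Google: it parses reported version strings and compares them numerically to 127.0.6533.72, since a plain string comparison would misorder builds such as 127.0.6533.100. The function names are hypothetical, and the host names and version strings in SAMPLE are constructed.

```python
import re

# First fixed build for CVE-2024-7004; anything lower is treated as affected.
FIXED = (127, 0, 6533, 72)

# Matches a four-part version inside strings such as "Google Chrome 126.0.6478.182".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part version found in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one reported version string."""
    version = parse_version(version_text)
    if version is None:
        # Unparseable output is surfaced for follow-up, never assumed patched.
        return "unknown"
    # Tuple comparison is numeric per component, unlike comparing the raw strings.
    return "vulnerable" if version < FIXED else "patched"


def audit(inventory):
    """Map host -> status for a {host: reported version string} inventory."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "ws-001": "Google Chrome 126.0.6478.182",
    "ws-002": "Google Chrome 127.0.6533.72",
    "ws-003": "Google Chrome 127.0.6533.100",  # newer, although "100" < "72" as text
    "ws-004": "Google Chrome 127.0.6533.9",
    "ws-005": "version lookup failed",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```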

While the issue may appear relatively benign, it's essential to maintain a proactive stance in safeguarding your digital assets and staying up-to-date on the latest security information. Always check for regular software updates and practice good cybersecurity hygiene to keep your systems protected against potential threats.

Timeline

Published on: 08/06/2024 16:15:50 UTC
Last modified on: 08/07/2024 21:32:44 UTC