On August 19, Microsoft released technical details about a critical ChromeOS vulnerability that could be used for denial-of-service (DoS) attacks or remote code execution.
CVE-2022-2587 (CVSS score 9.8) is described as an out-of-bounds write and has been fixed. The issue was found in the CRAS (ChromiumOS Audio Server) component and could be triggered by malformed metadata attached to songs.
CRAS sits between the operating system and ALSA (Advanced Linux Sound Architecture) to route sound to connected peripherals.
According to the researchers, the server contained a function that did not validate the user-supplied “identity” argument, resulting in a heap-based buffer overflow. This could allow an attacker to execute code remotely. The vulnerable component contains a method that extracts an “identity” from the metadata representing the song title, so an attacker could trigger the bug simply by modifying the audio metadata.
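A minimal C illustration of the defect class described above, added for this article and not CRAS's actual code: the `identity` buffer, its size, and both functions are hypothetical. It shows an unchecked copy of a caller-supplied title into a fixed-size heap buffer beside a version that validates the length first and rejects input that does not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a metadata "identity" field: a fixed-size heap
 * buffer that receives the song title from untrusted input. */
#define IDENTITY_MAX 64

struct stream_info {
    char *identity;   /* heap buffer of exactly IDENTITY_MAX bytes */
};

struct stream_info *stream_info_new(void)
{
    struct stream_info *s = calloc(1, sizeof(*s));
    if (s == NULL) return NULL;
    s->identity = calloc(IDENTITY_MAX, 1);
    if (s->identity == NULL) { free(s); return NULL; }
    return s;
}

void stream_info_free(struct stream_info *s)
{
    if (s == NULL) return;
    free(s->identity);
    free(s);
}

/* Vulnerable pattern: the title is copied without checking its length
 * against the buffer, so a title of IDENTITY_MAX bytes or more writes
 * past the heap allocation (a heap-based buffer overflow). */
void set_identity_unchecked(struct stream_info *s, const char *title)
{
    strcpy(s->identity, title);   /* no bound on the copy */
}

/* Hardened form: measure the title with a bounded scan, reject anything
 * that leaves no room for the terminating NUL, and only then copy. On
 * rejection the previous identity is left untouched. */
int set_identity_checked(struct stream_info *s, const char *title)
{
    size_t len = 0;
    if (s == NULL || title == NULL) return -1;
    while (len < IDENTITY_MAX && title[len] != '\0') len++;
    if (len == IDENTITY_MAX) return -1;   /* too long: would overflow */
    memcpy(s->identity, title, len);
    s->identity[len] = '\0';
    return 0;
}
```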
According to Microsoft, the problem can be exploited either from a browser or via Bluetooth. In both cases, the vulnerable function is called when the metadata changes, such as when a new song is played, either in the browser or via a paired Bluetooth device.
According to Microsoft's report, CVE-2022-2587 can be used for a DoS attack or, potentially, remote code execution. Because manipulating media metadata lets an attacker allocate and free heap chunks, reaching arbitrary code execution would require chaining the bug with other vulnerabilities.
Google fixed the vulnerability in June. Microsoft also found no evidence of the flaw being exploited in the wild.