Zero-Day Vulnerability in WebRTC

In order to fix a zero-day vulnerability, Google has published updated versions of its Chrome browser for Windows and Android. Versions 103.0.5060.114 for Windows and 103.0.5060.71 for Android both have fixes for the vulnerability.

CVE-2022-2294 is a high-severity heap buffer overflow flaw. A heap buffer overflow happens when data is written to a fixed-length memory buffer that is unable to accommodate it. If exploited, this kind of vulnerability can have a variety of effects, such as denial of service or, in certain situations, arbitrary code execution.

This release fixes a dangerous zero-day vulnerability that is being used in real cyberattacks. For 2022, this is the fourth zero-day vulnerability. The flaw is tracked as CVE-2022-2294, and Google is aware that exploits for it exist and are being used by cybercriminals. The zero-day is a typical buffer overflow issue that affects the WebRTC (Web Real-Time Communications) component. Jan Vojtesek of the Avast Threat Intelligence team reported the vulnerability on July 1, 2022.

 

WebRTC (Web Real-Time Communications)

WebRTC provides a way to add real-time communication features to applications, built on top of open standards. It lets developers create effective voice and video communication solutions by enabling the exchange of video, speech, and generic data between peers. The technology is supported by modern browsers and by native clients for all major platforms. It is implemented as an open web standard and is available in all of the major browsers as standard JavaScript APIs.

Google states that it is “aware that a CVE-2022-2294 attack exists in the wild. Until a patch has been made available to the vast majority of users, access to bug details and links may remain restricted. If the restriction is in a third-party library that other projects also rely on but haven’t yet rectified, we’ll keep the limits as well.” At this time, all that is known is that the flaw is a high-severity heap-based buffer overflow in the WebRTC (Web Real-Time Communications) component. Due to security concerns, Google won’t reveal the full scope of the problem until the majority of users have updated. Such flaws frequently allow attackers to run arbitrary code or escape the browser’s security sandbox, and interested researchers should keep an eye out for future Google releases.

The issue, designated CVE-2022-2294, pertains to a heap overflow vulnerability in the WebRTC component, which enables real-time audio and video communication in browsers without the need to download or install plugins.

A heap buffer overflow, also known as a heap overrun or heap smashing, results when a write runs past the end of a buffer and overwrites data in the heap area of memory. This can cause arbitrary code execution or a denial-of-service (DoS) condition. Heap-based overflows can be exploited to overwrite function pointers that may be present in memory so that they point to the attacker’s code. When the result is arbitrary code execution, it can frequently be used to compromise any other security service.

 

Remediation Action

Since this zero-day vulnerability is of high severity, users are advised to install the most recent Google Chrome version in order to prevent exploitation. Users are strongly advised to update to version 103.0.5060.114 for Windows, macOS, and Linux, and to version 103.0.5060.71 for Android in order to safeguard themselves from any potential threat. Additionally, users of Microsoft Edge, Opera, Brave, Vivaldi, and other browsers are urged to implement the improvements as soon as they become available.
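
To check a fleet against the fixed builds named above, the following added example (not from Google or the original article) classifies each browser install in an inventory. The `host,browser,platform,version` inventory format, the host names, and the function names are assumptions made for illustration.

```python
# Added example; inventory format, hosts and function names are assumptions.
DESKTOP = (103, 0, 5060, 114)  # fixed build the page gives for Windows, macOS, Linux
FIXED = {"windows": DESKTOP, "macos": DESKTOP, "linux": DESKTOP,
         "android": (103, 0, 5060, 71)}  # fixed Android build per the page

def parse_version(text):
    """Return a 4-part Chrome version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    if browser.lower() != "chrome":
        return "unknown"  # the page gives no fixed builds for other browsers
    fixed = FIXED.get(platform.lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # unlisted platform or unparseable version string
    # Assumption: builds numbered at or above the fixed one carry the fix,
    # lower ones do not; other release channels are not considered.
    return "patched" if parsed >= fixed else "vulnerable"

def audit(inventory_text):
    """Map host -> status for 'host,browser,platform,version' lines."""
    results = {}
    for line in inventory_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if not fields[0] or fields[0].startswith("#"):
            continue  # skip blank lines and comments
        # Rows without exactly four fields cannot be judged.
        results[fields[0]] = classify(*fields[1:]) if len(fields) == 4 else "unknown"
    return results

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = """\
# host,browser,platform,version
ws-01,Chrome,windows,103.0.5060.114
ws-02,Chrome,windows,103.0.5060.66
ph-01,Chrome,android,103.0.5060.71
ph-02,Chrome,android,103.0.5060.70
mac-01,Chrome,macos,103.0.5060.53
lx-01,Edge,linux,103.0.1264.44
lx-02,Chrome,linux,103.0.5060
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check against the vendor's own release notes, since this page lists fixed builds only for Chrome.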