Google has released updates to address six vulnerabilities in its Chrome browser. One of the six (CVE-2023-2136) is being exploited in the wild; Google states in its advisory that “an exploit for CVE-2023-2136 exists in the wild.”
CVE-2023-2136 is the second zero-day vulnerability in the Chrome browser addressed by Google; the other, CVE-2023-2033, was patched last week.
CISA has added CVE-2023-2136 to its Known Exploited Vulnerabilities (KEV) Catalog and requested users to patch the vulnerability before May 12th, 2023.
The vulnerabilities addressed by Google in the security update are mentioned below:
- CVE-2023-2133: An out-of-bounds memory access vulnerability that affects the Service Worker API. A service worker acts as a proxy between a web application, the browser, and the network (when available).
- CVE-2023-2134: An out-of-bounds memory access vulnerability that affects the Service Worker API.
- CVE-2023-2135: A use-after-free vulnerability that affects Chrome DevTools. Chrome DevTools is a set of web developer tools built directly into the Google Chrome browser; it lets developers edit pages on the fly and diagnose problems quickly.
- CVE-2023-2137: A heap buffer overflow vulnerability that affects SQLite, a C-language library that implements a small, fast, self-contained, highly reliable, full-featured SQL database engine. SQLite is the most widely used database engine in the world.
CVE-2023-2136: Integer Overflow Vulnerability in Skia
Skia is an open-source 2D graphics library. It provides common APIs that work across various hardware and software platforms.
According to NIST’s National Vulnerability Database (NVD), “The vulnerability allows a remote attacker who had compromised the renderer process to perform a sandbox escape with the help of a crafted HTML page.” An integer overflow vulnerability arises when an arithmetic operation attempts to store in an integer variable a value larger than the maximum that variable can represent; the stored result wraps to an unexpectedly small value, which later code then trusts.
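As an added illustration (this is constructed code, not Skia's code and not the CVE-2023-2136 bug itself), the C snippet below shows how this vulnerability class typically appears in a 2D graphics library: a pixel-buffer size computed as width × height × bytes-per-pixel in 32-bit arithmetic that silently wraps, beside an overflow-checked form that rejects the oversized image instead of returning a too-small size. The function names and dimensions are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example of a pixel-buffer size calculation. Not Skia's code. */

/* Unchecked: all operands are uint32_t, so the product is computed in 32-bit
 * unsigned arithmetic and wraps. A 65536 x 65536 x 4 image yields 0 bytes,
 * so a buffer allocated from this size would be far too small for the pixel
 * data later written into it. */
uint32_t buffer_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked: each multiplication is validated against UINT32_MAX before it is
 * performed (portable division check, no compiler builtins needed).
 * Returns false and sets *out to 0 when the true size cannot be represented,
 * so callers cannot allocate from a wrapped value. */
bool buffer_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         uint32_t *out)
{
    uint32_t pixels;

    *out = 0;
    if (height != 0 && width > UINT32_MAX / height)
        return false;                 /* width * height would overflow */
    pixels = width * height;
    if (bpp != 0 && pixels > UINT32_MAX / bpp)
        return false;                 /* pixels * bpp would overflow */
    *out = pixels * bpp;
    return true;
}

int main(void)
{
    uint32_t size;

    printf("unchecked 65536x65536x4 -> %u bytes\n",
           buffer_size_unchecked(65536u, 65536u, 4u));
    if (!buffer_size_checked(65536u, 65536u, 4u, &size))
        printf("checked   65536x65536x4 -> rejected (would overflow)\n");
    if (buffer_size_checked(100u, 100u, 4u, &size))
        printf("checked   100x100x4     -> %u bytes\n", size);
    return 0;
}
```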
Affected versions
Google Chrome versions before 112.0.5615.137 are affected by this vulnerability.
Mitigation
Customers are requested to upgrade to the latest stable channel version: 112.0.5615.137/138 for Windows, 112.0.5615.137 for Mac, and 112.0.5615.165 for Linux. For more information, please refer to the Google Chrome security page.
Microsoft has released the latest Microsoft Edge Stable Channel (Version 112.0.1722.58), which incorporates the latest Security Updates of the Chromium project.
Qualys Detection
Qualys customers can scan their devices with QIDs 378426, 378435, and 378442 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-2136
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#april-19-2023