April Vuln of the Month: CVE-2022-1096
For April’s Exploit Wednesday, we’ve got a unique Vuln of the Month for you. It is our first “Pre-NVD” vulnerability, meaning we know it exists (and in this case a patch is available) but it has not been added to the official MITRE or NVD database. We often talk with our customers about pre-NVD vulnerabilities in the range of hours (as in, sometimes it takes hours for a CVE to be published in the NVD). So the fact that Google announced this CVE on March 25 and Microsoft published an advisory a day later, and it’s still not in the NVD, makes this one of the oddest CVEs we have come across. At 19 days and counting, we are still not sure what is going on.
But there’s one thing we are sure of: You should definitely address it.
CVE-2022-1096 (the CVE ID was reserved by Chrome on March 25) is a type confusion vulnerability in Chrome that can allow bad actors to remotely trick Chrome into running malicious code. It potentially impacts 2 billion users, and Google has assigned it a “high” rating.
Wait…what? It’s an exploited vulnerability that could leave billions of users at risk, and despite the vulnerability being reported on March 23 and made public on March 25, there’s nothing in the NVD on it? We’re not sure why, but we can tell you the implications aren’t good. It means an official CVSS score hasn’t been assigned to CVE-2022-1096. This leaves many scanner prioritization engines (those that essentially repackage CVSS scores) ill-equipped to advise security teams about whether they should patch it.
But we’re happy to advise you: You should definitely address it.
Our research shows that CVE-2022-1096 meets many of the criteria we look for in a vulnerability that could be exploited, including:
- Access complexity: Low
- Potential attack surface: Massive
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: High
- Exploit code published: No
- Active exploits observed: Yes
The lack of an official CVSS score means we have to rely on another source of data. In this case, we use data from XForce to fill in the missing data so we can come up with an early Kenna Risk Score. The current Kenna Risk Score for CVE-2022-1096 is 97. Just 0.2% of all the vulnerabilities we’ve scored represent a risk this high. (Once it does receive a CVSS score from NVD, the Kenna Risk Score may well be different.)
Why CVE-2022-1096 matters
Threat actors are already exploiting this vulnerability, which affects not only Microsoft Edge but also other Chromium-based browsers, including Amazon Silk, Brave, Opera, Samsung Internet, Vivaldi, and Yandex. These attackers can exploit this vulnerability to remotely trigger confusion over whether the data being sent is valid or not, and if successful they can run arbitrary or malicious code. The vulnerability rests in the V8 JavaScript and WebAssembly engine within Chrome, and while V8 attacks aren’t all that common, they can be plenty serious.
What you don’t know can absolutely hurt you
Research shows the most informed security organizations do a better job protecting themselves against threats. A recent report issued by Kenna Security, now part of Cisco, and the Cyentia Institute reveals that prioritizing vulnerabilities with exploit code is 11 times more effective than CVSS scores in minimizing exploitability. When you have more critical information to work from, and when you have the tools necessary to analyze that data and turn it into actionable insight, you become less exploitable—less vulnerable. And the very first step is to understand the risk a specific vulnerability poses to your infrastructure and your business.
Google’s policy is to hold off on providing information on bugs and vulnerabilities until most of its installed base has installed the patch. The aim, we believe, is to prevent zero-days from taking users by storm before they’ve had a chance to update their browsers and other Chromium-based software. But now more than ever, it’s painfully clear that protecting yourself is increasingly futile if you’re waiting around for CVSS scores to set your patch priorities. As of today, it’s been three weeks since an anonymous user alerted Google to this vulnerability, and 19 days since Chrome reported this vulnerability and reserved CVE-2022-1096 as its ID. So here we are, nearly three weeks after news of this exceptionally high-risk vuln became public, and millions of users who look to CVSS for guidance are still waiting.
Bottom line
CVE-2022-1096 can potentially impact a broad array of targets and devices, and successful attacks can lead to remote code execution that in some cases could do some real damage. The attack surface is massive, and exploits have already been observed. Whether you rely on CVSS or not, you should fix this one ASAP.
Mitigation status
On March 25, Google issued an emergency update aimed at patching CVE-2022-1096 in its Chrome desktop software. According to reports, official patches for Windows, Mac, and Linux are forthcoming.
Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.