Kenna Security is now part of Cisco

|Learn more
Contact Us
Talk to an Expert
Request a demo

August Vuln of the Month: CVE-2021-30551

Aug 11, 2021
Jerry Gamblin
Director of Security Research at Kenna Security

Share with Your Network

Our latest Vuln of the Month blog features a Google Chrome vulnerability that’s worth your attention, and not only because it has already attracted the attention of attackers.

August’s Vuln of the Month is CVE-2021-30551, a zero-day Type Confusion vulnerability in V8, the component in Google’s Chrome web browser responsible for processing JavaScript code. Our research shows that CVE-2021-30551 meets many of the criteria we look for to be widely exploited, including:

  • Access complexity: Low
  • Potential attack surface: Massive
  • Exploitable remotely: Yes
  • Authentication/privilege requirements: None
  • Potential impact on availability: Total
  • Exploit code published: Yes
  • Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-30551 is 77. Just 1.55% of the more than 156,000 CVEs scored by Kenna have earned a higher risk score. (CVSS 3.1 gives this vuln a score of 8.8.)
The Kenna Risk Score for CVE-2021-30551 is 77. Just 1.55% of the more than 156,000 CVEs scored by Kenna have earned a higher risk score. (CVSS 3.1 gives this vuln a score of 8.8.)

Why CVE-2021-30551 matters

Well, where do we begin? Let’s start with the gargantuan attack surface: CVE-2021-30551 is a vulnerability within Google Chrome, the world’s most popular browser, with 2.65 billion users.

Then consider the nature of the vulnerability itself: It’s a Type Confusion vuln, which can lead to Chrome’s V8 component being tricked into treating unauthorized input as a type it usually recognizes. And that leads to logical memory errors which can open the door for attackers.

Now consider exploiting this vuln requires no special privileges, and it allows a remote attacker to, if successful, cause heap corruption in V8 via a crafted HTML page which would allow them to execute arbitrary code and gain full control of the system. Now add the challenge of remediation: Google Chrome is client software, so it’s incumbent on those 2.65 billion users to download the update that patches this vulnerability. 

And if all this wasn’t enough to get your attention: CVE-2021-30551 has been exploited in the wild

Bottom line

A massive attack surface, easy access to the vuln within Google Chrome V8, the potential for an attacker to take full control over a system, exploits in the wild, and a remediation team numbering in the billions all add up to making CVE-2021-30551 a priority fix.

Mitigation status

On June 9, Google announced it would roll out stable version 91.0.4472.101 for Windows, Mac, and Linux over the following weeks. As an added plus, this new version addresses 13 other identified CVEs, 11 of which Google identifies as either critical or high priority fixes. We recommend taking steps to have all Google Chrome users in your environment force a browser update if theirs hasn’t already been updated to the new version.

 Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning. 

Share with Your Network

Read the Latest Content

Trending Vulns

March Vuln of the Month: CVE-2021-24094

Kenna is closely tracking CVE-2021-24094, a Remote Code Execution vuln in the default TCP/IP stack on all supported Microsoft OS.
READ MORE
Trending Vulns

July Vuln of the Month: CVE-2021-34527

Our research shows CVE-2021-34527, a vuln dubbed PrintNightmare meets many of the criteria we look for to be widely exploited.
READ MORE
Trending Vulns

April Vuln of the Month: CVE-2021-21972

CVE-2021-21972 addresses a remote code execution vuln in a plugin of the vSphere HTML5 Client, and at this time has Kenna Risk Score of 92.
READ MORE
Sign up to get the latest updates
FacebookLinkedInTwitterYouTube

© 2021 Kenna Security. All Rights Reserved. Privacy Policy.