December Vuln of the Month: CVE-2021-38003

Dec 15, 2021
Jerry Gamblin
Director of Security Research at Kenna Security


The final Vuln of the Month blog for 2021 features another Chromium vulnerability (that means Google Chrome and Microsoft Edge for most, though certainly not all, users). It’s the third Chromium vuln we’ve featured so far in our series. It’s actively being exploited and should be addressed ASAP. 

CVE-2021-38003 involves an inappropriate implementation in Chromium’s V8 JavaScript engine. A crafted HTML page can trigger heap corruption, which an attacker can then leverage to leak sensitive information or achieve remote code execution (RCE). Our research shows that CVE-2021-38003 meets many of the criteria we look for in a vulnerability likely to be exploited, including:

  • Access complexity: Low 
  • Potential attack surface: Massive 
  • Exploitable remotely: Yes 
  • Authentication/privilege requirements: None 
  • Potential impact on availability: Significant 
  • Exploit code published: No 
  • Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-38003 is 86. Kenna’s sophisticated, data science-driven scoring system incorporates a comprehensive array of intel and analysis to provide the context needed to assess the relative risk a vulnerability poses to a specific enterprise. Using that analysis, of the more than 156,000 CVEs scored by Kenna, just 0.5% have earned a higher risk score than CVE-2021-38003. This underscores its potential severity. In contrast, CVSS 3.1 gives this CVE an 8.8 or “High” score, while organizations still relying on CVSS 2.0 will find this vulnerability earns only a “Medium” score of 6.8. Since it is clear from Kenna’s analysis that CVE-2021-38003 is a critical vuln, these lower CVSS scores can mislead security teams into underestimating how serious it is. (Still using CVSS? We recommend immediately looking into switching out simple vulnerability scores for true risk scores.) 

Why CVE-2021-38003 matters 

CVE-2021-38003 is a potential problem for anyone using Chromium-based browsers, which includes the two most popular browsers on the planet: Google Chrome and Microsoft Edge. Also potentially impacted are Amazon Silk and Samsung Internet, along with many other browsers and apps. If users of this software interact with the wrong HTML page, data loss and the execution of malicious code could result.  

With its massive attack surface and active exploits underway, this vuln is worth the attention of any enterprise whose users rely on Chromium-based browsers or software. Exploits have been observed, so this is a proven threat. 

Bottom line 

A vast attack surface, proven exploits, the potential for remote exploitation, and a requirement for users to participate in mitigation make this vulnerability a priority. Time to jump on it! 

Mitigation status 

On Oct. 28, Google released a new version of Chrome for Windows, Mac and Linux that incorporated nine security fixes, including a fix for CVE-2021-38003. Users of Google Chrome and other Chromium-based browsers, including Microsoft Edge, should update their browser software immediately. And administrators should consider activating automatic updates for enterprise users to prevent falling behind the curve when updates are required for serious vulnerabilities. That can help reduce the time-consuming fire drills that inevitably result from the emergence of high-profile vulns and exploits. 
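As an added example (not code from the original post or from Kenna), a small Python triage helper that flags inventory records whose Chromium-based browser is still below the fix release. The post gives only the fix date, not build numbers, so the thresholds in MIN_FIXED are labelled placeholders and the inventory records are constructed.

```python
"""Flag Chromium-based browser installs that predate a fix release.

Added example: inventory records are constructed and the fix thresholds are
placeholders (the post names the Oct. 28 release but not its build numbers).
"""
from typing import List, Optional, Tuple

# PLACEHOLDER thresholds: substitute the vendor's real fixed build numbers.
MIN_FIXED = {
    "chrome": "95.0.9999.0",  # PLACEHOLDER, not a real Chrome version
    "edge": "95.0.9999.0",    # PLACEHOLDER, not a real Edge version
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '95.0.4638.69' into (95, 0, 4638, 69); missing fields become 0.

    Comparing tuples of ints avoids the string trap where '100.0' < '95.0'.
    """
    parts = [int(p) for p in v.strip().split(".") if p]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the install is below the fix floor, None for unknown products."""
    floor = MIN_FIXED.get(product.lower())
    if floor is None:
        return None  # not a product we track: cannot judge, do not guess
    return parse_version(version) < parse_version(floor)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return sorted hostnames whose browser predates the fix release."""
    return sorted(host for host, prod, ver in inventory if is_vulnerable(prod, ver))


# Constructed sample inventory: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "94.0.4606.81"),    # below floor: flag
    ("ws-02", "chrome", "96.0.4664.45"),    # above floor
    ("ws-03", "edge", "95.0.1020.30"),      # below floor: flag
    ("ws-04", "edge", "100.0.1185.29"),     # above floor (string compare would get this wrong)
    ("ws-05", "Chrome", "95.0.9999.0"),     # exactly the floor: already fixed
]

if __name__ == "__main__":
    print("Needs update:", triage(SAMPLE_INVENTORY))
```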

Don’t forget about this zero-day 

We recently alerted administrators and security team members to a zero-day published Dec. 10. CVE-2021-44228 was discovered in Apache Log4j—a common Java logging library—and appears to already be under active exploitation. 

In a nutshell, CVE-2021-44228 gives attackers an avenue for remote code execution, resulting in complete control of the affected server. Anyone using Apache Struts can be impacted, so the attack surface is unfortunately fairly large. We’ll take a closer look at this one in the future, but for now, just know it has earned a Kenna Risk Score of 93, so CVE-2021-44228 should also be at the top of your fix list. 

Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.  



© 2022 Kenna Security. All Rights Reserved. Privacy Policy.