Executive Summary
CVE-2022-2294 is a high-severity heap buffer overflow vulnerability in WebRTC, affecting Google Chrome versions prior to 103.0.5060.114. This vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. The vulnerability has been actively exploited in the wild, making it critical for affected users to apply necessary updates. The sectors and countries targeted by APT groups exploiting this vulnerability include technology firms and governmental institutions across North America and Europe.
Technical Information
CVE-2022-2294 is identified as a heap buffer overflow vulnerability in WebRTC within Google Chrome versions prior to 103.0.5060.114. The vulnerability is assigned a CVSS v3.1 Base Score of 8.8, indicating a high severity level. The vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which means it can be exploited remotely without authentication and requires user interaction.
The root cause of this vulnerability lies in the improper handling of memory buffers within the WebRTC component. Specifically, the vulnerability is categorized under CWE-787 (Out-of-bounds Write), which occurs when the software writes data past the end, or before the beginning, of the intended buffer. This can lead to heap corruption, allowing an attacker to execute arbitrary code or cause a denial of service.
The vulnerability was discovered by Google Project Zero and has been actively exploited in the wild. Attackers can exploit this vulnerability by crafting a malicious HTML page that, when loaded by the victim's browser, triggers the heap buffer overflow. This can lead to heap corruption and potentially allow the attacker to execute arbitrary code on the victim's machine.
Exploitation in the Wild
CVE-2022-2294 has been actively exploited in the wild. According to Google Project Zero, the vulnerability was used in targeted attacks. The exploitation involves a crafted HTML page that triggers the heap buffer overflow, leading to potential heap corruption. Indicators of Compromise (IOCs) include unusual network traffic to and from web browsers, unexpected crashes or behavior in web browsers, and the presence of crafted HTML pages designed to exploit the vulnerability.
APT Groups using this vulnerability
While specific APT groups exploiting this vulnerability have not been publicly disclosed, the nature of the vulnerability suggests it could be leveraged by groups with a focus on espionage and targeted attacks. These groups often target technology firms and governmental institutions across North America and Europe.
Affected Product Versions
The following product versions are affected by CVE-2022-2294:
- Google Chrome versions up to (excluding) 103.0.5060.114
- WebRTC Project
- Apple iOS versions up to (excluding) 15.6
- Apple macOS versions up to (excluding) 10.15.7
- Fedora Project (various versions)
Workaround and Mitigation
To mitigate the risk posed by CVE-2022-2294, users and administrators should take the following steps:
- Update Google Chrome: Users should update to version 103.0.5060.114 or later.
- Apply Vendor Patches: Follow the vendor advisories and apply patches as recommended.
- Monitor for Indicators of Compromise (IOCs): Keep an eye on network traffic and system logs for any signs of exploitation.
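The following Python check is an added example, not part of the original advisory or any vendor tooling: it compares inventory rows against the fixed versions listed above using numeric comparison, since a plain string compare would rank 103.0.5060.53 above 103.0.5060.114. The inventory format, hostnames and function names are assumptions made for the illustration.

```python
import re

# Fixed-version thresholds as stated on this page ("up to (excluding)").
FIXED = {
    "Google Chrome": "103.0.5060.114",
    "Apple iOS": "15.6",
    "Apple macOS": "10.15.7",
}

def parse_version(text):
    """Turn '103.0.5060.53' into (103, 0, 5060, 53); return None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_affected(product, version):
    """True = below the fixed version, False = patched, None = cannot decide."""
    fixed = FIXED.get(product)
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return None
    fixed_t = parse_version(fixed)
    # Pad to equal length so '15.6' and '15.6.0' compare as equal.
    width = max(len(parsed), len(fixed_t))
    parsed += (0,) * (width - len(parsed))
    fixed_t += (0,) * (width - len(fixed_t))
    return parsed < fixed_t

def audit(inventory):
    """Split (host, product, version) rows into affected hosts and hosts needing manual review."""
    affected, review = [], []
    for host, product, version in inventory:
        verdict = is_affected(product, version)
        if verdict is None:
            review.append(host)
        elif verdict:
            affected.append(host)
    return affected, review

# Constructed sample inventory (hostnames and rows are made up for illustration).
SAMPLE = [
    ("ws-01", "Google Chrome", "103.0.5060.53"),   # a string compare would call this "newer"
    ("ws-02", "Google Chrome", "103.0.5060.114"),  # exactly the fixed build: not affected
    ("ws-03", "Google Chrome", "104.0.5112.79"),
    ("ph-01", "Apple iOS", "15.5"),
    ("ph-02", "Apple iOS", "15.6.0"),
    ("ws-04", "Google Chrome", "unknown"),         # unparseable: goes to manual review
]
```

Products listed on this page without a fixed version (WebRTC Project, Fedora Project) return None from is_affected and land in the manual-review list rather than being silently treated as patched.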
References
For further information and updates, refer to the following resources:
- NVD - CVE-2022-2294 (https://nvd.nist.gov/vuln/detail/CVE-2022-2294)
- Google Project Zero Analysis (https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-2294.html)
- Chrome Release Notes (https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html)
- OpenWall Mailing List (http://www.openwall.com/lists/oss-security/2022/07/28/2)
- Gentoo Security Advisory (https://security.gentoo.org/glsa/202208-35)
- CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Rescana is here for you
At Rescana, we understand the critical importance of staying ahead of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps customers identify, assess, and mitigate vulnerabilities like CVE-2022-2294. We are committed to providing you with the tools and insights needed to protect your organization from emerging threats. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.