
Threat Bulletin – CVE-2024-2883

Jay Kurup
03 Apr 2024

CVE-2024-2883 is a critical vulnerability found in ANGLE, a component of Google Chrome and Microsoft Edge. The vulnerability is exploitable via crafted HTML pages, allowing remote attackers to exploit heap corruption. The potential impact is high, enabling drive-by attacks leading to system compromise, with reports of active exploitation in the wild confirmed by the Chromium group.

CVE-2024-2883: Details

Description: Use after free (UAF) in ANGLE in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE listing:
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2883
  • https://nvd.nist.gov/vuln/detail/CVE-2024-2883
  • https://vuldb.com/?id.258070

Published: 26-Mar-2024, updated 29-Mar-2024

Severity: Critical

CISA KEV listing: N/A

Vulnerable software:
  • Google Chrome versions prior to 123.0.6312.86
  • Microsoft Edge versions prior to 123.0.2420.65

Potential impact: High. The vulnerability enables an attacker to create a specially crafted HTML page which can be used in drive-by attacks. Loading the webpage can lead to compromising the system.

Exploited in the wild: Yes, reported by the Chromium group as being actively exploited.

Security advisories:
  • https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-2883

Analysis:

ANGLE (Almost Native Graphics Layer Engine) is a Chromium component that allows the execution of WebGL (Web Graphics Library) and OpenGL graphics, enabling the rendering of interactive 2D and 3D graphics within compatible browsers.

Use after free (UAF) is a vulnerability arising from incorrect use of dynamic memory during program operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the dangling pointer to subvert the program (source: Kaspersky).

This vulnerability potentially enables an attacker to create a specially crafted HTML page which can be used in drive-by attacks. Loading the webpage can lead to exploitation of the vulnerability and compromise of the system. Once exploited, the vulnerability potentially allows attackers to access system resources with the user’s privileges.

CVE-2024-2883 is related to multiple Chrome vulnerabilities with similar mechanisms, fixed in the same release:

  • CVE-2024-2885: Use after free in Dawn (Severity: High)
  • CVE-2024-2886: Use after free in WebCodecs (Severity: High)
  • CVE-2024-2887: Type confusion in WebAssembly (Severity: High)


Morphisec Protection Mechanisms

Virtual Patching of the application by Automated Moving Target Defense (AMTD)

Visibility of vulnerable versions of Chrome

How Morphisec prevents the attack

Morphisec’s Automated Moving Target Defense (AMTD) implementation offers virtual patching protection for the vulnerability. Morphisec protects web browsers, and by applying AMTD it neutralizes the vulnerability itself by continually rearranging the attack surface at application load time. This protection is significant because AMTD is signatureless and is resistant to attackers’ changing techniques.

Morphisec’s Adaptive Exposure Management also provides clear visibility of the systems running vulnerable versions of the application to better prioritize the patching strategy.

Morphisec’s ability to protect against unpatched vulnerabilities is especially crucial given the ongoing NIST NVD crisis and lack of enriched CVE data.

Mitigation Recommendations

  • Apply browser updates (Chrome 123.0.6312.86 or later; Edge 123.0.2420.65 or later)
  • Ensure Morphisec protects all devices with Chrome browsers
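The two recommendations above come down to one question per endpoint: is the installed browser still below the fixed build? The script below is an added example, not part of this bulletin or of Morphisec's tooling; it takes the fixed versions stated above and checks a software-inventory export against them. The hostnames and version strings in the sample inventory are constructed. The one detail worth showing is that versions must be compared numerically, component by component: a plain string comparison would rank a much older "99.0.x" build as newer than "123.0.x" and silently miss it.

```python
"""Flag Chrome/Edge installs still below the fixed builds for CVE-2024-2883.

Added illustrative script, not part of the bulletin or Morphisec tooling.
Fixed versions are the ones stated in the bulletin; the inventory is
constructed sample data.
"""
import re

# First patched builds named in the bulletin, keyed by product.
FIXED_VERSIONS = {
    "chrome": "123.0.6312.86",
    "edge": "123.0.2420.65",
}

# Accepts only dotted-numeric strings such as "123.0.6312.86".
_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn '123.0.6312.86' into (123, 0, 6312, 86).

    Tuples of ints compare numerically, component by component, which avoids
    the classic mistake of comparing version strings lexically ("99.0" > "123.0").
    Raises ValueError on anything that is not a dotted-numeric version.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(product, version):
    """True if this product/version is below the fixed build for CVE-2024-2883.

    Products without a fixed version on record are out of scope and return False.
    """
    fixed = FIXED_VERSIONS.get(product.lower())
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def find_unpatched(inventory):
    """Return (host, product, version, reason) for every entry needing attention.

    reason is "vulnerable" for builds below the fix, or "unparseable version"
    when the agent reported something that is not a version at all; such hosts
    should be investigated rather than silently treated as patched.
    """
    findings = []
    for host, product, version in inventory:
        try:
            if is_vulnerable(product, version):
                findings.append((host, product, version, "vulnerable"))
        except ValueError:
            findings.append((host, product, version, "unparseable version"))
    return findings


# Constructed sample inventory: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-0101", "chrome", "122.0.6261.128"),  # below fix -> vulnerable
    ("ws-0102", "chrome", "123.0.6312.86"),   # exactly the fixed build
    ("ws-0103", "chrome", "99.0.4844.84"),    # lexically "newer", numerically older
    ("ws-0104", "edge", "123.0.2420.53"),     # below fix -> vulnerable
    ("ws-0105", "edge", "123.0.2420.65"),     # fixed
    ("ws-0106", "firefox", "124.0.1"),        # not in scope for this CVE
    ("ws-0107", "chrome", "n/a"),             # agent could not read the version
]

if __name__ == "__main__":
    for host, product, version, reason in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} ({reason}) - update for CVE-2024-2883")
```

Feed it the real inventory as a list of (host, product, version) triples from whatever asset source is in use; a three-component version such as "123.0.6312" sorts below the four-component fixed build and is therefore reported, which is the safe direction for a triage list.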

About the author

Jay Kurup

Jay Kurup is Global Sales Engineering Director at Morphisec, where his rich history of experience in cybersecurity informs his perspective. Prior to Jay’s time at Morphisec he spent time with Trend Micro, Verizon, and Check Point among other technology companies. Jay’s writing is focused on helping break down current events and industry trends in cybersecurity to help cyber leaders stay ahead of threats.
