Zero Day Engineering Insights

Google Chrome Skia Vulnerability Analysis (CVE-2023-6345)

November 30th, 2023 - by Alisa Esage

Overview

Google recently disclosed a new zero day vulnerability in Chrome browser that was exploited to attack users "in the wild". The bug is said to affect Skia component and tracked as CVE-2023-6345, with a CVSS score of 9.6 (Critical). No technical details of the vulnerability or exploit are available at the moment of this publication. We analyzed the security patches to derive additional information about the vulnerability, and clarify practical threat impact.

Analysis

Patch for CVE-2023-6345

1. The bug is an integer overflow in Skia, an open source library for rendering 2D graphics which which is used in Chromium backend. 2. The bug can be used to escape browser sandbox in Chrome app on Android. 3. At least one more bug - in one of the renderer subsystems, such as v8 - is required to complete the attack with a full chain exploit. Google did not disclose the other bug at this time. 4. The bug cannot be used to achieve a full sandbox escape on common desktop deployments of Google Chrome. 5. Based on the above, we hypothesize that the original 0-day attack vector and the exploit chain was targeting Android devices specifically. 6. The bug seems to be available and reachable in broad-scope Chromium (including common desktop deployments of Chrome browser), but an additional 3rd vulnerability would be required to execute arbitrary code with the same level of privilege as in the original 0-day attack in most popular deployment configurations. Therefore, overal impact of the bug is somewhat scoped. 7. The bug will strongly affect Chrome embedders which use unsandboxed GPU process. We did not look further into this, but Chrome-based systems such as electron framework and derivatives should be patched quickly. 8. The bug is not explicitly related to the previously reported 0-day vulnerability in Skia (CVE-2023-2136). I.e. it's not a patch bypass of the latter, and not located in the same subsystem of code. 9. Both bugs (6345 and 2136) are focused on bypassing in-code checks, which implicitly suggests the same specialized bughunting workflow, and therefore, possibly the same attacker. 10. The bug is not trivial to reproduce. Strong familiarity with GPU-level graphics internals is required.

References

Chrome release notes Patchset Issue tracker (restricted)

Relevant products

Masterclasses: Browser Security Nightly Training course: Zero Day Vulnerability Research

Metadata

Discussions: Twitter

Categories: 0-Day Insights

Tags: Chrome, Skia, GPU, Sandbox Escape, 0day