December 25th, 2023 - by Alisa Esage
WebRTC is a universal open source codec library for processing audio and video streaming, which is embedded in a wide variety of software products, especially in web browsers. Google just disclosed a zero-day vulnerability in WebRTC, which is being exploited in the wild to achieve remote code execution. No further technical details were provided, so I looked at the patch through my perspective of vulnerability research experience (without any testing or reproduction yet) to derive additional insights related to the bug's impact, mitigation, and re-exploitation potential.
Full patch for CVE-2023-7024
1. The bug resides in Chromium-specific WebRTC bindings rather than in the core WebRTC code. It means that the security vulnerability will only affect the Chrome browser as well as those browsers based on Chromium open source project (such as Microsoft Edge), and will not affect other software which uses WebRTC library. 2. The patch fixes wrong logic when processing incoming WebRTC audio stream parameters from the server/web page. 3. The exploitable state is caused by a memory corruption in downstream code, which uses unchecked AudioParameters struct members. 4. The bug may possibly be reached through a HTML page which uses WebRTC/WebAudio JavaScript API. 5. These Chromium-based software products have been patched: Browsers: Microsoft Edge, Brave, Opera; Electron framework * 6. These Chromiuim-based software may be still vulnerable: Vivaldi browser, Samsung Internet, Avast browser, Yandex browser, Qihoo 360 browser, Meta Quest (Oculus) browser ** 7. These WebRTC embedders are not vulnerable: Safari, Firefox, Chromium OS, Firefox OS 8. The vulnerability is not ultra-hard to reproduce and exploit. If your software embeds Chromium open source project, upgrade to recent version or cherry-pick the patch as soon as possible. 9. In order to exploit this vulnerability by re-creating the full chain exploit, the attacker will still need another bug to disclose memory contents, and yet another bug to escape browser/application sandbox. Note that in certain configurations either or both additional requirements may be irrelevant. 10. Mitigation: software-specific. In Chrome browser WebRTC cannot be disabled in the settings, so consider updating the browser.
Chrome release notes Patchset Issue tracker (restricted)
Masterclasses: Browser Security Nightly Training course: Zero Day Vulnerability Research
* Some software doesn't report security patch details, so (in)vulnerability could be established by looking at 1) release history, 2) source code diffs rather than by CVE mentions ↩ ** No product updates were recently reported by the vendor, while the project's code dependency graph strongly indicates inheritance of the specific bug from Chromium ↩