What are CVE-2021-37975 and CVE-2021-37976?
Both are Chromium vulnerabilities, described as follows:
CVE-2021-37975 allows a remote attacker to execute arbitrary code on the system, caused by a use-after-free in V8.
CVE-2021-37976 could allow a remote attacker to obtain sensitive information, caused by an information leak in core.
Exploitation is known to be easy and requires the attacker to persuade the victim to visit a specially crafted website as part of the attack. Both vulnerabilities are being actively exploited in the wild and affect all Chromium-based web browsers. This means they do not affect only Google Chrome, but are also found in Brave, Microsoft Edge, etc. To date, they have been reported to affect more than two billion users.
CVE-2021-37975 was reported by an anonymous researcher, and CVE-2021-37976 was reported by Clément Lecigne from the Google Threat Analysis Group.
The Remediation
The Chromium team has already released Chromium version 94.0.4606.71, which addresses these vulnerabilities, and the remedy is simply to upgrade your browser.
In order to do so, teams need to account for all of their assets running the vulnerable Chromium versions (any version earlier than 94.0.4606.71).
However, many organizations have great difficulty accounting for all of their IT assets, let alone all of the applications running on them.
Identifying and Tracking the Exploitable Chrome Versions With Axonius
Axonius takes a comprehensive approach to identify all devices, user accounts, and installed software in your environment simply by connecting to all the IT and security tools you already use.
By connecting data sources such as EDR/EPP agents, configuration and patch management tools, network infrastructure, vulnerability scanners, and more, it’s easy to quickly identify CVEs that exist in your environment.
Once any of the above tools are connected, Axonius enables an aggregated search on installed software by vulnerability ID (CVE ID), installed software name, installed software version, and many more relevant fields. This means that a simple query can return a device seen with the specific CVE regardless of which data source has seen it.
So, the first step is to identify all the devices running the exploitable versions of Chromium.
In the above query, we’re searching for all devices running Google Chrome or Microsoft Edge versions earlier than the released fix version.
This enables us to detect all the devices, save the query and then create a dashboard chart to enable better visualization of the vulnerable devices.
Another approach is to search for all the devices with the specific CVE ID:
In the query above we are searching for all devices on which Axonius detected the vulnerable software.
This enables us to detect all the devices, save the query and then create a dashboard chart to enable better visualization of the vulnerable devices.
Now that we have detected the relevant devices, we can track the remediation process. To achieve this, we need to create one more query:
In the query above we are searching for all devices on which Axonius detected that the patched version has been installed (either Google Chrome or Microsoft Edge).
The next step is to create a chart which presents the following data:
Devices with the specific vulnerability vs. the number of devices running the relevant fix version.
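The same vulnerable-versus-fixed comparison can be reproduced over any exported software inventory. The following is an added example, not Axonius query syntax or Axonius code: the record fields, device names and sample inventory are constructed for illustration, and only the Chrome fix version comes from the text above.

```python
from collections import defaultdict

# First fixed version per product. The Chrome value is from the article;
# other Chromium-based browsers need their own vendor fix version added.
FIXED = {"Google Chrome": "94.0.4606.71"}

def parse_version(text):
    """Turn '94.0.4606.71' into (94, 0, 4606, 71); None if not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (ValueError, AttributeError):
        return None

def classify(records):
    """Return {device: 'vulnerable' | 'unknown' | 'patched'}."""
    # The worst state reported by any source wins, so a stale report or a
    # second old install is not hidden by a patched one.
    seen = defaultdict(set)
    for rec in records:
        fixed = FIXED.get(rec["software"])
        if fixed is None:
            continue  # not a tracked product
        version = parse_version(rec["version"])
        if version is None:
            seen[rec["device"]].add("unknown")
        elif version < parse_version(fixed):  # numeric, not string, comparison
            seen[rec["device"]].add("vulnerable")
        else:
            seen[rec["device"]].add("patched")
    order = ("vulnerable", "unknown", "patched")
    return {dev: next(s for s in order if s in st) for dev, st in seen.items()}

def chart_counts(records):
    """Device counts for the 'vulnerable vs. fix version' chart."""
    counts = {"vulnerable": 0, "patched": 0, "unknown": 0}
    for state in classify(records).values():
        counts[state] += 1
    return counts

# Constructed sample inventory; one device may be reported by several sources.
INVENTORY = [
    {"device": "lap-01", "source": "edr", "software": "Google Chrome", "version": "94.0.4606.61"},
    {"device": "lap-01", "source": "patch-mgmt", "software": "Google Chrome", "version": "94.0.4606.71"},
    {"device": "lap-02", "source": "edr", "software": "Google Chrome", "version": "94.0.4606.71"},
    {"device": "lap-03", "source": "scanner", "software": "Google Chrome", "version": "94.0.4606.9"},
    {"device": "lap-04", "source": "edr", "software": "Google Chrome", "version": "95.0.4638.54"},
    {"device": "srv-01", "source": "scanner", "software": "Google Chrome", "version": "unknown"},
    {"device": "srv-02", "source": "edr", "software": "OpenSSH", "version": "8.4"},
]
```

Note that `lap-03` (94.0.4606.9) is only flagged because versions are compared as integer tuples; a plain string comparison would sort it after 94.0.4606.71 and miss it.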