CVE-2018-16083
published 2019-01-09
CVE-2018-16083: An out of bounds read in forward error correction code in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to perform an out of bounds…
Priority P3 · 55 · high · 8.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.26% (91.5th percentile)
An out of bounds read in forward error correction code in WebRTC in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| | chrome | < 69.0.3497.81 | 69.0.3497.81 |
| | chrome | >= unspecified < 69.0.3497.81 | 69.0.3497.81 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs (extracted from sources)
- Trigger condition: sending a very short RTP packet over a WebRTC connection causes FEC (ULPFEC) processing to read beyond the allocated buffer in XorPayloads, observable as a heap-buffer-overflow READ in ASAN builds.
- Crash occurs in the call chain: XorPayloads → ForwardErrorCorrection::RecoverPacket → AttemptRecovery → DecodeFec → UlpfecReceiverImpl::ProcessReceivedFec → RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader; monitor for abnormal termination or ASAN signals along this path.
- The vulnerability is exploitable via a crafted HTML page that establishes a WebRTC peer connection and sends malformed RTP packets; delivery vector is a remote web page.
- Affected component is Google Chrome prior to version 69.0.3497.81; flag any Chrome installations below this version as unpatched.
- The out-of-bounds read occurs 0 bytes past the end of a 1520-byte heap allocation; the read size is only 1 byte, limiting direct data-exfiltration impact but still constituting an exploitable memory disclosure primitive.
- Exploitation requires the victim to visit a crafted HTML page that initiates a WebRTC RTCPeerConnection; no additional user interaction beyond page load is needed.
CVSS provenance
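| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |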
GHSA
GHSA-cxp6-9rqh-9p3p: An out of bounds read in forward error correction code in WebRTC in Google Chrome prior to 69
ghsa_unreviewed · 2022-05-14
CVE-2018-16083 [HIGH] CWE-125
OSV
CVE-2018-16083: An out of bounds read in forward error correction code in WebRTC in Google Chrome prior to 69
osv · 2019-01-09 · CVSS 8.8
CVE-2018-16083 [HIGH]
Project0
Adventures in Video Conferencing Part 1: The Wild World of WebRTC - Project Zero
project_zero · 2018-12-01
CVE-2018-16071 Adventures in Video Conferencing Part 1: The Wild World of WebRTC - Project Zero
Posted by Natalie Silvanovich, Project Zero
Over the past five years, video conferencing support in websites and applications has exploded. Facebook, WhatsApp, FaceTime and Signal are just a few of the many ways that users can make audio and video calls across networks. While a lot of research has been done into the cryptographic and privacy properties of video conferencing, there is limited information available about the attack surface of these platforms and their susceptibility to vulnerabilities. We reviewed the three most widely-used video conferencing implementations. In this series of blog posts, we describe what we found.
This part will discuss our analysis of WebRTC. Part 2 will cover our analysis of FaceTime. Part 3 will discuss how we fuzzed WhatsApp. Part 4 will describe so
Red Hat
chromium-browser: Out of bounds read in WebRTC
vendor_redhat · 2018-09-04 · CVSS 8.8
CVE-2018-16083 [HIGH]
No detection rules found.
- http://www.securityfocus.com/bid/105215
- https://access.redhat.com/errata/RHSA-2018:2666
- https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html
- https://crbug.com/856823
- https://security.gentoo.org/glsa/201811-10
- https://www.exploit-db.com/exploits/45444/

Published 2019-01-09