CVE-2021-37973
published 2021-10-08


Priority: P186 (critical), CVSS 3.1 base score 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA KEV: Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild (ITW)
EPSS: 11.73% (95.5th percentile)
Use after free in Portals in Google Chrome prior to 94.0.4606.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Affected (13 ranges)

Vendor        | Product        | Version range                               | Fixed in
chromium      | chromium       | >= 0 < 97.0.4692.71-0.1~deb11u1             | 97.0.4692.71-0.1~deb11u1
chromium      | chromium       | >= 0 < 97.0.4692.71-0.1                     | 97.0.4692.71-0.1
chromium      | chromium       | >= 0 < 97.0.4692.71-0.1                     | 97.0.4692.71-0.1
chromium      | chromium       | >= 0 < 97.0.4692.71-0.1                     | 97.0.4692.71-0.1
debian        | chromium       | < chromium 97.0.4692.71-0.1 (bookworm)      | chromium 97.0.4692.71-0.1 (bookworm)
debian        | debian_linux   | (not specified)                             | (not specified)
debian        | debian_linux   | (not specified)                             | (not specified)
fedoraproject | fedora         | (not specified)                             | (not specified)
fedoraproject | fedora         | (not specified)                             | (not specified)
google        | chrome         | < 94.0.4606.61                              | 94.0.4606.61
google        | chrome         | >= unspecified < 94.0.4606.61               | 94.0.4606.61
google        | chrome_chrome  | (not specified)                             | (not specified)
msrc          | microsoft_edge | (not specified)                             | (not specified)

Detection & IOCs (extracted from sources)

domain:   track-adv[.]com
url:      https://track-adv[.]com/market-analytics.php?pc=1
domain:   ceo-adviser[.]com
url:      https://ceo-adviser[.]com/fb-connect.php?online=1
url:      https://track-adv[.]com/analytics.php?personalization_id=
filename: fs.db
filename: loader.py
filename: sqlimper.py
process:  zygote64
process:  system_server
process:  installd
  • Detect watering hole iframe injection: monitor for hidden iframes on government websites pointing to attacker-controlled domains track-adv[.]com or ceo-adviser[.]com with specific PHP paths (/market-analytics.php, /fb-connect.php, /analytics.php).
  • Detect use of indexedDB database named 'tracker' on the client side, used by the Chrome exploit chain to store status information.
  • Detect unique session identifier format (e.g., 2msa5mmjhqxpdsyb5vlcnd2t — 24-char lowercase alphanumeric) passed as 'tt=' parameter in all exploit stage requests to track-adv[.]com.
  • Detect reconnaissance payload sending back browser fingerprint data (screen sizes, CPU count, GPU info, navigator properties, client hints Brands) to C2 prior to exploit delivery.
  • The cookie stealer payload targets a hard-coded list of authentication endpoints; monitor for anomalous websocket connections to attacker-controlled IPs originating from these domains.
  • Detect C2 key exchange: reconnaissance payload makes a second request with 'gcr=1' as a URL parameter to retrieve the AES decryption key for the next-stage payload.
  • CVE-2021-37973 was part of a five-CVE exploit chain (also including CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048); detection of this CVE alone may not indicate full compromise without the accompanying privilege escalation chain.
  • The same exploit infrastructure (track-adv[.]com) and cookie stealer framework were reused across multiple campaigns (2021, November 2023, February 2024, July 2024), so these IOCs may have long operational lifespans and could be reactivated.
  • The Chrome exploit chain required a sandbox escape (CVE-2024-4671) in addition to the CVE-2021-37973-era Portals UAF; Site Isolation forces attackers to chain more vulnerabilities, so a single CVE patch is insufficient for full protection.
  • The PREDATOR/ALIEN QUAILEGGS privilege escalation component code was not obtained; the exact exploit mechanism for CVE-2021-1048 within QUAILEGGS is assessed but not confirmed.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.6   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 9.6   | CRITICAL |
vulncheck     |         | 9.6   | CRITICAL |
cisa          |         | 9.6   | CRITICAL |
vendor_debian |         | 9.6   | CRITICAL |
vendor_msrc   |         | 9.6   | CRITICAL |