CVE-2021-38000
published 2021-11-23


Priority: P2 (77)
CVSS 3.1: 6.1 medium, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2021-11-17
Exploited in the wild: yes
EPSS: 4.49% (90.3rd percentile)
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browse to a malicious URL via a crafted HTML page.

Affected

13 ranges as reported by the aggregator; identical rows (three chromium rows, two debian_linux rows) are collapsed below.

Vendor          Product         Version range                        Fixed in
chromium        chromium        >= 0, < 97.0.4692.71-0.1~deb11u1     97.0.4692.71-0.1~deb11u1
chromium        chromium        >= 0, < 97.0.4692.71-0.1             97.0.4692.71-0.1
debian          chromium        < 97.0.4692.71-0.1 (bookworm)        97.0.4692.71-0.1 (bookworm)
debian          debian_linux    (no range given)                     -
fedoraproject   fedora          (no range given)                     -
google          chrome          < 95.0.4638.69                       95.0.4638.69
google          chrome          >= unspecified, < 95.0.4638.69       95.0.4638.69
google          chrome_chrome   (no range given)                     -
linux           linux_kernel    >= 0, < 4.15.0-239.251               4.15.0-239.251
msrc            microsoft_edge  (no range given)                     -

Caveat: the authoritative range is Google's, Chrome for Android below 95.0.4638.69. The linux_kernel row does not match this vulnerability, which lives in Chrome's Android intent handling, not in the kernel; treat it as an aggregator mis-mapping. The chromium/debian rows reflect when distribution packages picked up the fix, not the upstream fixed version.

Detection & IOCs (extracted from sources)

Affected version: Google Chrome < 95.0.4638.69 (Android)
  • CVE-2021-38000 was exploited as part of a chained exploit delivering PREDATOR/ALIEN spyware; detection should look for Chrome intent-based redirects to unexpected URLs from crafted HTML pages on Android devices.
  • ALIEN spyware injects into the zygote64 process on Android; monitor for unexpected code injection or unusual child processes spawned from zygote64.
  • Presence of fs.db (an encrypted SQLite3 file) on an Android device may indicate PREDATOR spyware update/refresh activity.
  • PREDATOR uses Python-based modules (loader.py, sqlimper.py, tcore, _km); presence of these files on an Android device is a strong indicator of compromise.
  • ALIEN uses dlsym() to call main_exec() from the downloaded PREDATOR component; monitor for unusual dlsym() calls in Android processes following network activity.
  • CVE-2021-38000 affects only Google Chrome on Android prior to version 95.0.4638.69; the CISA advisory notes it could also affect other Chromium-based browsers (Edge, Opera), but the only confirmed vector is Chrome on Android.
  • The PREDATOR/ALIEN samples analyzed by Talos were specifically built for Android; iOS variants may exist but were not analyzed.
  • The tcore and kmem PREDATOR components were not obtained for analysis; their full capabilities and indicators remain unknown.
  • The URL ALIEN uses to download the PREDATOR component is stored in ALIEN's configuration and is operator-controlled; no static domain/IP IOC is available from the sources.
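The two checks the list above asks for, the affected-version test and the hunt for intent-based redirects to unexpected URLs, as an added Python example. This is not code from the page, from Google, Talos or CISA; the intent: URI grammar it parses is Android's documented Intent URI form (intent:<target>#Intent;key=value;...;end, with S.browser_fallback_url the string extra Chrome honours when no app handles the intent). The fallback-host allow-list, the sample HTML and the hosts in it (stage2.example) are constructed for illustration, and the user-agent check is a triage heuristic only, since UA strings can be spoofed.

```python
"""Offline triage helpers for CVE-2021-38000 (Chrome on Android, intent: handling).

Added example; not code from the original page or from Google/Talos/CISA.
Assumptions (mine): the allow-list, sample HTML and hosts below are constructed.
"""
import re
from urllib.parse import unquote, urlparse

# First Chrome for Android build carrying the fix, per the advisory.
FIXED_CHROME_ANDROID = (95, 0, 4638, 69)

# Matches intent: URIs in raw HTML/JS text, including ones inside quoted strings.
INTENT_RE = re.compile(
    r"intent:(?P<target>[^#\s'\"<>]*)#Intent;(?P<params>[^'\"<>\s]*?);end",
    re.IGNORECASE,
)

# Chrome version token in a user-agent string, e.g. Chrome/94.0.4606.85
UA_RE = re.compile(r"Chrome/(\d+(?:\.\d+){0,3})")


def parse_intent_uri(uri):
    """Split an intent: URI into its target and key/value parameters.

    Keys prefixed 'S.' are Android string extras; browser_fallback_url is the one
    Chrome navigates to when no app handles the intent, so it is percent-decoded.
    Returns None when the text is not a well-formed intent: URI.
    """
    m = INTENT_RE.fullmatch(uri.strip())
    if not m:
        return None
    fields = {"target": m.group("target"), "extras": {}}
    for part in m.group("params").split(";"):
        if not part:
            continue
        key, _, value = part.partition("=")
        if key.startswith("S."):
            fields["extras"][key[2:]] = unquote(value)
        else:
            fields[key] = value
    return fields


def classify_fallback(fallback, allowed_hosts):
    """Return a reason string if the fallback URL is suspicious, else None."""
    parsed = urlparse(fallback)
    if parsed.scheme.lower() not in ("http", "https"):
        return f"non-web fallback scheme {parsed.scheme!r}"
    if parsed.hostname not in allowed_hosts:
        return f"fallback host {parsed.hostname!r} not in allow-list"
    return None


def find_intent_redirects(text, allowed_hosts):
    """Scan HTML/JS text for intent: URIs whose fallback would send Chrome somewhere unexpected."""
    findings = []
    for m in INTENT_RE.finditer(text):
        info = parse_intent_uri(m.group(0))
        if info is None:
            continue
        fallback = info["extras"].get("browser_fallback_url")
        if fallback is None:
            continue  # nothing for Chrome to navigate to when the app is absent
        reason = classify_fallback(fallback, allowed_hosts)
        if reason:
            findings.append({"uri": m.group(0), "package": info.get("package"),
                             "fallback": fallback, "reason": reason})
    return findings


def chrome_android_vulnerable(user_agent):
    """True if the UA claims Chrome on Android older than the fixed build (heuristic: UAs can lie)."""
    if "Android" not in user_agent:
        return False
    m = UA_RE.search(user_agent)
    if not m:
        return False
    version = tuple(int(x) for x in m.group(1).split("."))
    version += (0,) * (4 - len(version))  # pad so comparison is component-wise
    return version < FIXED_CHROME_ANDROID


# Constructed sample page (not a captured exploit page): one benign intent link
# and two whose fallback would redirect Chrome somewhere it should not go.
SAMPLE_HTML = """<!-- constructed sample -->
<a href="intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;S.browser_fallback_url=https%3A%2F%2Fplay.google.com%2Fstore;end">scan</a>
<script>
  location.href = "intent://x/#Intent;scheme=foo;package=com.example.missing;S.browser_fallback_url=http%3A%2F%2Fstage2.example%2Fdrop;end";
  location.href = "intent://y/#Intent;scheme=bar;S.browser_fallback_url=javascript%3Aalert(1);end";
</script>
"""

if __name__ == "__main__":
    for hit in find_intent_redirects(SAMPLE_HTML, {"play.google.com"}):
        print(f"{hit['reason']}: {hit['uri']}")
```

Run find_intent_redirects over HTML captured at a proxy or pulled from a sandbox; the allow-list should hold the fallback hosts your own sites legitimately use. A hit is a lead, not proof of exploitation: the point of the bullet above is that a redirect to an operator-controlled URL is the visible first stage, and the version test only narrows which clients were exposed.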

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd             v2.0      5.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:N
osv             -         7.8     HIGH       -
vulncheck       -         6.1     MEDIUM     -
cisa            -         6.1     MEDIUM     -
vendor_debian   -         6.1     MEDIUM     -
vendor_msrc     -         6.1     MEDIUM     -