Google Chrome Zero-Day Vulnerability: How to defend against CVE-2024-7971

An unauthenticated type confusion vulnerability, CVE-2024-7971, was found in Google Chrome's V8 JavaScript engine. Learn how to mitigate your risk if you are affected.

On August 19th, 2024, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) reported a zero-day flaw in Google Chrome within the V8 JavaScript and WebAssembly engine. This find brings the year-to-date total to 10 zero-day vulnerabilities in Google Chrome. The vulnerability, assigned the ID CVE-2024-7971, is a type confusion flaw that can lead to remote code execution. CVE-2024-7971 is already being exploited in the wild, which underlines how urgent it is to act and protect yourself against this vulnerability.

Google published an advisory covering the flaw two days after Microsoft’s report. Five days after the vendor publication, the vulnerability was added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. NIST’s National Vulnerability Database (NVD) included it in its catalog on the day of its publication.

The Vulnerability

This zero-day flaw is classified as high severity, receiving a CVSS v3 score of 8.8. Together with CVE-2024-4947 and CVE-2024-5274, it is the third actively exploited type confusion bug that has been found and patched in V8. Type confusion flaws give attackers the ability to run malicious code on a victim’s machine, which may result in malware installation, unauthorized access, or data theft.

This flaw requires user interaction for successful exploitation. A remote attacker can use a crafted HTML page to trigger heap corruption, which can lead to remote code execution inside the sandboxed Chromium renderer process. To mitigate the threat, users are advised to upgrade to version 128.0.6613.84 or higher.

Since Google Chrome updates itself automatically when security patches are released, Google has not published any further details on the attacks exploiting the vulnerability and is keeping the bug-tracker links restricted until most users have received the fix. The bug bounty for the Microsoft Threat Intelligence Center (MSTIC) for reporting the flaw has yet to be determined.

Nonetheless, users who want to accelerate protection can trigger the update manually from the Chrome menu and then relaunch the browser so that the patched version is loaded. Additionally, extra security measures such as network segmentation and sandboxing reduce the risk associated with this and other vulnerabilities.
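As an added example (not code from Skybox or Google), the following Python script checks whether the Chrome versions reported across an asset inventory meet the 128.0.6613.84 threshold named above, so a security team can see which hosts still need the manual update and relaunch. The inventory is constructed for illustration, and the script assumes that a raw `google-chrome --version` line has the form "Google Chrome <major.minor.build.patch>"; both are assumptions, not details from the advisory.

```python
"""Added example (not Skybox's or Google's code): flag Chrome installs that are
below the fixed version named in the CVE-2024-7971 advisory."""
import re

# Fixed version as stated in the post (Chrome 128.0.6613.84 or higher).
FIXED_VERSION = "128.0.6613.84"

# A dotted numeric version with two to four components.
_VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")


def extract_version(text: str) -> str:
    """Pull the first dotted version number out of free text, e.g. the
    'Google Chrome 128.0.6613.84' line printed by `google-chrome --version`
    (assumed format). Raises ValueError when no version is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return match.group(0)


def version_key(version: str) -> tuple:
    """Turn 'major.minor.build.patch' into a tuple of ints so versions
    compare numerically ('9' < '10') rather than as strings. Missing
    trailing components count as 0, so a truncated '128.0.6613' sorts
    below '128.0.6613.84' and is treated conservatively as unpatched."""
    parts = [int(p) for p in version.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version shape: {version!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported build is at or above the fixed version."""
    return version_key(extract_version(installed)) >= version_key(fixed)


def triage(inventory: dict) -> dict:
    """Split {host: reported version string} into patched, vulnerable and
    unknown buckets; unparsable entries land in 'unknown' for follow-up."""
    buckets = {"patched": [], "vulnerable": [], "unknown": []}
    for host, reported in inventory.items():
        try:
            bucket = "patched" if is_patched(reported) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        buckets[bucket].append(host)
    return buckets


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "ws-finance-01": "127.0.6533.120",                # pre-fix release
    "ws-finance-02": "128.0.6613.84",                 # exactly the fixed build
    "ws-dev-03": "Google Chrome 128.0.6613.120",      # raw CLI output, newer build
    "ws-kiosk-04": "128.0.6613",                      # truncated report, treated as unpatched
    "ws-lab-05": "not installed",                     # nothing to parse
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed the function the version strings your endpoint management or inventory tool already collects; hosts in the "vulnerable" bucket are the ones to push the update to and relaunch, and "unknown" entries deserve a manual look rather than silently passing.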

The Attacks

Microsoft discovered a threat actor exploiting a vulnerability in Chromium two days before Google published it and assigned a CVE ID. Exploitation of CVE-2024-7971 can be described as an “exploit chain” in which multiple components must work together to compromise a target. If any one of these components is unavailable, the entire attack chain fails.

The exploitation can be traced to Citrine Sleet, a North Korean hacking group. It was conducted to deploy the FudModule rootkit and compromise systems via a Windows kernel exploit (disclosed as CVE-2024-38106) that allowed the attackers to gain SYSTEM privileges. After loading the FudModule rootkit into memory, they performed kernel tampering and direct kernel object manipulation (DKOM) to bypass kernel security mechanisms. Citrine Sleet usually targets organizations in the cryptocurrency sector, including exchanges and gaming companies, for fraudulent financial gain, and that was the case for CVE-2024-7971 as well. One of the companies targeted by this exploit had previously been attacked by Sapphire Sleet (also known as BlueNoroff), another North Korean threat actor.

Beyond patching, defending against zero-day exploits requires security solutions with unified visibility across the whole attack chain, so that malicious behavior and post-compromise attacker tooling can be identified and stopped even after the initial exploitation has succeeded.

How can Skybox Help?

The Skybox Research Lab added the vulnerability to our threat intelligence feed the day after the vendor made it public. On the same day, once it was confirmed that the flaw was being exploited in the wild, the Skybox Research Lab updated its status in the feed.

Skybox customers who have Google Chrome deployed on their network can use the vulnerability discovery features of the Skybox Vulnerability and Threat Management solution to find the vulnerability. They will also be notified of the number of vulnerability occurrences within their organization and of each asset's degree of exposure to the relevant attack vector. If needed, Skybox also suggests compensating security measures, including network segmentation or configuration changes, to reduce exposure risk on the customer’s network.

To help an organization’s security team decide how best to protect itself, Skybox provides a customized risk score and a prioritized list of the most critical threats. These are based on the significance of Google Chrome within the organizational network as well as other factors, such as the overall CVSS score for CVE-2024-7971.

Skybox will keep a close eye on any updates about this flaw and update the threat intelligence feed with any information that may be useful for clients making risk management decisions.

Learn how Skybox proactively protects you from vulnerabilities like this one affecting Google Chrome.