January 2, 2024

CVE-2023-7024


Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

  • Enable the Application Vulnerability policy, which will detect when a vulnerable app version is on the device. Since there are known exploits, we suggest you set the severity to high and block user access to work data until they update the app. 
  • Lookout will publish coverage for this vulnerability on January 4th, 2024 under the family name MultiApp-CVE-2023-7024, after which the alerts will be generated based on the admin's risk, response and escalation setup. Any device with vulnerable versions of Chrome (at or below 120.0.6099.143) or Edge (at or below 120.0.2210.90) will receive an alert if detected after that date. 
  • Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device. 
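As an added illustration (not Lookout's code and not part of the original advisory), the version thresholds listed above can be checked against a device inventory export as follows. The Android package names, the inventory format, and the sample rows are assumptions constructed for the example.

```python
# Added example: flag Chrome/Edge installs at or below the last vulnerable
# build named in the advisory. Package names and inventory rows are assumed.

LAST_VULNERABLE = {
    "com.android.chrome": (120, 0, 6099, 143),  # Chrome (assumed package name)
    "com.microsoft.emmx": (120, 0, 2210, 90),   # Edge (assumed package name)
}

def parse_version(text):
    """Turn '120.0.6099.143' into (120, 0, 6099, 143); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(package, version_text):
    """Return 'vulnerable', 'not-vulnerable', 'unknown' or 'not-tracked'."""
    limit = LAST_VULNERABLE.get(package)
    if limit is None:
        return "not-tracked"
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs manual review; never assume it is updated
    # Tuples compare numerically per component, so build 99 sorts below 143
    # (a plain string comparison would get this wrong).
    return "vulnerable" if version <= limit else "not-vulnerable"

def audit(inventory):
    """Return the rows that need attention, with their status appended."""
    findings = []
    for device, package, version_text in inventory:
        status = classify(package, version_text)
        if status in ("vulnerable", "unknown"):
            findings.append((device, package, version_text, status))
    return findings

# Constructed sample inventory: (device id, package, installed version)
SAMPLE_INVENTORY = [
    ("dev-001", "com.android.chrome", "120.0.6099.143"),  # exactly at threshold
    ("dev-002", "com.android.chrome", "120.0.6099.144"),  # one build above
    ("dev-003", "com.android.chrome", "120.0.6099.99"),   # 99 < 143 numerically
    ("dev-004", "com.microsoft.emmx", "120.0.2210.90"),   # exactly at threshold
    ("dev-005", "com.microsoft.emmx", "120.0.2210.91"),   # one build above
    ("dev-006", "com.android.chrome", "120.0.6099"),      # truncated version
    ("dev-007", "org.example.browser", "1.0.0.0"),        # not a tracked app
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Rows with an unparseable version are reported rather than skipped, so an incomplete inventory export does not hide a device that still needs the update.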

Overview 

Google recently disclosed a critical vulnerability in Chromium, the open-source web browser project that it maintains, that affects both Google Chrome and Microsoft Edge browsers across desktop and mobile devices. The vulnerability, which is classified as highly critical with a CVSS score of 8.8/10, could enable an attacker to execute code remotely on the device and infect it with malware or steal sensitive data.

The vulnerability itself exists in WebRTC, which stands for Web Real-Time Communications. WebRTC is an open-source project that enables developers to build real-time voice, text, and video communication capabilities between web browsers and the devices they run on. A remote attacker could potentially exploit heap corruption, a type of memory error, to carry out an attack on devices with vulnerable versions of Chrome and Edge.

Lookout Analysis

To understand the severity of this vulnerability, it’s important to know what heap memory corruption is. Across programming languages, a heap is a special block of memory that the operating system sets aside for a particular application to hold its data in. When the heap is corrupted, intentionally or unintentionally, it can lead to application crashes, data loss, and security vulnerabilities.

The most likely way for an attacker to exploit this vulnerability would be to send a maliciously crafted webpage, which makes sense since the vulnerability exists in the device’s web browser. Since this needs to be delivered to mobile device users, the attacker would send a message over SMS, email, a third-party messaging platform, or any mobile app that has a messaging feature. That message would contain a link to the malicious webpage, and with some simple social engineering the attacker could convince the victim to tap the link and kick off the exploit. 

Finally, it’s important to note that mobile device management (MDM) solutions would not detect this type of attack. While MDMs are useful for managing which apps are on a device and enforcing basic device security measures, they cannot detect phishing links or malicious code being loaded onto the device.

Authors

Lookout


Platform(s) Affected: Android
Threat Type: Vulnerability, Phishing
Entry Type: Threat Guidances