
Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security
Team-Accessibility




Issue 627300: Security: ChromeVox on ChromeOS uses HTTP without SSL for some requests:

Reported by resea...@nightwatchcybersecurity.com, Jul 12 2016

Issue description

VULNERABILITY DETAILS
ChromeVox on ChromeOS uses HTTP without SSL for some requests:

We saw the following URLs:
http://fonts.googleapis.com/css?family=Droid+Sans+Mono|Roboto:400,700,700italic

http://fonts.gstatic.com/s/roboto/v15/t6Nd4cfPRhZP44Q5QAjcC44P5ICox8Kq3LLUNMylGO4.woff2

VERSION
Chrome Version: 51.0.2704.106 (stable)
Operating System: ChromeOS 8172.62.0 (stable)

REPRODUCTION CASE:
1. Set up a proxy with WiFi.
2. Switch ChromeOS device to use proxy.
3. Restart the device and on the login screen enable ChromeVox.
4. Observe calls to HTTP without SSL.
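
A static check for the kind of request reported above, added here as an example and not part of the original report or the Chromium code: it scans a package's HTML and CSS for subresources referenced over `http://`. The report does not say where the font URLs are referenced, so the file names, the `find_cleartext_refs` helper and the assumption that the references sit in HTML/CSS files are all hypothetical.

```python
import re
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch a subresource (links in <a> do not).
FETCH_ATTRS = {("link", "href"), ("script", "src"), ("img", "src"), ("iframe", "src")}
# Matches @import "http://..." and url(http://...) in stylesheets.
CSS_URL = re.compile(r"""(?:@import\s+|url\(\s*)["']?(http://[^"')\s;]+)""", re.I)

# Constructed sample package: file names are hypothetical, FONT_CSS is the URL from the report.
FONT_CSS = "http://fonts.googleapis.com/css?family=Droid+Sans+Mono|Roboto:400,700,700italic"
SAMPLE = {
    "panel.html": f'<link rel="stylesheet" href="{FONT_CSS}">\n'
                  '<a href="http://example.com/help">help</a>\n'
                  '<script src="https://example.com/ok.js"></script>',
    "panel.css": '@import url("http://example.com/theme.css");\n'
                 'body { background: url(https://example.com/bg.png); }',
}

class _RefCollector(HTMLParser):
    """Collects http:// subresource URLs from tags and inline <style> blocks."""
    def __init__(self):
        super().__init__()
        self.found, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and (value or "").lower().startswith("http://"):
                self.found.append(value)

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:
            self.found.extend(CSS_URL.findall(data))

def find_cleartext_refs(files):
    """files maps path -> text; returns sorted (path, url) pairs loaded over http://."""
    hits = []
    for path, text in files.items():
        if path.endswith((".html", ".htm")):
            parser = _RefCollector()
            parser.feed(text)
            parser.close()
            hits.extend((path, url) for url in parser.found)
        elif path.endswith(".css"):
            hits.extend((path, url) for url in CSS_URL.findall(text))
    return sorted(hits)
```

Run over `SAMPLE`, it flags the stylesheet link and the `@import` while ignoring the `<a>` navigation link and the `https://` resources.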
 

Comment 1 by rickyz@chromium.org, Jul 13 2016

Labels: M-54 Arch-All Security_Severity-Low OS-Chrome
Owner: dtseng@chromium.org
Mind taking a look at this one, dtseng@?

Comment 2 by sheriffbot@chromium.org, Jul 13 2016

Project Member
Labels: Pri-2

Comment 3 by sheriffbot@chromium.org, Jul 13 2016

Project Member
Status: Assigned (was: Unconfirmed)

Comment 4 by ta...@google.com, Jul 13 2016

Components: UI>Accessibility
Labels: Security_Impact-Stable

Comment 5 by mea...@chromium.org, Jul 13 2016

Are these URLs being embedded on chrome-extension:// pages? If so, bug 398790 might be relevant.

Comment 6 by sheriffbot@chromium.org, Dec 2 2016

Project Member
Labels: -M-54 M-55

Comment 7 by sheriffbot@chromium.org, Jan 26 2017

Project Member
Labels: -M-55 M-56

Comment 8 by infe...@chromium.org, Mar 9 2017

Cc: ya...@nightwatchcybersecurity.com

Comment 9 by sheriffbot@chromium.org, Mar 10 2017

Project Member
Labels: -M-56 M-57

Comment 10 by sheriffbot@chromium.org, Apr 20 2017

Project Member
Labels: -M-57 M-58

Comment 11 by sheriffbot@chromium.org, Jun 6 2017

Project Member
Labels: -M-58 M-59

Comment 12 by sheriffbot@chromium.org, Jul 26 2017

Project Member
Labels: -M-59 M-60

Comment 13 by sheriffbot@chromium.org, Sep 6 2017

Project Member
Labels: -M-60 M-61

Comment 14 by dtseng@chromium.org, Sep 18 2017

Status: fixed (was: Assigned)
https://codereview.chromium.org/2776293002

Comment 15 by ya...@nightwatchcybersecurity.com, Sep 18 2017

Does this get a CVE and/or qualify for a bounty?

Comment 16 by mea...@chromium.org, Sep 18 2017

Cc: awhalley@chromium.org
+awhalley for comment 15.

Comment 17 by awhalley@chromium.org, Sep 18 2017

Labels: -M-61 M-62 M-59
Looks like this wasn't marked as fixed when the release it was fixed in was released :-)  Marking with M-62 to get that picked up for release note and CVE allocation then (though shout if you need it sooner and I can do it manually)

We don't usually reward for low severity bugs, but we'll take a look in a future VRP panel.

Comment 18 by sheriffbot@chromium.org, Sep 19 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 19 by awhalley@google.com, Oct 16 2017

Labels: reward-topanel

Comment 20 by awhalley@chromium.org, Oct 19 2017

Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 21 by awhalley@google.com, Oct 20 2017

The VRP panel decided to award $500 for this report.  Also, how would you like to be credited on the release notes when

Comment 22 by awhalley@chromium.org, Oct 20 2017

Labels: -reward-unpaid reward-inprocess

Comment 23 by ya...@nightwatchcybersecurity.com, Oct 20 2017

Thank you! Please credit "Nightwatch Cybersecurity Research" in the notes.

Is there a CVE being assigned?

Comment 24 by awhalley@google.com, Oct 26 2017

Labels: CVE-2017-15397
Pardon the delay, CVE assigned.

Comment 25 by ya...@nightwatchcybersecurity.com, Oct 26 2017

Thank you! At what point is it ok to disclose publicly? I checked the list of changes for Chrome 62 and don't see this one there.

Comment 26 by awhalley@chromium.org, Oct 28 2017

This bug will be automatically opened 14 weeks after the fix date. This was indeed released with Chrome OS 62, which went stable yesterday.  Expect the release notes to be updated with this and a few other security bugs in about a week.

Please feel free to disclose this publicly after 7th November, so folks have some time to update their systems to 62.

Thanks again for the report!

Comment 27 by awhalley@chromium.org, Nov 6 2017

Labels: Release-0-M62

Comment 28 by sheriffbot@chromium.org, Dec 26 2017

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
