
Issue 627300

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security
Team-Accessibility




Security: ChromeVox on ChromeOS uses HTTP without SSL for some requests:

Reported by resea...@nightwatchcybersecurity.com, Jul 12 2016

Issue description

VULNERABILITY DETAILS
ChromeVox on ChromeOS uses HTTP without SSL for some requests:

We saw the following URLs:
http://fonts.googleapis.com/css?family=Droid+Sans+Mono|Roboto:400,700,700italic

http://fonts.gstatic.com/s/roboto/v15/t6Nd4cfPRhZP44Q5QAjcC44P5ICox8Kq3LLUNMylGO4.woff2

VERSION
Chrome Version: 51.0.2704.106 (stable)
Operating System: ChromeOS 8172.62.0 (stable)

REPRODUCTION CASE:
1. Set up a proxy with WiFi.
2. Switch ChromeOS device to use proxy.
3. Restart the device and on the login screen enable ChromeVox.
4. Observe calls to HTTP without SSL.
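
Added example, not part of the original report or of Chromium's code: one way to triage what a forward proxy records during the reproduction steps above. It separates absolute-form `http://` requests (sent in the clear) from `CONNECT` tunnels. The log layout, the `example.com` line and the function names are assumptions; the two font URLs are the ones quoted in the report.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: request lines as a forward proxy would see them.
# Only the two http:// URLs come from the report; the rest is illustrative.
SAMPLE_REQUEST_LINES = """\
GET http://fonts.googleapis.com/css?family=Droid+Sans+Mono|Roboto:400,700,700italic HTTP/1.1
CONNECT example.com:443 HTTP/1.1
GET http://fonts.gstatic.com/s/roboto/v15/t6Nd4cfPRhZP44Q5QAjcC44P5ICox8Kq3LLUNMylGO4.woff2 HTTP/1.1
not a request line
"""


def classify(line):
    """Return (kind, host, target) for one proxy request line.

    kind is 'plaintext' for an absolute-form http:// request (readable and
    modifiable by anyone on the network path), 'tunnel' for CONNECT
    (normally TLS inside), or 'other' for anything else.
    """
    parts = line.split()
    if len(parts) != 3 or not parts[2].upper().startswith("HTTP/"):
        return ("other", None, line.strip())
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        # CONNECT uses authority-form: host:port, no scheme or path.
        host = target.rsplit(":", 1)[0]
        return ("tunnel", host.lower(), target)
    url = urlsplit(target)
    if url.scheme == "http" and url.hostname:
        return ("plaintext", url.hostname, target)
    return ("other", url.hostname, target)


def plaintext_by_host(log_text):
    """Group plaintext HTTP request targets by hostname."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        kind, host, target = classify(line)
        if kind == "plaintext":
            hits[host].append(target)
    return dict(hits)


if __name__ == "__main__":
    for host, targets in plaintext_by_host(SAMPLE_REQUEST_LINES).items():
        print(f"{host}: {len(targets)} request(s) sent without TLS")
        for t in targets:
            print("   ", t)
```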

 

Comment 1 by rickyz@chromium.org, Jul 13 2016

Labels: M-54 Arch-All Security_Severity-Low OS-Chrome
Owner: dtseng@chromium.org
Mind taking a look at this one, dtseng@?
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 13 2016

Labels: Pri-2
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 13 2016

Status: Assigned (was: Unconfirmed)

Comment 4 by ta...@google.com, Jul 13 2016

Components: UI>Accessibility
Labels: Security_Impact-Stable

Comment 5 by mea...@chromium.org, Jul 13 2016

Are these URLs being embedded on chrome-extension:// pages? If so, bug 398790 might be relevant.
Project Member

Comment 6 by sheriffbot@chromium.org, Dec 2 2016

Labels: -M-54 M-55
Project Member

Comment 7 by sheriffbot@chromium.org, Jan 26 2017

Labels: -M-55 M-56
Cc: ya...@nightwatchcybersecurity.com
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 10 2017

Labels: -M-56 M-57
Project Member

Comment 10 by sheriffbot@chromium.org, Apr 20 2017

Labels: -M-57 M-58
Project Member

Comment 11 by sheriffbot@chromium.org, Jun 6 2017

Labels: -M-58 M-59
Project Member

Comment 12 by sheriffbot@chromium.org, Jul 26 2017

Labels: -M-59 M-60
Project Member

Comment 13 by sheriffbot@chromium.org, Sep 6 2017

Labels: -M-60 M-61
Status: fixed (was: Assigned)
https://codereview.chromium.org/2776293002
Does this get a CVE and/or qualify for a bounty?
Cc: awhalley@chromium.org
+awhalley for comment 15.
Labels: -M-61 M-62 M-59
Looks like this wasn't marked as fixed when the release it was fixed in was released :-)  Marking with M-62 to get that picked up for release note and CVE allocation then (though shout if you need it sooner and I can do it manually)

We don't usually reward for low severity bugs, but we'll take a look in a future VRP panel.
Project Member

Comment 18 by sheriffbot@chromium.org, Sep 19 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Labels: -reward-topanel reward-unpaid reward-500
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
The VRP panel decided to award $500 for this report.  Also, how would you like to be credited on the release notes when 
Labels: -reward-unpaid reward-inprocess
Thank you! Please credit "Nightwatch Cybersecurity Research" in the notes.

Is there a CVE being assigned?
Labels: CVE-2017-15397
Pardon the delay, CVE assigned.
Thank you! At what point is it ok to disclose publicly? I checked the list of changes for Chrome 62 and don't see this one there.
This bug will be automatically opened 14 weeks after the fix date. This was indeed released with Chrome OS 62, which went stable yesterday.  Expect the release notes to be updated with this and a few other security bugs in about a week.

Please feel free to disclose this publicly after 7th November, so folks have some time to update their systems to 62.

Thanks again for the report!
Labels: Release-0-M62
Project Member

Comment 28 by sheriffbot@chromium.org, Dec 26 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted
