August Vuln of the Month: CVE-2021-30551

Aug 11, 2021
Jerry Gamblin
Director of Security Research at Kenna Security

Our latest Vuln of the Month blog features a Google Chrome vulnerability that’s worth your attention, and not only because it has already attracted the attention of attackers.

August’s Vuln of the Month is CVE-2021-30551, a zero-day Type Confusion vulnerability in V8, the component in Google’s Chrome web browser responsible for processing JavaScript code. Our research shows that CVE-2021-30551 meets many of the criteria we look for to be widely exploited, including:

  • Access complexity: Low
  • Potential attack surface: Massive
  • Exploitable remotely: Yes
  • Authentication/privilege requirements: None
  • Potential impact on availability: Total
  • Exploit code published: Yes
  • Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-30551 is 77. Just 1.55% of the more than 156,000 CVEs scored by Kenna have earned a higher risk score. (CVSS 3.1 gives this vuln a score of 8.8.)

Why CVE-2021-30551 matters

Well, where do we begin? Let’s start with the gargantuan attack surface: CVE-2021-30551 is a vulnerability within Google Chrome, the world’s most popular browser, with 2.65 billion users.

Then consider the nature of the vulnerability itself: It’s a Type Confusion vuln, in which Chrome’s V8 component can be tricked into treating unauthorized input as a type it usually recognizes, even though the data is actually of a different type. That leads to logical memory errors, which can open the door for attackers.

Now consider that exploiting this vuln requires no special privileges: a remote attacker who succeeds can cause heap corruption in V8 via a crafted HTML page, which would allow them to execute arbitrary code and gain full control of the system. Now add the challenge of remediation: Google Chrome is client software, so it’s incumbent on those 2.65 billion users to download the update that patches this vulnerability.

And if all this wasn’t enough to get your attention: CVE-2021-30551 has been exploited in the wild.

Bottom line

A massive attack surface, easy access to the vuln within Google Chrome V8, the potential for an attacker to take full control over a system, exploits in the wild, and a remediation team numbering in the billions all add up to making CVE-2021-30551 a priority fix.

Mitigation status

On June 9, Google announced it would roll out stable version 91.0.4472.101 for Windows, Mac, and Linux over the following weeks. As an added plus, this new version addresses 13 other identified CVEs, 11 of which Google identifies as either critical or high priority fixes. We recommend taking steps to have all Google Chrome users in your environment force a browser update if theirs hasn’t already been updated to the new version.

Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.
