CVE-2016-5143

Vulnerability

The Developer Tools (DevTools) subsystem in Blink, used by Google Chrome before version 52.0.2743.116, mishandles the script-path hostname, remoteBase parameter, and remoteFrontendUrl parameter. This flaw, distinct from CVE-2016-5144, allows remote attackers to bypass intended access restrictions through a crafted URL [2]. The vulnerability resides in the DevTools front-end code, specifically in Runtime.js [2].

Exploitation

An attacker requires no authentication or special network position; the vulnerability can be exploited by enticing a victim to visit a maliciously crafted URL (e.g., via a web page or link). The attacker manipulates the remoteFrontendUrl and remoteBase parameters, which are not properly whitelisted, enabling the attacker to load arbitrary script paths and bypass security checks [2]. The fix involves whitelisting these parameters and ensuring the hostname is not normalized improperly [2].

Impact

Successful exploitation allows an attacker to bypass access restrictions, potentially leading to arbitrary code execution or sensitive information disclosure. The vulnerability is rated Critical with a CVSS v3 base score of 9.8, and is described as allowing “remote attackers to bypass intended access restrictions” [1][4]. This could enable the attacker to execute commands in the context of the browser process, compromising confidentiality, integrity, and availability.

Mitigation

The vulnerability is fixed in Chrome version 52.0.2743.116 and later [1]. Red Hat Enterprise Linux 6 users received the fix via RHSA-2016:1580, upgrading Chromium to version 52.0.2743.116 [1]. Gentoo users should upgrade to Chromium version 54.0.2840.59 or later per GLSA 201610-09 [4]. No workaround is available other than applying the update. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.