CVE-2017-15397
Description
Inappropriate implementation in ChromeVox in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker in a privileged network position to observe or tamper with certain cleartext HTTP requests by leveraging that position.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ChromeVox in Chrome OS before 62.0.3202.74 did not use SSL for certain startup HTTP requests, enabling MITM attacks.
Vulnerability
The vulnerability exists in the ChromeVox component of Chrome OS prior to version 62.0.3202.74. During the startup process, before a user logs in, ChromeVox makes network calls over cleartext HTTP instead of HTTPS. This occurs when ChromeVox is enabled on the login screen. All Chrome OS builds before the fix shipped in M62 (62.0.3202.74) are affected [1].
Exploitation
An attacker in a privileged network position (e.g., on the same Wi-Fi network) can perform a man-in-the-middle attack. The attacker sets up a proxy and redirects traffic. When a victim restarts the device and enables ChromeVox on the login screen, the vulnerable HTTP requests are sent. By intercepting these requests, the attacker could inject malicious content or send a very large packet to crash the device [1].
Impact
Successful exploitation could allow the attacker to observe or tamper with cleartext HTTP requests. The impact includes potential injection of arbitrary content into Chrome OS or causing a denial of service by crashing the device. The attacker gains no authenticated access but can manipulate network-level communication [1].
Mitigation
The vendor fixed this issue in Chrome OS version 62.0.3202.74 (M62). Users should update to this or a later version. No other workarounds are documented. The bug was reported via the Chromium bug tracker and qualified for a bounty [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
- www.securityfocus.com/bid/102435 (BID)
- chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html
- crbug.com/627300
- wwws.nightwatchcybersecurity.com/2018/01/01/chromeos-doesnt-always-use-ssl-during-startup-cve-2017-15397/
News mentions: 0
No linked articles in our index yet.