CVE-2023-6345

Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

• Enable the Application Vulnerability policy, which will detect when a vulnerable app version is on the device. Since there are known exploits, we suggest you set the severity to high and block user access to work data until they update the app. 
• Lookout will publish the coverage on December 7th, 2023 after which the alerts will be generated based on the admin's risk, response and escalation setup. Any device with vulnerable versions of Chrome (at or below 119.0.6045.192) or Edge (Edge 119.0.2151.96) will receive an alert if detected after that date. 
• Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device. 

Overview 

Google recently disclosed a critical vulnerability that has known active exploits in the wild. CVE-2023-6345 is a vulnerability in Skia, which is the 2D graphics engine for Google Chrome, ChromeOS, Android, and Microsoft Edge. If successfully exploited, a remote attacker could potentially perform a “sandbox escape” via a malicious file, which would enable them to infect the vulnerable device with malicious code and steal sensitive data. 

Since this vulnerability is being actively exploited in the wild, it’s been assigned a CVSS score of 9.6 and CISA has made it a requirement for government organizations to patch it by December 21st, 2023. 

‍

Lookout Analysis

To fully understand the severity of this vulnerability, it’s important to know what a sandbox escape is. Sandboxing is a commonly-used technique that isolates programs running side-by-side. While it’s typically used to test or analyze the programs, it also allows multiple programs to run in their own ‘sandboxes’  without interfering with each other. 

Using a sandbox escape is when an attacker knows that their malicious code will likely end up in a particular sandbox, and they can use their knowledge of the system’s architecture to help that code escape the restricted environment. Once that code ‘escapes’, it can carry out its malicious intent on the vulnerable device - often without many other system-level restrictions keeping it at bay. 

Since the malicious code needs to be delivered to the device with a file, the attacker would need to get that file onto their target’s vulnerable device. As is frequently the case, this would most likely be done by sending a message over SMS, email, a third-party messaging platform, or any mobile app that has a messaging feature. That message would either contain a link to the file or send the file directly, but with some simple social engineering the attacker could convince the victim to download the file and unknowingly bring the malicious code onto their device. 

Finally, it’s important to note that mobile device management (MDM) solutions would not detect this type of attack. While MDMs are useful for managing which apps are on a device and enforcing basic device security measures, they cannot detect phishing links or malicious code being loaded onto the device.