Man-in-the-Middle Vulnerability in Google Chrome's Software Removal Tool
CVE-2016-1693

5.3 MEDIUM

Summary

Google Chrome prior to version 51.0.2704.63 mishandles retrieval of the Software Removal Tool (CCT): it does not enforce HTTPS when obtaining the tool from dl.google.com. Because the download can take place over an unencrypted HTTP session, a remote attacker in a man-in-the-middle position on that session can spoof the CCT executable. The spoofed file is then run as if it were the legitimate tool, which results in unauthorized execution of malicious software on the user's machine.

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
