CVE-2017-15423 : Security Advisory and Response

Learn about CVE-2017-15423 affecting Google Chrome versions before 63.0.3239.84. Find out how a remote attacker could exploit the BoringSSL SPAKE2 flaw to extract SHA512(password) bits.

Google Chrome versions before 63.0.3239.84 had an improper implementation issue in BoringSSL SPAKE2, allowing a remote attacker to extract SHA512(password) bits from protocol traffic.

Understanding CVE-2017-15423

Google Chrome prior to version 63.0.3239.84 had a cryptographic flaw that could be exploited by a remote attacker.

What is CVE-2017-15423?

This CVE refers to an inappropriate implementation in BoringSSL SPAKE2 in Google Chrome, enabling a remote attacker to extract low-order bits of SHA512(password) by analyzing protocol traffic.

The Impact of CVE-2017-15423

The vulnerability could lead to the leakage of sensitive information, potentially compromising user passwords and security.

Technical Details of CVE-2017-15423

Google Chrome's vulnerability is detailed below:

Vulnerability Description

        Improper implementation in BoringSSL SPAKE2
        Allows remote attackers to extract low-order bits of SHA512(password)

Affected Systems and Versions

        Product: Google Chrome
        Versions: prior to 63.0.3239.84

Exploitation Mechanism

        Attackers can exploit the flaw by inspecting protocol traffic

Mitigation and Prevention

Immediate Steps to Take:

        Update Google Chrome to version 63.0.3239.84 or later
        Monitor network traffic for any suspicious activity

Long-Term Security Practices:

        Regularly update software and applications
        Implement strong password policies and multi-factor authentication
        Educate users on safe browsing habits

Patching and Updates

        Google released a fix in version 63.0.3239.84 to address this vulnerability.
