Missing Permission checks resulting in unauthorized access and Manipulation in KeyChainActivity Application
The vulnerability results from missing required permission checks (CWE-862 – Missing Authorization) in the KeyChainActivity application. A remote, unauthenticated attacker can send a specially crafted request to the vulnerable application, bypassing access control mechanisms. As a result, unauthorized reading, modification, or destruction of data handled by KeyChainActivity is possible.
An attacker can gain unauthorized access to sensitive data managed by the KeyChainActivity application and modify it, threatening the confidentiality, integrity, and availability of the system. The network vector without authentication requirement means the attack can be carried out remotely and without user interaction.
Security patches available from the manufacturer should be applied in accordance with references — Google security bulletin for Chromecast dated 2023-12-01 (https://source.android.com/docs/security/bulletin/chromecast/2023-12-01). It is recommended to update the firmware of Chromecast devices as soon as possible.
Google Chromecast devices with firmware — versions indicated in manufacturer references (Chromecast security bulletin from December 2023).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoogle Chromecast
HWGooglewszystkie wersjeGoogle Chromecast Firmware
OSGoogle< 2023-10-01
Related vulnerabilities
Krytyczna podatność u-boot w Google Chromecast — dostęp do powłoki przez UART
Privilege escalation poprzez podatność w U-Boot shell na Google Chromecast
Podatność U-Boot w Google Chromecast umożliwiająca trwałe wykonanie kodu
RCE w Google Chromecast — trwałe wykonanie kodu przez błąd BCB
The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding atta...