Permissions Bypass in Extension Management in Google ChromeOS 16181.27.0 on managed Chrome devices allows a local attacker to disable extensions and access Developer Mode, including loading additional extensions via exploiting vulnerabilities using the ExtHang3r and ExtPrint3r tools.
The error classified as CWE-276 (incorrect default permissions) concerns the extension management mechanism in ChromeOS on managed devices. An attacker with local access to the device can exploit this vulnerability using ExtHang3r and ExtPrint3r tools. As a result, it is possible to disable extensions enforced by corporate policy and unlock Developer Mode, which opens the way for loading additional unauthorized extensions.
An attacker can disable security extensions enforced by the administrator, gain access to developer mode, and load their own potentially malicious extensions — which can lead to violations of confidentiality, integrity, and availability of data on the device.
Patches available from the vendor should be applied according to references. It is recommended to monitor updates in Google Issue Tracker (issues.chromium.org/issues/b/399652193) and promptly implement the patched version of ChromeOS once released by Google.
Google ChromeOS version 16181.27.0 on managed Chrome devices.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoogle Chrome Os
OSGoogle16181.27.0
Related vulnerabilities
Unspecified vulnerability in Adobe Flash Player 21.0.0.242 and earlier allows remote attackers to execute arbi...
Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Wind...
Inappropriate implementation in OS in Google Chrome on ChromeOS prior to 75.0.3770.80 allowed a remote attacke...
Out of bounds write in Chrome OS Audio Server in Google Chrome on Chrome OS prior to 102.0.5005.125 allowed a ...