CVE-2024-1672: Critical Content Security Policy Bypass in Google Chrome (Up to 122..6261.57) - Details, Exploits, and Fixes

CVE-2024-1672 refers to an important security vulnerability found in Google Chrome before version 122..6261.57. This vulnerability results from an inappropriate implementation of the Content Security Policy (CSP). A successful exploitation of this flaw would allow a remote attacker to bypass content security policy through a carefully crafted HTML page. The Chromium project has assigned a 'Medium' severity to this security issue.

In this post, we'll dive into the details of this vulnerability, discuss some working exploit examples, review the original references, and outline the steps necessary to fix the issue.

Content Security Policy Background

CSP is a security feature implemented in web browsers, which helps protect web applications from certain types of attacks, such as Cross-Site Scripting (XSS) and data injection attacks. It works by allowing web developers to define a set of rules that dictate from which sources content can be safely loaded.

The Issue (CVE-2024-1672)

The exploitation of this vulnerability relies on bypassing the CSP to execute unauthorized code or load unauthorized content, potentially leading to data breaches or other security compromises for the victims.

The issue stems from a flawed implementation within Google Chrome's handling of the CSP, which does not correctly enforce the defined policy under specific conditions. This opens up opportunities for attackers to serve a malicious HTML page containing specially crafted content that tricks the browser into allowing unauthorized actions.

Exploit Examples

Here's a highly simplified example of a crafted HTML page that demonstrates an attacker abusing the CSP bypass vulnerability:

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        <title>CVE-2024-1672 Exploit Example</title>
        <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'" />
    </head>
    <body>
        <p>Example of an HTML page that exploits the CVE-2024-1672 vulnerability.</p>
        <script>
            // Malicious JavaScript code goes here
            alert("CSP bypassed!");
        </script>
    </body>
</html>

In this example, the CSP is defined to allow scripts to run from the current page only and not from external sources. However, due to the vulnerability, the malicious JavaScript code enclosed within the