CVE-2021-37969
📋 TL;DR
This vulnerability allows a remote attacker to escalate privileges on Windows systems running vulnerable versions of Google Chrome. By tricking a user into opening a crafted file, an attacker could gain higher system permissions than intended. This affects Chrome users on Windows prior to version 94.0.4606.54.
💻 Affected Systems
- Google Chrome
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, allowing installation of persistent malware, data theft, and complete control of the affected system.
Likely Case
Local privilege escalation enabling attackers to bypass security controls, install unwanted software, or access restricted system resources.
If Mitigated
Limited impact with proper user account controls and restricted file execution policies in place.
🎯 Exploit Status
Requires user interaction to open a crafted file. The vulnerability is in the updater implementation, suggesting specific file handling issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 94.0.4606.54
Vendor Advisory: https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_21.html
Restart Required: Yes
Instructions:
1. Open Chrome and click the three-dot menu.
2. Go to Help > About Google Chrome.
3. Chrome will automatically check for and install updates.
4. Click 'Relaunch' to restart Chrome with the updated version.
🔧 Temporary Workarounds
Disable automatic Chrome updates
Windows: Prevents the vulnerable updater from running, but leaves the system unpatched for other vulnerabilities
Not recommended as it creates other security risks
🧯 If You Can't Patch
- Restrict user permissions to prevent local privilege escalation
- Implement application whitelisting to block execution of unknown files
🔍 How to Verify
Check if Vulnerable:
Check Chrome version by navigating to chrome://settings/help or clicking Help > About Google Chrome
Check Version:
chrome://version/ in Chrome address bar
Verify Fix Applied:
Confirm Chrome version is 94.0.4606.54 or later
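The version check above can be scripted for hosts where opening the browser is impractical. The following PowerShell is an added example, not part of the vendor advisory; it assumes Chrome sits in a default install location or is registered under the App Paths registry key, and it compares the file version of each chrome.exe it finds against the fixed version 94.0.4606.54.

```powershell
# Added example: flag Chrome installs older than the fixed version from this page.
$FixedVersion = [version]'94.0.4606.54'

# Assumption: default per-machine and per-user install locations.
$candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)

# Also read the App Paths registration, in case Chrome was installed elsewhere.
$appPathKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
)
foreach ($key in $appPathKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -and $item.'(default)') { $candidates += $item.'(default)' }
}

$results = $candidates |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique |
    ForEach-Object {
        $raw    = (Get-Item -LiteralPath $_).VersionInfo.ProductVersion
        $parsed = $null
        $ok     = [version]::TryParse($raw, [ref]$parsed)
        [pscustomobject]@{
            Path    = $_
            Version = $raw
            # A version string that does not parse is reported, not assumed safe.
            Status  = if (-not $ok) { 'UNKNOWN' }
                      elseif ($parsed -lt $FixedVersion) { 'VULNERABLE' }
                      else { 'FIXED' }
        }
    }

if (-not $results) {
    Write-Output 'No chrome.exe found in the checked locations.'
} else {
    $results | Format-Table -AutoSize
}

# Non-zero exit code lets a management tool collect hosts that still need the update.
if ($results.Status -contains 'VULNERABLE') { exit 1 }
```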
📡 Detection & Monitoring
Log Indicators:
- Unusual Chrome updater process activity
- File creation/modification in Chrome update directories
- Elevated privilege requests from Chrome processes
Network Indicators:
- Downloads of suspicious files followed by Chrome updater activity
SIEM Query:
Process creation where parent_process contains 'chrome' and process_name contains 'updater' with elevated privileges
🔗 References
- https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_21.html
- https://crbug.com/1245879
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4DDW7HAHTS3SDVXBQUY4SURELO5D4X7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PM7MOYYHJSWLIFZ4TPJTD7MSA3HSSLV2/
- https://www.debian.org/security/2022/dsa-5046