CVE-2025-34091

{"id": "CVE-2025-34091", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-02T20:15:30.260", "references": [{"url": "https://vulncheck.com/advisories/google-chrome-appbound-cookie-encryption", "source": "disclosure@vulncheck.com"}, {"url": "https://www.cyberark.com/resources/threat-research-blog/c4-bomb-blowing-up-chromes-appbound-cookie-encryption", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "A padding oracle vulnerability exists in Google Chrome\u2019s AppBound cookie encryption mechanism due to observable decryption failure behavior in Windows Event Logs when handling malformed ciphertext in SYSTEM-DPAPI-encrypted blobs. A local attacker can repeatedly send malformed ciphertexts to the Chrome elevation service and distinguish between padding and MAC errors, enabling a padding oracle attack. This allows partial decryption of the SYSTEM-DPAPI layer and eventual recovery of the user-DPAPI encrypted cookie key, which is trivially decrypted by the attacker\u2019s own context. This issue undermines the core purpose of AppBound Encryption by enabling low-privileged cookie theft through cryptographic misuse and verbose error feedback.\n\nConfirmed in Google Chrome with AppBound Encryption enabled. Other Chromium-based browsers may be affected if they implement similar COM-based encryption mechanisms.\n\nThis behavior arises from a combination of Chrome\u2019s AppBound implementation and the way Microsoft Windows DPAPI reports decryption failures via Event Logs. As such, the vulnerability relies on cryptographic behavior and error visibility in all supported versions of Windows."}, {"lang": "es", "value": "Existe una vulnerabilidad de or\u00e1culo de relleno en el mecanismo de cifrado de cookies AppBound de Google Chrome debido a un comportamiento de descifrado fallido observable en los registros de eventos de Windows al gestionar texto cifrado malformado en blobs cifrados con SYSTEM-DPAPI. Un atacante local puede enviar repetidamente textos cifrados malformados al servicio de elevaci\u00f3n de Chrome y distinguir entre errores de relleno y MAC, lo que permite un ataque de or\u00e1culo de relleno. Esto permite el descifrado parcial de la capa SYSTEM-DPAPI y la posterior recuperaci\u00f3n de la clave de cookie cifrada con DPAPI del usuario, que es descifrada f\u00e1cilmente por el propio contexto del atacante. Este problema socava el prop\u00f3sito principal de AppBound Encryption al permitir el robo de cookies con privilegios bajos mediante el uso indebido de la criptograf\u00eda y la retroalimentaci\u00f3n de errores detallada. Confirmado en Google Chrome con AppBound Encryption habilitado. Otros navegadores basados en Chromium podr\u00edan verse afectados si implementan mecanismos de cifrado basados en COM similares. Este comportamiento se debe a una combinaci\u00f3n de la implementaci\u00f3n de AppBound en Chrome y la forma en que Microsoft Windows DPAPI informa de los errores de descifrado a trav\u00e9s de los registros de eventos. Como tal, la vulnerabilidad se basa en el comportamiento criptogr\u00e1fico y la visibilidad de errores en todas las versiones compatibles de Windows."}], "lastModified": "2025-07-03T15:13:53.147", "sourceIdentifier": "disclosure@vulncheck.com"}