Gerrit Access Control Vulnerability in ChromeOS Allowing Remote Code Execution

Vulnerability

An access control vulnerability has been identified in the ChromiumOS project configuration on Google ChromeOS version 16063.87.0. This vulnerability allows an attacker with a registered Gerrit account to inject malicious code into ChromeOS projects, potentially leading to remote code execution and denial-of-service. The issue arises from insufficient access controls and misconfigurations in Gerrit's project configuration, which enable unauthorized code modifications in trusted pipelines.

Impact

Exploitation of this vulnerability could result in unauthorized code being injected into ChromiumOS projects, including core components of the operating system. Such actions could bypass normal review processes and introduce malicious code that could be executed within the ChromeOS environment.

Reproduction

To reproduce this vulnerability, a registered user can log into Gerrit's Chromium review portal and search for change tickets under the ChromiumOS project that are owned by a Google service account bot. By exploiting a race condition, it's possible to inject malicious code into these tickets before they are merged by the bot, effectively bypassing standard review processes and injecting code that could be executed in the ChromeOS environment.

Remediation

The vulnerability has been fixed by restricting the 'addPatchSet' permission to trusted contributors and addressing the unsafe copy logic that allowed malicious code to be injected into change tickets. Users should ensure that similar access control misconfigurations are not present in other repositories.
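One way to audit other repositories for the misconfiguration the remediation describes, as an added example that is not part of this advisory or of the ChromiumOS project: a small Python check that parses a Gerrit project.config and flags any ref where addPatchSet is granted to a system-wide group. The sample configs are constructed, and the group name "Trusted Contributors" is an assumption.

```python
import re
from typing import List, Tuple

# Gerrit's built-in groups that any account (or anyone at all) belongs to.
# Granting addPatchSet to them lets arbitrary users add patch sets to changes
# they do not own, which is the overly broad setting this check flags.
BROAD_GROUPS = {"Registered Users", "Anonymous Users"}

# Constructed samples in Gerrit's project.config (git-config) syntax. The weak
# one mirrors Gerrit's stock All-Projects default; the fixed one expresses the
# advisory's remediation ("Trusted Contributors" is an assumed group name).
SAMPLE_WEAK = """[access "refs/for/*"]
\taddPatchSet = group Registered Users
[access "refs/heads/*"]
\tsubmit = group Project Owners
"""

SAMPLE_FIXED = """[access "refs/for/*"]
\taddPatchSet = group Trusted Contributors
\taddPatchSet = deny group Registered Users
"""

_SECTION = re.compile(r'^\[access\s+"(?P<ref>[^"]+)"\]$')
_RULE = re.compile(r'^(?P<perm>\w+)\s*=\s*(?P<rule>.+)$')


def find_broad_add_patch_set(config_text: str) -> List[Tuple[str, str]]:
    """Return (ref pattern, group) pairs where addPatchSet is granted to a
    broad group. 'deny' and 'block' rules restrict, so they are skipped."""
    findings: List[Tuple[str, str]] = []
    current_ref = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        section = _SECTION.match(line)
        if section:
            current_ref = section.group("ref")
            continue
        if line.startswith("["):
            current_ref = None  # some other section, e.g. [project]
            continue
        rule = _RULE.match(line)
        if not (rule and current_ref) or rule.group("perm") != "addPatchSet":
            continue
        if rule.group("rule").split()[0] in ("deny", "block"):
            continue
        group = rule.group("rule").partition("group ")[2].strip()
        if group in BROAD_GROUPS:
            findings.append((current_ref, group))
    return findings
```

Run it over the project.config stored on each project's refs/meta/config branch (All-Projects included, since children inherit its rules); an empty result everywhere means no ref grants addPatchSet to a system-wide group.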

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 5.6
exploitability: 4.2
remediation: 5.6
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.