Google ChromeOS ComponentInstaller Modification Vulnerability Allowing Device Unenrollment and Interception of Management Requests

Vulnerability

A vulnerability exists in the ComponentInstaller of Google ChromeOS version 15823.23.0 on Chromebooks. It allows enrolled users with local access to unenroll devices and intercept device management requests by loading components from the unencrypted stateful partition. The root cause is a change made in a recent update: ComponentInstaller now reads from the unencrypted stateful partition. This behavior can be exploited to alter important metadata components, potentially disrupting device management processes.

Impact

Exploitation of this vulnerability allows for unauthorized unenrollment of Chromebooks from device management, and interception of device management requests, including those related to key management.

Reproduction

To reproduce this vulnerability, access a Chromebook running the affected version of ChromeOS. Enrolled users can load a recovery image or an RMA shim that contains an output directory with a custom Certificate Authority (CA) into the unencrypted stateful partition. Once the output directory is in place, ComponentInstaller will read from it, allowing interception of device management requests. This process can be automated with a proof-of-concept tool that logs all device management requests.

Remediation

The vulnerability has been fixed in the latest version of ChromeOS. Users should ensure their devices are updated to the most recent version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.