CVE-2017-11911: ChakraCore RCE Vulnerability

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.98752%
Published: 5/14/2022
Updated: 7/26/2023
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: Microsoft.ChakraCore
Ecosystem: nuget
Vulnerable Versions: < 1.7.5
First Patched Version: 1.7.5

Vulnerability Intelligence
Root Cause Analysis

The analysis focuses on commit a5d6be6 which patched CVE-2017-11911. The code changes in AsmJsModule.cpp introduced a bitvector (initializerBV) to track variable usage in initializers and added validation to prevent using variables before declaration. The vulnerability occurred because the original implementation didn't ensure variables were declared before being referenced in initializers, allowing attackers to reference undefined constants and trigger OOB reads from the constant table via GetConstRegister(). The explicit error message 'Cannot declare a var after using it in an initializer' in the patch confirms this was the vulnerable path.
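The ordering rule described above, as an added example in a simplified model (not ChakraCore's code and not taken from the patch). The Decl struct, the integer symbol ids and ValidateDeclarations are assumptions made for illustration; only the name initializerBV and the error text come from the analysis.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed, simplified model; not ChakraCore's data structures.
struct Decl {
    int declaredId;      // symbol id being declared
    int initializerRef;  // symbol id read by the initializer, -1 for a literal
};

// Returns "" when the declaration order is acceptable, otherwise the error
// text for the first offending declaration.
std::string ValidateDeclarations(const std::vector<Decl>& decls, int symbolCount) {
    // One bit per symbol: set once the symbol has been read by an initializer.
    std::vector<bool> initializerBV(symbolCount > 0 ? symbolCount : 0, false);
    for (const Decl& d : decls) {
        // Reject ids outside the table instead of indexing with them.
        if (d.declaredId < 0 || d.declaredId >= symbolCount ||
            d.initializerRef < -1 || d.initializerRef >= symbolCount) {
            return "Symbol id out of range";
        }
        // Record the read first, so a self-referencing initializer is also
        // rejected (a choice made in this model).
        if (d.initializerRef >= 0) initializerBV[d.initializerRef] = true;
        if (initializerBV[d.declaredId]) {
            return "Cannot declare a var after using it in an initializer";
        }
    }
    return "";
}

int main() {
    std::vector<Decl> inOrder = {{0, -1}, {1, 0}};   // declare 0, then read it
    std::vector<Decl> reversed = {{1, 0}, {0, -1}};  // read 0, then declare it
    std::printf("in order: '%s'\n", ValidateDeclarations(inOrder, 2).c_str());
    std::printf("reversed: '%s'\n", ValidateDeclarations(reversed, 2).c_str());
    return 0;
}
```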
