CVE-2022-2294 — WebRTC Heap Buffer Overflow Vulnerability

CVE-2022-2294

WebRTC — Heap Buffer Overflow in RTCP Parsing Exploited by Candiru Spyware for Chrome Zero-Day

What is WebRTC?

WebRTC (Web Real-Time Communication) is an open-source project and W3C/IETF standard that enables real-time audio, video, and data communication directly between browsers and devices without plugins. It is built into Chrome, Firefox, Safari, Edge, and countless native applications. WebRTC parses untrusted network data, including media streams, RTCP control packets, and peer connection signaling, from a remote party it has only just been introduced to by a web page, which makes it an attractive target for browser exploitation. In Chrome the WebRTC stack runs inside the renderer process, so a heap buffer overflow in it yields code execution in the sandboxed renderer.

Overview

CVE-2022-2294 is a heap buffer overflow (CWE-787) in WebRTC's parsing of RTCP (RTP Control Protocol, RFC 3550) packets. An attacker who lures a victim to a crafted web page can have the page open a WebRTC session and feed the browser malicious RTCP data, triggering the overflow and potentially achieving code execution. Google shipped the fix on July 4, 2022 in Chrome 103.0.5060.114 and stated that an exploit existed in the wild. On July 21, 2022 Avast Threat Intelligence published its attribution: the vulnerability had been exploited by Candiru, an Israeli commercial surveillance vendor, to deliver its DevilsTongue spyware implant against targets in Lebanon and other countries in the region.

Affected Versions

Product                          Vulnerable                              Fixed
Google Chrome                    < 103.0.5060.114                        103.0.5060.114 (2022-07-04)
Microsoft Edge (Chromium)        < 103.0.1264.49                         103.0.1264.49
Other Chromium-based browsers    builds before the Chromium 103 fix      first build carrying the Chromium 103.0.5060.114 fix
Firefox (ships its own copy of libwebrtc)   tracked separately by Mozilla   see Mozilla security advisories

Technical Details

The vulnerability is a heap buffer overflow (CWE-787, out-of-bounds write) in WebRTC's processing of RTCP (RTP Control Protocol) packets:

  • Root cause: Insufficient bounds checking when parsing RTCP feedback messages; attacker-controlled packet data causes a write past the end of a heap buffer
  • Trigger: A JavaScript web page initiates a WebRTC peer connection with the victim's browser; the attacker's RTCP responses contain the malicious payload
  • Attack vector: Remote — victim visits a malicious web page or receives a link triggering WebRTC negotiation
  • User interaction required: User must visit the malicious page; no further interaction needed once the page loads
  • Sandbox context: The overflow occurs in the renderer process, where Chrome hosts its WebRTC stack; the renderer is sandboxed, so full OS code execution requires a separate sandbox-escape bug as a second stage
  • Impact: Arbitrary code execution in the Chrome renderer process; combined with a sandbox escape, full OS compromise
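
The bounds-check failure the bullets above describe, reduced to a minimal RTCP feedback-message parser. This is an added illustration written for this page in C; it is not WebRTC's code and not the patched function. The header layout follows RFC 3550 (common header) and RFC 4585 (feedback messages with sender SSRC, media SSRC and FCI), the two packets are constructed for the example, and the function names `fci_len_trusting_header` and `rtcp_fb_parse` are the example's own. The vulnerable variant only reports how many bytes it would copy, so the example runs without corrupting memory; the hardened variant performs the copy after bounding the declared length by both the bytes actually received and the destination capacity.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RTCP common header (RFC 3550 6.4.1), 4 bytes, followed in feedback
 * messages (RFC 4585 6.1) by sender SSRC, media SSRC and then the FCI:
 *   byte 0:   V(2 bits)=2 | P(1) | FMT(5)
 *   byte 1:   PT (205 = RTPFB, 206 = PSFB)
 *   bytes 2-3: length in 32-bit words minus one, i.e. bytes = (length + 1) * 4
 */
#define RTCP_FB_HDR_LEN 12
#define RTCP_PT_RTPFB   205
#define RTCP_PT_PSFB    206

/* Byte count the packet claims for itself, taken from the length field. */
static size_t rtcp_declared_len(const uint8_t *pkt) {
    return ((size_t)(((unsigned)pkt[2] << 8) | pkt[3]) + 1) * 4;
}

/* Vulnerable pattern: the FCI size is derived from the attacker-controlled
 * length field alone and never compared with pkt_len or the destination
 * size. Returns the number of FCI bytes such a parser would memcpy; for a
 * crafted packet this exceeds both the bytes received and any fixed-size
 * heap buffer, which is the CWE-787 write the advisory describes. The copy
 * is deliberately not performed here. */
size_t fci_len_trusting_header(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < RTCP_FB_HDR_LEN) return 0;
    size_t declared = rtcp_declared_len(pkt);
    if (declared < RTCP_FB_HDR_LEN) return 0;
    return declared - RTCP_FB_HDR_LEN;   /* missing: declared <= pkt_len, fci <= capacity */
}

/* Hardened parser: check version and payload type, bound the declared
 * length by what was really received, and bound the FCI by the destination
 * capacity before a single byte is written.
 * Returns the FCI length copied, or -1 for a malformed packet. */
long rtcp_fb_parse(const uint8_t *pkt, size_t pkt_len,
                   uint8_t *fci_out, size_t fci_cap) {
    if (pkt == NULL || fci_out == NULL || pkt_len < RTCP_FB_HDR_LEN) return -1;
    if ((pkt[0] >> 6) != 2) return -1;                         /* RTP version must be 2 */
    if (pkt[1] != RTCP_PT_RTPFB && pkt[1] != RTCP_PT_PSFB) return -1;
    size_t declared = rtcp_declared_len(pkt);
    if (declared < RTCP_FB_HDR_LEN || declared > pkt_len) return -1; /* source bound */
    size_t fci_len = declared - RTCP_FB_HDR_LEN;
    if (fci_len > fci_cap) return -1;                          /* destination bound */
    memcpy(fci_out, pkt + RTCP_FB_HDR_LEN, fci_len);
    return (long)fci_len;
}

/* Constructed sample packets (not captured traffic). */
/* Well-formed generic NACK: FMT=1, PT=205, length=3 (16 bytes), one FCI entry. */
const uint8_t rtcp_nack_ok[16] = {
    0x81, 0xCD, 0x00, 0x03,
    0x11, 0x22, 0x33, 0x44,   /* sender SSRC */
    0xAA, 0xBB, 0xCC, 0xDD,   /* media source SSRC */
    0x12, 0x34, 0x00, 0x01    /* FCI: PID=0x1234, BLP=0x0001 */
};
/* Crafted: same 16 bytes on the wire, but the length field claims
 * (0x0FFF + 1) * 4 = 16384 bytes. */
const uint8_t rtcp_nack_crafted[16] = {
    0x81, 0xCD, 0x0F, 0xFF,
    0x11, 0x22, 0x33, 0x44,
    0xAA, 0xBB, 0xCC, 0xDD,
    0x12, 0x34, 0x00, 0x01
};

int main(void) {
    uint8_t fci[64];
    printf("ok packet:      trusting=%zu checked=%ld\n",
           fci_len_trusting_header(rtcp_nack_ok, sizeof rtcp_nack_ok),
           rtcp_fb_parse(rtcp_nack_ok, sizeof rtcp_nack_ok, fci, sizeof fci));
    printf("crafted packet: trusting=%zu checked=%ld\n",
           fci_len_trusting_header(rtcp_nack_crafted, sizeof rtcp_nack_crafted),
           rtcp_fb_parse(rtcp_nack_crafted, sizeof rtcp_nack_crafted, fci, sizeof fci));
    return 0;
}
```

For the well-formed packet both functions agree on 4 FCI bytes; for the crafted one the trusting variant would copy 16372 bytes out of a 16-byte packet into a 64-byte buffer, while the hardened parser rejects it. The same two comparisons (declared length against received length, derived length against destination capacity) are the checks any parser of length-prefixed network data must make before writing.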

Discovery

Discovered by Jan Vojtesek of Avast Threat Intelligence while investigating suspicious browser activity in Avast telemetry, and reported to Google on July 1, 2022. Google shipped the fix three days later, on July 4, 2022, noting that an exploit existed in the wild. Avast's follow-up report of July 21, 2022 attributed the exploitation to Candiru.

Exploitation Context

Avast attributed exploitation to Candiru (also known as Saito Tech), an Israeli private surveillance company that sells the DevilsTongue spyware platform to government customers. Candiru had previously been publicly exposed by Microsoft and Citizen Lab in July 2021 (Microsoft tracks it as Sourgum) and was added to the US Commerce Department's Entity List alongside NSO Group in November 2021.

Avast's investigation found:

  • Candiru delivered the exploit by compromising legitimate websites with malicious JavaScript that silently initiated WebRTC sessions with victims ("watering hole" attacks)
  • Targets included users in Lebanon, Turkey, Yemen, and Palestine, consistent with government intelligence or law enforcement customers
  • Upon successful exploitation, DevilsTongue was installed — a full-featured Windows implant capable of keylogging, screenshot capture, file exfiltration, and microphone/camera access

The "Known Ransomware Use" value below reflects the flag on CISA's catalog entry; the only observed use of this vulnerability was targeted surveillance, not ransomware.

Remediation

  1. Update Chrome to version 103.0.5060.114 or later. This was an emergency patch for a bug already exploited in the wild; do not delay
  2. Update all Chromium-based browsers (Edge, Brave, Opera and others) to their first build carrying the Chromium 103.0.5060.114 fix
  3. Enable Chrome automatic updates so future zero-day patches are applied as soon as they ship
  4. Enterprise administrators: manage updates centrally (Google Update policies via Group Policy or MDM, or Chrome Browser Cloud Management) and use the RelaunchNotification policy to force a restart, since a downloaded update does not protect a browser that has not relaunched
  5. Note that Chrome offers no flag or enterprise policy that disables WebRTC outright; the WebRtcIPHandling policy only restricts ICE candidate gathering and would not have blocked this exploit. Firefox can disable WebRTC via the media.peerconnection.enabled preference. For Chromium browsers, patching is the only effective mitigation

Key Details

CVE ID: CVE-2022-2294
Vendor / Product: WebRTC (shipped in Google Chrome and other Chromium-based browsers)
NVD Published: 2022-07-28
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 8.8 (HIGH)
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 (Out-of-bounds Write)
CISA KEV Added: 2022-08-25
CISA KEV Deadline: 2022-09-15
Known Ransomware Use: Yes (catalog flag; see Exploitation Context)

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-09-15. Apply updates per vendor instructions.

Timeline

Date         Event
2022-07-01   Jan Vojtesek (Avast Threat Intelligence) reports the vulnerability to Google
2022-07-04   Google releases Chrome 103.0.5060.114 patching CVE-2022-2294, noting an exploit exists in the wild
2022-07-21   Avast publishes its attribution of the exploitation to Candiru (DevilsTongue spyware)
2022-07-28   CVE published in NVD
2022-08-25   Added to the CISA Known Exploited Vulnerabilities catalog
2022-09-15   CISA BOD 22-01 remediation deadline