CVE-2021-37964: 
vulnerability analysis and mitigation

CVE-2021-37964 is a security vulnerability discovered in Google Chrome on ChromeOS prior to version 94.0.4606.54. The vulnerability was identified on April 28, 2021, by Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong and was publicly disclosed in September 2021 (Chrome Release). The vulnerability affects the ChromeOS Networking component, specifically impacting systems running ChromeOS.

The vulnerability stems from an inappropriate implementation in ChromeOS Networking that could allow an attacker with a rogue wireless access point to potentially carry out a wifi impersonation attack via a crafted ONC file. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

If exploited, this vulnerability could allow an attacker to perform wifi impersonation attacks, potentially compromising the integrity of network connections on affected ChromeOS systems. The impact is considered low severity due to the required user interaction and local access limitations (NVD).

Google addressed this vulnerability in Chrome version 94.0.4606.54. Users are advised to update their ChromeOS systems to this version or later. The fix was subsequently incorporated into various Linux distributions, including Debian 11 (Bullseye) with version 97.0.4692.71-0.1~deb11u1 and Fedora with version 94.0.4606.61 (Debian Advisory, Fedora Update).