CVE-2018-1000136 in Electron Framework Puts Many Popular Apps at Risk

CVE-2018-1000136 is the identifier of a security vulnerability in the Electron framework used in popular apps such as Skype, Slack, Signal, and WhatsApp. The Electron framework is open-source and is created and maintained by GitHub. The flaw was discovered by Brendan Scarvell from Trustwave.

CVE-2018-1000136 Official Description

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution, according to MITRE’s description.

More specifically, the attack is exploitable via an app that allows execution of third-party code while disallowing node integration, without having specified whether webview is enabled or disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

The framework contains a flaw that allows hackers to execute arbitrary code on remote systems. The flaw affects Electron 1.7.13 and older, as well as Electron 1.8.4 and 2.0.0-beta.3. The problem stems from the interaction between Electron and Node.js.

The flaw allowed nodeIntegration to be re-enabled, leading to the potential for remote code execution, Scarvell explained. Electron applications are essentially web apps, meaning that they are susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input.

A default Electron application has access not only to its own APIs but also to all of Node.js' built-in modules. This makes XSS particularly dangerous, as an attacker's payload can do some nasty things such as require in the child_process module and execute system commands on the client-side. Atom had an XSS vulnerability not too long ago which did exactly
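The configuration named in the CVE description can be checked statically. The following is an added example, not code from Electron or Trustwave: it flags a webPreferences object that sets nodeIntegration to false without stating webviewTag either way, and compares the Electron version with the fixed releases listed above. The function names and sample objects are constructed for illustration; webviewTag is Electron's webPreferences option controlling the webview tag.

```javascript
// Added example: audits plain webPreferences objects, so it runs in Node
// without Electron installed. Fixed releases are the ones listed on this page.
const FIXED = { '1.7': '1.7.13', '1.8': '1.8.4', '2.0': '2.0.0-beta.4' };

// Parse "2.0.0-beta.3" into [major, minor, patch, beta]. A final release
// gets beta = Infinity so that it sorts after every beta of the same version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(v);
  if (!m) throw new Error(`unrecognised version: ${v}`);
  const beta = m[4] === undefined ? Infinity : Number(m[4]);
  return [Number(m[1]), Number(m[2]), Number(m[3]), beta];
}

function isOlder(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false; // equal versions
}

// True when the version belongs to an affected release line and predates its fix.
function isAffectedVersion(version) {
  const [major, minor] = parseVersion(version);
  const fixed = FIXED[`${major}.${minor}`];
  return fixed !== undefined && isOlder(version, fixed);
}

// Flags the pattern from the CVE description: node integration disallowed,
// but webviewTag never stated, so the webview setting is left implicit.
function auditWindow(prefs, electronVersion) {
  const findings = [];
  const nodeOff = prefs.nodeIntegration === false;
  const webviewUnset = !Object.prototype.hasOwnProperty.call(prefs, 'webviewTag');
  if (nodeOff && webviewUnset) {
    findings.push('nodeIntegration is false but webviewTag is not set explicitly');
    if (isAffectedVersion(electronVersion)) {
      findings.push(`Electron ${electronVersion} predates the fixed release for its line`);
    }
  }
  return findings;
}

// Constructed sample configurations.
const risky = { nodeIntegration: false };
const explicit = { nodeIntegration: false, webviewTag: false };
console.log(auditWindow(risky, '1.8.3'));    // two findings
console.log(auditWindow(explicit, '1.8.3')); // no findings
```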

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: