CVE-2018-1000136 in Electron Framework Puts Many Popular Apps at Risk

CVE-2018-1000136 is the identifier of a security vulnerability in the Electron framework used in popular apps such as Skype, Slack, Signal, and WhatsApp. The Electron framework is open-source and is created and maintained by GitHub. The flaw was discovered by Brendan Scarvell from Trustwave.

CVE-2018-1000136 Official Description

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution, according to MITRE’s description.

More specifically, the attack is exploitable through an app that allows execution of third-party code and disallows node integration, but does not specify whether webview is enabled or disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

The framework contains a flaw that allows hackers to execute arbitrary code on remote systems. The flaw affects Electron 1.7.13 and older, as well as Electron 1.8.4 and 2.0.0-beta.3. The problem stems from the interaction between Electron and Node.js.

The flaw allowed nodeIntegration to be re-enabled, leading to the potential for remote code execution, Scarvell explained. Electron applications are essentially web apps, meaning that they are susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input.

A default Electron application has access not only to its own APIs but also to all of Node.js' built-in modules. This makes XSS particularly dangerous, as an attacker's payload can do some nasty things, such as requiring the child_process module and executing system commands on the client side. Atom had an XSS vulnerability not too long ago which did exactly that.

Access to Node.js can be removed by passing nodeIntegration: false into the particular application’s webPreferences.
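As an added illustration (not code from Electron, Trustwave or the sources of this article), the following JavaScript audit helper flags the configuration the CVE description calls out: nodeIntegration set to false while Electron's webviewTag preference is left unspecified, on a version inside the affected ranges quoted above. The function names, finding labels and sample configurations are constructed for this example.

```javascript
// Parse "1.7.12" or "2.0.0-beta.3" into numeric parts; null if unrecognised.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3],
           preTag: m[4] || null, preNum: m[5] ? +m[5] : null };
}

// Affected ranges as quoted in the CVE description: 1.7 up to 1.7.12,
// 1.8 up to 1.8.3, 2.0.0 pre-releases up to 2.0.0-beta.3.
// Returns null when the version string cannot be parsed.
function isAffectedVersion(v) {
  const p = parseVersion(v);
  if (!p) return null;
  if (p.major === 1 && p.minor === 7) return p.patch <= 12;
  if (p.major === 1 && p.minor === 8) return p.patch <= 3;
  if (p.major === 2 && p.minor === 0 && p.patch === 0)
    return p.preTag === 'beta' && p.preNum <= 3;
  return false;
}

// Inspect one webPreferences object as passed to a window constructor.
function auditWebPreferences(prefs) {
  const p = prefs || {};
  const findings = [];
  if (p.nodeIntegration !== false) {
    findings.push('NODE_ENABLED: nodeIntegration is not set to false');
  } else if (typeof p.webviewTag !== 'boolean') {
    // Node.js disabled, but webview support neither enabled nor disabled.
    findings.push('WEBVIEW_UNSPECIFIED: set webviewTag explicitly');
  }
  return findings;
}

// Combine the version check and the preference check for one window.
function auditWindow(electronVersion, prefs) {
  const affected = isAffectedVersion(electronVersion);
  const findings = auditWebPreferences(prefs);
  const cvePattern = findings.some(f => f.startsWith('WEBVIEW_UNSPECIFIED'));
  return { affected, findings, exposed: affected === true && cvePattern };
}

// Constructed sample configurations, not taken from any real application.
const samples = [
  ['1.7.12', { nodeIntegration: false }],
  ['1.7.12', { nodeIntegration: false, webviewTag: false }],
  ['1.8.4', { nodeIntegration: false }],
];
for (const [ver, prefs] of samples) console.log(ver, JSON.stringify(auditWindow(ver, prefs)));
```

Only the first sample is reported as exposed: the second sets webviewTag explicitly and the third runs a fixed release, although it still gets the WEBVIEW_UNSPECIFIED finding as a hardening reminder.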

Here is a full list of the desktop applications that use the Electron framework:

  • Atom
  • CrashPlan
  • Discord
  • GitHub Desktop
  • Keybase
  • Light Table
  • Microsoft Teams
  • Microsoft Visual Studio Code
  • Microsoft SQL Operations Studio
  • Slack
  • Skype
  • Signal
  • Twitch.tv
  • WhatsApp
  • Wire
  • Yammer

As for all the applications built with Electron, another list is available.

The number of applications that are based on the Electron framework means that there is a huge number of potential victims of a CVE-2018-1000136-based attack. Thus, the patch addressing the flaw should be implemented as soon as possible.

Milena Dimitrova
