CVE-2018-1000136 is the identifier of a security vulnerability in the Electron framework used in popular apps such as Skype, Slack, Signal, and WhatsApp. The Electron framework is open-source and is created and maintained by GitHub. The flaw was discovered by Brendan Scarvell from Trustwave.
CVE-2018-1000136 Official Description
Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution, according to MITRE’s description.
More specifically, this attack is exploitable via an app which allows execution of third party code disallowing node integration without having specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.
The framework contains a flaw that allows hackers to execute arbitrary code on remote systems. The flaw affects Electron 1.7.13 and older, as well as Electron 1.8.4 and 2.0.0-beta.3. The problem stems the interaction between Electron and Node.js.
Тhe flaw allowed nodeIntegration to be re-enabled, leading to the potential for remote code execution, Scarvell explained. Electron applications are essentially web apps, meaning that they are susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input.
A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js’ built in modules. This makes XSS particularly dangerous, as an attacker’s payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side. Atom had an XSS vulnerability not too long ago which did exactly that.
Access to Node.js can be removed by passing nodeIntegration: false into the particular application’s webPreferences.
Here is a full list of the desktop applications that use the Electron framework:
- GitHub Desktop
- Light Table
- Microsoft Teams
- Microsoft Visual Studio Code
- Microsoft SQL Operations Studio
As for all the applications built with Electron, another list is available.
The number of applications that are based on the Electron framework means that there is a huge number of potential victims of a CVE-2018-1000136-based attack. Thus, the patch addressing the flaw should be implemented as soon as possible.