
=====================================================================

                             CERT-Renater

                   Note d'Information No. 2023/VULN298

_____________________________________________________________________

DATE                : 07/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running electron (npm) versions prior
                     to 22.0.1, 23.0.0-alpha.2, 26.0.0-beta.13, 25.5.0,
                     24.7.1, 23.3.13, 22.3.19, 22.3.6, 23.2.3, 24.0.1,
                     25.0.0-alpha.2.

=====================================================================
https://github.com/electron/electron/security/advisories/GHSA-gxh7-wv9q-fwfr
https://github.com/electron/electron/security/advisories/GHSA-7x97-j373-85x5
https://github.com/electron/electron/security/advisories/GHSA-p7v2-p9m8-qqg7
_____________________________________________________________________


Content-Security-Policy disabling eval not applied consistently in
renderers with sandbox disabled

High
MarshallOfSound published GHSA-gxh7-wv9q-fwfr
Package
electron (npm)

Affected versions
>= 22.0.0-beta.1 < 22.0.1, >= 23.0.0-alpha.1 < 23.0.0-alpha.2

Patched versions
22.0.1, 23.0.0-alpha.2


Description

Impact

A Content-Security-Policy that disables eval, specifically one that
sets a script-src directive without 'unsafe-eval' in that directive,
is not respected in renderers that have both sandbox and
contextIsolation disabled, i.e. sandbox: false and
contextIsolation: false in the webPreferences object.

This incorrectly allowed the use of methods like eval() and
new Function, which expands the attack surface.


Patches

This issue only ever affected the 22 and 23 major versions of
Electron and has been fixed in the latest versions of those
release lines. Specifically, these versions contain the fixes:

     22.??
     23.??

We recommend all apps upgrade to the latest stable version of
Electron, especially if they use sandbox: false or
contextIsolation: false.


Workarounds

If upgrading isn't possible, this issue can be addressed without
upgrading by enabling at least one of sandbox: true or
contextIsolation: true on all renderers.

// Main process: opting the renderer into the sandbox (or setting
// contextIsolation: true) restores CSP enforcement of eval.
const { BrowserWindow } = require('electron');

const mainWindow = new BrowserWindow({
   webPreferences: {
     sandbox: true,
   }
});
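An added audit helper (not Electron's code and not part of the original advisory) that checks the two halves of the condition above: does the renderer's CSP actually disable eval, and does its webPreferences object run with both sandbox and contextIsolation off. The policy parser follows the CSP rule that script-src falls back to default-src and that the first occurrence of a duplicated directive wins; the handling of unspecified keys assumes Electron 20+ defaults (contextIsolation true, sandbox true unless nodeIntegration is set), and the sample policy and configurations are constructed.

```javascript
// Parse a CSP policy string into a Map of directive name -> source list.
// Per the CSP spec, when a directive name appears twice the first one
// wins, so later duplicates are ignored here too.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the policy forbids eval()/new Function: a script-src directive
// (falling back to default-src, as the spec prescribes) is present and
// lacks 'unsafe-eval'. With neither directive, CSP does not restrict eval.
function cspDisablesEval(policy) {
  const directives = parseCsp(policy);
  const effective = directives.get('script-src') ?? directives.get('default-src');
  if (effective === undefined) return false;
  return !effective.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// The condition from GHSA-gxh7-wv9q-fwfr: the CSP is what blocks eval, but
// the renderer runs with both sandbox and contextIsolation disabled.
// Assumption about defaults (Electron 20+): contextIsolation defaults to
// true, and sandbox defaults to true unless nodeIntegration is enabled.
function rendererReliesOnBrokenCspEval(webPreferences, policy) {
  const prefs = webPreferences ?? {};
  const sandboxOff = prefs.sandbox === false ||
    (prefs.sandbox === undefined && prefs.nodeIntegration === true);
  const isolationOff = prefs.contextIsolation === false;
  return sandboxOff && isolationOff && cspDisablesEval(policy);
}

// Constructed sample: one policy, three renderer configurations.
const samplePolicy = "default-src 'self'; script-src 'self' https://cdn.example";
const findings = [
  { name: 'legacy', prefs: { sandbox: false, contextIsolation: false } },
  { name: 'workaround', prefs: { sandbox: true, contextIsolation: false } },
  { name: 'default', prefs: {} },
].map((w) => `${w.name}: ${rendererReliesOnBrokenCspEval(w.prefs, samplePolicy) ? 'AFFECTED' : 'ok'}`);
```

The check covers the configuration condition only; whether the running Electron version falls in the affected range must be confirmed separately against the version lists above.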


For more information

If you have any questions or comments about this advisory,
email us at security@electronjs.org.


Credit

Thanks to user @andreasdj for reporting this issue.


Severity
High

7.5 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
High

Privileges required
Low

User interaction
None

Scope
Unchanged

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2023-23623

Weaknesses
No CWEs


Credits

     @andreasdj andreasdj
_____________________________________________________________________


Out-of-package code execution when launched with arbitrary cwd
Moderate
MarshallOfSound published GHSA-7x97-j373-85x5
Package
electron (npm)

Affected versions
< 22.3.19 || >= 23.0.0-alpha.1 < 23.3.13 || >= 24.0.0-alpha.1 < 24.7.1
|| >= 25.0.0-alpha.1 < 25.5.0 || >= 26.0.0-alpha.1 < 26.0.0-beta.13

Patched versions
26.0.0-beta.13, 25.5.0, 24.7.1, 23.3.13, 22.3.19


Description

Impact

Apps that are launched as command line executables are impacted,
e.g. if your app exposes itself in the path and is run as myapp --help.

Specifically this issue can only be exploited if the following
conditions are met:

     Your app is launched with an attacker-controlled working
     directory
     The attacker has the ability to write files to that working
     directory

This makes the risk quite low; in fact, issues of this kind are
normally considered outside of our threat model because, like
Chromium, we exclude physically local attacks. However, given that
this issue can bypass certain protections such as ASAR Integrity, it
is being treated with higher importance. Please bear this in mind
when reporting similar issues in the future.


Workarounds

There are no app side workarounds, you must update to a patched
version of Electron.


Fixed Versions

     26.0.0-beta.13
     25.5.0
     24.7.1
     23.3.13
     22.3.19

For more information

If you have any questions or comments about this advisory,
email us at security@electronjs.org.


Severity
Moderate

6.1 / 10

CVSS base metrics

Attack vector
Local

Attack complexity
Low

Privileges required
Low

User interaction
Required

Scope
Unchanged

Confidentiality
Low

Integrity
High

Availability
Low

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

CVE ID
CVE-2023-39956

Weaknesses
No CWEs

Credits

     @MarshallOfSound MarshallOfSound

_____________________________________________________________________


Context isolation bypass via nested unserializable return value
Moderate
MarshallOfSound published GHSA-p7v2-p9m8-qqg7

Package
electron (npm)

Affected versions
< 22.3.6 || >= 23.0.0-alpha.1 < 23.2.3 || >= 24.0.0-alpha.1 < 24.0.1
|| >= 25.0.0-alpha.1 < 25.0.0-alpha.2

Patched versions
22.3.6, 23.2.3, 24.0.1, 25.0.0-alpha.2

Description
Impact

Apps using contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in
the main world context in the renderer can reach into the isolated
Electron context and perform privileged actions.


Workarounds

This issue is exploitable under either of two conditions:

     If an API exposed to the main world via contextBridge can return an
     object or array that contains a JS object which cannot be serialized,
     for instance a canvas rendering context. This would normally result
     in the exception "Error: object could not be cloned" being thrown.

     If an API exposed to the main world via contextBridge has a return
     value that throws a user-generated exception while being sent over
     the bridge, for instance a dynamic getter property on an object that
     throws an error when being computed.

The app side workaround is to ensure that such a case is not possible.
Ensure all values returned from a function exposed over the context
bridge are supported and that any objects returned from functions do not
have dynamic getters that can throw exceptions.

Auditing your exposed API is likely to be quite difficult so we strongly
recommend you update to a patched version of Electron.
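One way to make the audit described above mechanical, as an added example that is not Electron's code or part of the advisory: a guard that walks each return value before it is handed to the bridge, reporting non-plain objects (the canvas-context case) and accessor properties (the throwing-getter case) without ever invoking a getter. The allow-list of accepted types (primitives, arrays, plain objects) is a deliberately conservative assumption rather than Electron's official list of bridge-supported types, and the three sample APIs are constructed.

```javascript
// Walk a value as the bridge would and return the first hazard found as a
// path string, or null when the value is safe to send. Property descriptors
// are inspected instead of reading value[key], so a throwing getter is
// reported without being invoked. Assumed allow-list: primitives, arrays,
// plain objects (Object.prototype or null prototype); everything else is
// rejected, which is stricter than what the bridge itself accepts.
function findBridgeHazard(value, path = '$', seen = new Set()) {
  if (value === null || value === undefined) return null;
  const t = typeof value;
  if (t === 'string' || t === 'number' || t === 'boolean') return null;
  if (t !== 'object') return `${path}: ${t} values are not allowed`;
  if (seen.has(value)) return `${path}: circular reference`;
  seen.add(value);
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const h = findBridgeHazard(value[i], `${path}[${i}]`, seen);
      if (h !== null) return h;
    }
    return null;
  }
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null)
    return `${path}: non-plain object (${(value.constructor || {}).name || 'unknown'})`;
  for (const key of Object.getOwnPropertyNames(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    if (desc.get || desc.set) return `${path}.${key}: accessor property`;
    const h = findBridgeHazard(desc.value, `${path}.${key}`, seen);
    if (h !== null) return h;
  }
  return null;
}

// Wrap a function before passing it to contextBridge.exposeInMainWorld so an
// unsafe return value fails inside the preload with a clear message instead
// of reaching the bridge. Promise results are checked once they resolve.
function guardBridgeReturn(fn, name) {
  const check = (v) => {
    const hazard = findBridgeHazard(v);
    if (hazard !== null) throw new Error(`${name}: unsafe bridge return value (${hazard})`);
    return v;
  };
  return (...args) => {
    const result = fn(...args);
    return result instanceof Promise ? result.then(check) : check(result);
  };
}

// Constructed sample APIs: safe, throwing getter, and a stand-in canvas context.
const okApi = guardBridgeReturn(() => ({ id: 7, tags: ['a', 'b'] }), 'okApi');
const getterApi = guardBridgeReturn(() => ({ get boom() { throw new Error('computed'); } }), 'getterApi');
const contextApi = guardBridgeReturn(() => ({ ctx: new (class FakeCanvasContext {})() }), 'contextApi');
```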


Fixed Versions

     25.0.0-alpha.2
     24.0.1
     23.2.3
     22.3.6

For more information

If you have any questions or comments about this advisory, email us at
security@electronjs.org.


Severity
Moderate

6.0 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
High

Privileges required
Low

User interaction
None

Scope
Changed

Confidentiality
Low

Integrity
Low

Availability
Low

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

CVE ID
CVE-2023-29198

Weaknesses
No CWEs


Credits

     @MarshallOfSound MarshallOfSound Reporter
     @nornagon nornagon

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

