CVE-2024-39698 (GCVE-0-2024-39698)
Vulnerability from cvelistv5
Published
2024-07-09 17:50
Modified
2024-08-02 04:26
CWE
  • CWE-154 - Improper Neutralization of Variable Name Delimiters
Summary
electron-updater provides automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because the verifier runs its command through a shell, `cmd.exe` makes a first pass over the command line and expands any environment variable it finds there. As a result, `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If that check passes, the malicious update is executed even though its signature is invalid. This attack assumes a compromised update manifest (server compromise, a Man-in-the-Middle attack if the manifest is fetched over HTTP, Cross-Site Scripting that points the application at a malicious update server, etc.). The patch is available starting from 6.3.0-alpha.6.
Impacted products
Vendor Product Version
electron-userland electron-builder Version: < 6.3.0-alpha.6


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:electron:electron:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "electron",
            "vendor": "electron",
            "versions": [
              {
                "lessThan": "6.3.0-alpha.6",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-39698",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-10T14:40:10.938790Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-10T14:41:06.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:26:15.985Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq"
          },
          {
            "name": "https://github.com/electron-userland/electron-builder/pull/8295",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/electron-userland/electron-builder/pull/8295"
          },
          {
            "name": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f"
          },
          {
            "name": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "electron-builder",
          "vendor": "electron-userland",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.3.0-alpha.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-154",
              "description": "CWE-154: Improper Neutralization of Variable Name Delimiters",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-09T17:50:28.169Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq"
        },
        {
          "name": "https://github.com/electron-userland/electron-builder/pull/8295",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/electron-userland/electron-builder/pull/8295"
        },
        {
          "name": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f"
        },
        {
          "name": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41"
        }
      ],
      "source": {
        "advisory": "GHSA-9jxc-qjr9-vjxq",
        "discovery": "UNKNOWN"
      },
      "title": "Code Signing Bypass on Windows in electron-updater \u003c 6.3.0-alpha.6"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-39698",
    "datePublished": "2024-07-09T17:50:28.169Z",
    "dateReserved": "2024-06-27T18:44:13.037Z",
    "dateUpdated": "2024-08-02T04:26:15.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
  }
}

