Signature Validation Bypass Affecting electron-updater package, versions <4.3.1


0.0
medium

Snyk CVSS

    Attack Complexity High
    Confidentiality High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-ELECTRONUPDATER-567704
  • published 21 May 2020
  • disclosed 28 Apr 2020
  • credit Rajiv Shah

Introduced: 28 Apr 2020

CVE NOT AVAILABLE CWE-347 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade electron-updater to version 4.3.1 or higher.

Overview

electron-updater is a module allowing applications to implement auto-update functionality.

Affected versions of this package are vulnerable to Signature Validation Bypass. The signature verification check is based on a string comparison between the installed binary’s publisherName and the certificate’s Common Name attribute of the update binary. During a software update, the application will request a file named latest.yml from the update server, which contains the definition of the new release - including the binary filename and hashes.

Using a filename containing a backtick (`), among other symbols and a matching hash, an attacker could bypass the entire signature verification by triggering a parse error in the script.

This can be leveraged to force a malicious update on Windows clients, effectively gaining code execution and persistence capabilities.

Exploitation of this vulnerability requires the attacker to also have control over the update server, or alternatively a man-in-the-middle.

A partial fix has been made available, blacklisting a small set of characters, but there are additional characters that can be used to exploit this vulnerability.