Vulnerability Notification: Electron setAsDefaultProtocolClient Command Injection

[Overview]

Electron is an open source framework for building desktop GUI applications; it lets developers build native programs for macOS, Windows, and Linux using web technologies such as JavaScript, HTML, and CSS. Electron recently fixed a remote code execution vulnerability that affects applications registered as custom protocol handlers.

[Vulnerability Details]

CVE-2018-1000006: The vulnerability is caused by applications built with Electron failing to properly validate user-supplied input. An affected application does not check whether additional command-line parameters have been supplied through the URL it is asked to handle. An attacker could exploit this vulnerability by enticing a user to open a maliciously crafted link; successful exploitation could result in the execution of arbitrary commands with the privileges of the user running the application.

Vulnerability Source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000006

[Severity]

Critical

[Affected Version]

  • Electron Version < 1.6.16
  • Electron Version < 1.7.11
  • Electron Version < 1.8.2-beta.4

[Suggestions]

Apply the patches supplied by Electron

Apply the mitigation measures provided by Electron

Do not open suspicious web pages or links

Official statement: https://electronjs.org/blog/protocol-handler-fix

[Hillstone Networks Solution]

Hillstone Networks has added signatures to the IPS signature database version 2.1.237. By deploying any Hillstone Networks solution with the IPS function, the Electron setAsDefaultProtocolClient Command Injection vulnerability can be quickly detected and effectively intercepted, preventing the server from being attacked.
