CVE-2018-1000136
published 2018-03-23

Priority: P1 (81) · Severity: high · CVSS 3.0 base score: 8.1
CVSS 3.0 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW (exploited in the wild) · VulnCheck KEV · Ransomware
EPSS: 4.78% (90.8th percentile)
Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appears to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

Affected (6 ranges)

Vendor      Product   Version range                    Fixed in
electron    electron  >= 1.7.0 < 1.7.13                1.7.13
electron    electron  >= 1.8.0 < 1.8.4                 1.8.4
electron    electron  >= 2.0.0-beta.1 < 2.0.0-beta.5   2.0.0-beta.5
electronjs  electron  <= 1.8.3
electronjs  electron  (not specified)
electronjs  electron  1.7.0 – 1.7.12

Detection & IOCs (extracted from sources)

  • Attacker re-enables nodeIntegration via the WebView embedding function and the window.open command — look for WebView tags with nodeIntegration being set/overridden at runtime in Electron apps
  • Vulnerable Electron apps must NOT have webviewTag: false set in webPreferences — audit Electron app configs for absence of this explicit declaration
  • Exploitation requires the app to allow execution of arbitrary remote code AND disable Node.js integration — flag Electron apps matching this combined configuration
  • Apps that do not intercept new-window events and manually override event.newGuest without using the supplied options tag are vulnerable — monitor for unhandled new-window events in Electron processes
  • Apps that do not enable the nativeWindowOpen option are part of the vulnerable configuration — check Electron webPreferences for absence of nativeWindowOpen
  • Only a minority of Electron applications have the specific configuration required to be vulnerable — all six conditions must be simultaneously true for exploitation to be possible
  • Neither Electron nor the discovering researcher confirmed the vulnerability's presence in any specific named applications (e.g., Slack, Discord, Signal)
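Added example (not from the advisory, this database, or the Electron project): a Node-runnable audit of a BrowserWindow webPreferences object against the configuration conditions listed above, with a helper that adds the explicit declaration the fix guidance asks for. Key names (nodeIntegration, webviewTag, nativeWindowOpen) are Electron's documented webPreferences keys; the `behaviour` options object and the sample configurations are this example's own constructions.

```javascript
// Audit a webPreferences object plus two facts about app behaviour against
// the vulnerable-configuration conditions from the advisory summary above.
function auditWebviewExposure(prefs, behaviour = {}) {
  // Worst-case defaults (constructed convention of this example): the app
  // loads third-party content and has no new-window handler that rebuilds
  // event.newGuest from the supplied options.
  const { runsThirdPartyCode = true, overridesNewGuest = false } = behaviour;

  const conditions = {
    // The issue only matters where Node access is meant to be off.
    nodeIntegrationDisabled: prefs.nodeIntegration === false,
    // The decisive declaration: an explicit `webviewTag: false` closes the gap.
    webviewTagUnspecified: prefs.webviewTag === undefined,
    nativeWindowOpenDisabled: !prefs.nativeWindowOpen,
    runsThirdPartyCode,
    newGuestNotOverridden: !overridesNewGuest,
  };

  // Exposure requires every condition to hold at the same time.
  const exposed = Object.values(conditions).every(Boolean);

  // Only settings the app can declare explicitly become recommendations.
  const recommendations = [];
  if (conditions.webviewTagUnspecified) recommendations.push('declare webPreferences.webviewTag: false unless <webview> is required');
  if (conditions.nativeWindowOpenDisabled) recommendations.push('consider webPreferences.nativeWindowOpen: true');
  if (conditions.newGuestNotOverridden) recommendations.push('handle new-window and build event.newGuest from the supplied options');

  return { exposed, conditions, recommendations };
}

// Return a copy of `prefs` that declares webviewTag explicitly: an app that
// deliberately uses <webview> keeps its opt-in, everything else gets `false`.
function hardenWebPreferences(prefs) {
  return { ...prefs, nodeIntegration: false, webviewTag: prefs.webviewTag === true };
}

// Constructed sample configurations.
const vulnerablePrefs = { nodeIntegration: false };   // webviewTag never declared
const hardenedPrefs = hardenWebPreferences(vulnerablePrefs);

console.log(auditWebviewExposure(vulnerablePrefs).exposed); // true
console.log(auditWebviewExposure(hardenedPrefs).exposed);   // false
```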

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     8.1    HIGH      CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck               8.1    HIGH
vendor_redhat           8.1    HIGH