CVE-2018-1000136
Published 2018-03-23
Priority: P1 · 81 · high · 8.1 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 4.78% (90.8th percentile)
Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appears to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| electron | electron | >= 1.7.0 < 1.7.13 | 1.7.13 |
| electron | electron | >= 1.8.0 < 1.8.4 | 1.8.4 |
| electron | electron | >= 2.0.0-beta.1 < 2.0.0-beta.5 | 2.0.0-beta.5 |
| electronjs | electron | <= 1.8.3 | — |
| electronjs | electron | — | — |
| electronjs | electron | 1.7.0 – 1.7.12 | — |
Detection & IOCs (extracted from sources)
- Attacker re-enables nodeIntegration via the WebView embedding function and the window.open command — look for WebView tags with nodeIntegration being set/overridden at runtime in Electron apps
- Vulnerable Electron apps must NOT have webviewTag: false set in webPreferences — audit Electron app configs for absence of this explicit declaration
- Exploitation requires the app to allow execution of arbitrary remote code AND disable Node.js integration — flag Electron apps matching this combined configuration
- Apps that do not intercept new-window events and manually override event.newGuest without using the supplied options tag are vulnerable — monitor for unhandled new-window events in Electron processes
- Apps that do not enable the nativeWindowOption option are part of the vulnerable configuration — check Electron webPreferences for absence of nativeWindowOption
- Only a minority of Electron applications have the specific configuration required to be vulnerable — all six conditions must be simultaneously true for exploitation to be possible
- Neither Electron nor the discovering researcher confirmed the vulnerability's presence in any specific named applications (e.g., Slack, Discord, Signal)
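One way to run the configuration audit these bullets describe, as an added example (not code from Electron or from the sources quoted on this page). The `app` inventory record and its `loadsRemoteCode` and `overridesNewGuest` fields are hypothetical; the version ranges come from the Affected table above.

```javascript
// Added example: triage helper for CVE-2018-1000136, not Electron project code.
// Version ranges are copied from the "Affected" table on this page.
const AFFECTED = [
  { min: '1.7.0', fixed: '1.7.13' },
  { min: '1.8.0', fixed: '1.8.4' },
  { min: '2.0.0-beta.1', fixed: '2.0.0-beta.5' },
];

// Parse "X.Y.Z" or "X.Y.Z-beta.N"; a final release sorts after all of its betas.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] === undefined ? Infinity : Number(m[4])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(v) {
  return AFFECTED.some(r => compareVersions(v, r.min) >= 0 && compareVersions(v, r.fixed) < 0);
}

// `app` is a hypothetical inventory record. loadsRemoteCode and overridesNewGuest
// are answers from code review; they cannot be read from webPreferences.
function auditApp(app) {
  const prefs = app.webPreferences || {};
  const conditions = {
    affectedVersion: isAffectedVersion(app.electronVersion),
    allowsRemoteCode: app.loadsRemoteCode === true,
    // nodeIntegration defaulted to true in these releases, so "disabled" is an explicit false.
    nodeIntegrationDisabled: prefs.nodeIntegration === false,
    webviewTagNotDeclaredFalse: prefs.webviewTag !== false,
    // The advisory text says nativeWindowOption; Electron's webPreferences key is nativeWindowOpen.
    nativeWindowNotEnabled: !(prefs.nativeWindowOption === true || prefs.nativeWindowOpen === true),
    newGuestNotOverridden: app.overridesNewGuest !== true,
  };
  const unmet = Object.keys(conditions).filter(k => !conditions[k]);
  return { exposed: unmet.length === 0, unmet };
}

// Constructed sample records.
const exposedApp = { electronVersion: '1.8.3', loadsRemoteCode: true, webPreferences: { nodeIntegration: false } };
const hardenedApp = { ...exposedApp, webPreferences: { nodeIntegration: false, webviewTag: false } };
```

An app is reported as `exposed` only when all six conditions hold; `unmet` names the conditions that break the chain, which is useful evidence when closing a finding.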
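CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |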
GHSA
Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
ghsa·2018-03-26
CVE-2018-1000136 [HIGH] CWE-20 Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
A vulnerability has been discovered which allows Node.js integration to be re-enabled in some Electron applications that disable it.
For the application to be impacted by this vulnerability, it must meet all of these conditions:
- Runs on Electron 1.7, 1.8, or a 2.0.0-beta
- Allows execution of arbitrary remote code
- Disables Node.js integration
- Does not explicitly declare webviewTag: false in its webPreferences
- Does not enable the nativeWindowOption option
- Does not intercept new-window events and manually override event.newGuest without using the supplied options tag
## Recommendation
Update to `electron` version 1.7.13, 1.8.4, or 2.0.0-beta.5 or later.
If you are unable to update your Electron version ca
OSV
Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
osv·2018-03-26
CVE-2018-1000136 [HIGH] Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration
VulnCheck
electronjs electron Improper Input Validation
vulncheck·2018·CVSS 8.1
CVE-2018-1000136 [HIGH] electronjs electron Improper Input Validation
Affected: electronjs electron
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.csk.gov.in/alerts/STOP_ransomware.html; https://w
Red Hat
electron: Improper handling of values in Webviews
vendor_redhat·2018-03-23·CVSS 8.1
CVE-2018-1000136 [HIGH] CWE-228 electron: Improper handling of values in Webviews
Package: Electron (JBoss Developer Studio 11) - Not affected
No detection rules found.
No public exploits indexed.
Tenable
June Vulnerability of the Month: Electron Vulnerability Out-Hyped by Efail?
blogs_tenable·2018-06-15·CVSS 8.8
[HIGH] June Vulnerability of the Month: Electron Vulnerability Out-Hyped by Efail?
# June Vulnerability of the Month: Electron Vulnerability Out-Hyped by Efail?
Tenable Research
June 15, 2018
3 Min Read
Every month, we ask our researchers to nominate a vulnerability of the month. Novelty, sophistication or just plain weirdness are some of the potential criteria for selecting a vulnerability to highlight. After the nominations are collected, the candidates are shortlisted and voted on by our 70-plus-member research organization, combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.
### Background
Electron is an open-source framework for developing desktop applications. According to Electron’s website, it’s currently used in 581 apps. On May 14, a vulnerability (CVE-2018-1000136) was pu
Bugzilla
CVE-2018-1000136 electron: Improper handling of values in Webviews
bugzilla·2018-03-23·CVSS 8.1
CVE-2018-1000136 [HIGH] CVE-2018-1000136 electron: Improper handling of values in Webviews
References:
https://www.electronjs.org/blog/webview-fix