CVE-2024-39698
Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. This attack assumes a compromised update manifest (server compromise, Man-in-the-Middle attack if fetched over HTTP, Cross-Site Scripting to point the application to a malicious updater server, etc.). The patch is available starting from 6.3.0-alpha.6.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-06-27 CVE Reserved
- 2024-07-09 CVE Published
- 2024-07-13 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-154: Improper Neutralization of Variable Name Delimiters
CAPEC
References (4)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Electron-userland Search vendor "Electron-userland" | Electron-builder Search vendor "Electron-userland" for product "Electron-builder" | < 6.3.0 Search vendor "Electron-userland" for product "Electron-builder" and version " < 6.3.0" | en |
Affected
| ||||||