Critical Electron Vulnerabilities
CVE-2024-46992: Electron ASAR Integrity Bypass Vulnerability
Overview
Electron, a popular open-source framework for building cross-platform desktop applications with JavaScript, HTML, and CSS, is vulnerable to an ASAR Integrity bypass in certain versions. This vulnerability affects Electron versions from 30.0.0-alpha.1 up to but not including 30.0.5, and 31.0.0-alpha.1 up to but not including 31.0.0-beta.1.
Vulnerability Details
- The vulnerability arises only if the application has both the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar security fuses enabled.
- It is specific to Windows; macOS applications using these fuses are not affected.
- The issue allows an attacker with write access to the filesystem where the app is launched to modify the contents of the ASAR archive (Electron's packaged application format).
- This bypasses the integrity check designed to prevent tampering with the app's code or resources.
- The attacker can inject malicious code or alter application logic by changing files inside the ASAR archive, potentially leading to unauthorized code execution or privilege escalation.
Impact
- Affected applications that enable these fuses on Windows are at high risk (CVSS score 7.8).
- Since the attacker must already have write access to the filesystem, the attack vector is local (or via a writable network share) and requires the ability to modify the application's files.
- Applications without these fuses enabled are not impacted.
- There are no workarounds; the only solution is to update Electron to patched versions 30.0.5 or 31.0.0-beta.1.
Sample Scenario
Imagine a company distributes a Windows desktop app built with Electron that enables these security fuses for integrity validation. If the app is installed on a shared network drive or a writable folder, an attacker who gains write access to that location could modify the ASAR file to inject malicious JavaScript code. When a user runs the app, the integrity check is bypassed, and the malicious code executes with the app’s privileges, potentially stealing data or installing malware.
Mitigation
- Update Electron to version 30.0.5 or later, or 31.0.0-beta.1 or later.
- Avoid launching apps from writable filesystems accessible by untrusted users.
- Monitor file system permissions to restrict write access.
CVE-2024-46993: Electron Heap Buffer Overflow in NativeImage Functions
Overview
Electron versions prior to 28.3.2, 29.3.3, and 30.0.3 contain a heap buffer overflow vulnerability in the NativeImage API functions nativeImage.createFromPath() and nativeImage.createFromBuffer().
Vulnerability Details
- The vulnerability exists in a downstream function called by these NativeImage creation functions.
- If an attacker controls the image's height, width, and contents, they can trigger a heap buffer overflow.
- This can lead to memory corruption, potentially allowing arbitrary code execution, application crashes, or denial of service.
- The vulnerability is identified as CWE-122 (Heap-based Buffer Overflow).
Impact
- Applications using these NativeImage functions to load or process images from untrusted sources are at risk.
- The vulnerability is rated medium severity with a CVSS score of 4.4.
- There are no workarounds; affected applications must upgrade Electron.
Sample Scenario
An Electron app loads user-uploaded images using nativeImage.createFromBuffer(). An attacker crafts a malicious image file with manipulated height, width, and pixel data designed to overflow the heap buffer. When the app processes this image, the buffer overflow occurs, potentially allowing the attacker to execute arbitrary code within the app context or cause it to crash.
Mitigation
- Upgrade Electron to version 28.3.2, 29.3.3, or 30.0.3 or later.
- Validate and sanitize image inputs before processing.
- Limit exposure of image processing APIs to untrusted data.
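Since the trigger is attacker-controlled width, height and contents, the practical form of "validate image inputs" is to bound the declared dimensions before any decoder allocates memory from them. The following is an added example, not Electron's code: it parses only the PNG signature and IHDR chunk, enforces assumed policy limits, and gates the call to createFromBuffer behind the check. Non-PNG data is rejected outright (JPEG would need its own header parser), and the limit values and helper names are my own.

```javascript
// Added example (not Electron's own code): validate an untrusted image buffer
// before it is handed to nativeImage.createFromBuffer(). Only PNG is parsed
// here; anything else is rejected. The limits are assumed policy values.
const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const DEFAULT_LIMITS = { maxDim: 8192, maxPixels: 32 * 1024 * 1024 }; // assumed policy
const VALID_BIT_DEPTHS = [1, 2, 4, 8, 16];
const VALID_COLOR_TYPES = [0, 2, 3, 4, 6];

// Parse only the signature and the IHDR chunk (the first 33 bytes of any PNG).
function parsePngHeader(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 33) return { ok: false, reason: 'too short' };
  if (!buf.subarray(0, 8).equals(PNG_SIGNATURE)) return { ok: false, reason: 'not a PNG' };
  const chunkLen = buf.readUInt32BE(8);
  const chunkType = buf.toString('ascii', 12, 16);
  if (chunkType !== 'IHDR' || chunkLen !== 13) {
    return { ok: false, reason: 'first chunk is not a valid IHDR' };
  }
  return {
    ok: true,
    width: buf.readUInt32BE(16),
    height: buf.readUInt32BE(20),
    bitDepth: buf[24],
    colorType: buf[25],
  };
}

// Policy check: the declared dimensions are attacker-controlled, so bound
// them before any decoder sizes a buffer from them.
function checkImageBuffer(buf, limits = DEFAULT_LIMITS) {
  const hdr = parsePngHeader(buf);
  if (!hdr.ok) return hdr;
  if (hdr.width === 0 || hdr.height === 0) return { ok: false, reason: 'zero dimension' };
  if (hdr.width > limits.maxDim || hdr.height > limits.maxDim) {
    return { ok: false, reason: 'dimension exceeds limit' };
  }
  // Both factors are now <= maxDim, so the product cannot lose precision.
  const pixels = hdr.width * hdr.height;
  if (pixels > limits.maxPixels) return { ok: false, reason: 'pixel budget exceeded' };
  if (!VALID_BIT_DEPTHS.includes(hdr.bitDepth) || !VALID_COLOR_TYPES.includes(hdr.colorType)) {
    return { ok: false, reason: 'invalid bit depth or colour type' };
  }
  return { ok: true, width: hdr.width, height: hdr.height, decodedBytes: pixels * 4 };
}

// Gate: createFromBuffer is passed in (in an Electron app this would be
// require('electron').nativeImage.createFromBuffer) so the check runs anywhere.
function loadUntrustedImage(buf, createFromBuffer) {
  const check = checkImageBuffer(buf);
  if (!check.ok) throw new Error(`image rejected: ${check.reason}`);
  return createFromBuffer(buf);
}

// Constructed test input: PNG signature + IHDR chunk only (CRC left zeroed).
function makePngHeader(width, height, bitDepth = 8, colorType = 6) {
  const buf = Buffer.alloc(33);
  PNG_SIGNATURE.copy(buf, 0);
  buf.writeUInt32BE(13, 8);
  buf.write('IHDR', 12, 'ascii');
  buf.writeUInt32BE(width, 16);
  buf.writeUInt32BE(height, 20);
  buf[24] = bitDepth;
  buf[25] = colorType;
  return buf;
}
```

The check is a pre-filter, not a substitute for the upgrade: it keeps absurd dimensions away from the decoder on patched and unpatched builds alike, and the decodedBytes figure it returns is the number to compare against whatever memory budget the renderer process can afford.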
Summary Table
CVE ID | Vulnerability Type | Affected Versions | Impact | Severity | Fix Version(s) | Workarounds |
---|---|---|---|---|---|---|
CVE-2024-46992 | ASAR Integrity Bypass | 30.0.0-alpha.1 to <30.0.5, 31.0.0-alpha.1 to <31.0.0-beta.1 | Allows modification of app code if attacker has write access | High (7.8) | 30.0.5, 31.0.0-beta.1 | None |
CVE-2024-46993 | Heap Buffer Overflow | <28.3.2, <29.3.3, <30.0.3 | Potential arbitrary code execution via crafted images | Medium (4.4) | 28.3.2, 29.3.3, 30.0.3 | None |
Conclusion
Both vulnerabilities highlight the importance of keeping Electron up to date and carefully managing application configurations and filesystem permissions. The ASAR Integrity bypass (CVE-2024-46992) poses a serious risk for Windows apps that enable specific security fuses and run from writable locations, while the heap buffer overflow (CVE-2024-46993) affects image processing functions and can be exploited by malicious image files.
Developers should immediately update to the patched Electron versions and review their app deployment environments to mitigate these risks.