Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[electron-updater] Update is installed even though signature verification fails #4701

Closed
rajivshah3 opened this issue Feb 25, 2020 · 3 comments
Closed

[electron-updater] Update is installed even though signature verification fails #4701

rajivshah3 opened this issue Feb 25, 2020 · 3 comments
Labels
bug electron-updater

Comments

@rajivshah3
Copy link
Contributor

  • Version:
    electron-builder: 22.3.5
    electron-updater: 4.2.4
  • Target: Windows (NSIS)

dead150 is only a partial fix for the signature verification bypass issue recently disclosed by Doyensec. While it is no longer possible to trigger the parse errors with single or double quotes as of dead150, there are other ways to cause them.

From the report:

we believe that other attack payloads for the same vulnerable code path still [exist] in Electron-Builder.

In my opinion, the root cause of the vulnerability lies in the fact that even though signature verification is failing, the update is still installed:

electron-builder/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts

Lines 37 to 38 in caebf37

logger.warn(`Cannot execute Get-AuthenticodeSignature: ${error}. Ignoring signature validation due to unknown error.`)
resolve(null)

electron-builder/packages/electron-updater/src/NsisUpdater.ts

Line 42 in caebf37

if (signatureVerificationStatus != null) {

So, even though an error is encountered, null is resolved and the update is installed anyway. I opened this issue because I was hoping to start a discussion on the following:

  • Is there a reason why we would want the update to be installed despite the fact that signature verification failed (i.e. is there a valid use case for the current behavior)?
  • We would prefer that any errors in signature verification cause the update process to abort. Would a PR for the ability to opt-in to stricter signature verification (e.g. strictSignatureVerification: true in the electron-builder config) be accepted?
@rajivshah3 rajivshah3 mentioned this issue Mar 15, 2020
Merged
3 tasks
@stale
Copy link

stale bot commented Apr 25, 2020

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the backlog label Apr 25, 2020
@rajivshah3
Copy link
Contributor Author

This is still relevant

@stale stale bot removed the backlog label Apr 25, 2020
@Laruxo Laruxo mentioned this issue Apr 29, 2020
Closed
@hedwigz hedwigz mentioned this issue Jun 15, 2020
Merged
@Mik317 Mik317 mentioned this issue Jun 16, 2020
Merged
@huntr-helper
Copy link

‎‍🛠️ A fix has been provided for this issue. Please reference: 418sec#1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.

@huntr-helper huntr-helper mentioned this issue Jun 18, 2020
Closed
@Urook Urook mentioned this issue Oct 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug electron-updater
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@develar @rajivshah3 @huntr-helper