Full Report
Electron-Builder is marketed as a package and build system for Electron apps with auto-update support. On macOS and Windows, code signing and signature verification are built into it. While reviewing the update mechanism of Electron-Builder for a client, the researchers noticed that the validation failed open: if the PowerShell command used for signature validation failed, for instance with a parse error, the check would still succeed silently. By claiming that the file name contained a single quote, the resulting parse error caused the check to return a valid result. In practice, the same unescaped file name was also a command injection, which is less than ideal as well. The command injection issue was eventually resolved, but the fail-open design remained. Since the single-quote expansion led to both the parse error and the command injection, addressing it was treated as sufficient for both problems. In reality, the fail-open design is still bad, and there are likely other ways to trigger this same issue.
Analysis Summary
# Vulnerability: Signature Validation Bypass and Command Injection in Electron-Updater
## CVE Details
- **CVE ID:** CVE-2020-5243 (Note: the ID is not stated in the Full Report above; it is the CVE associated with this disclosure)
- **CVSS Score:** 8.3 (High)
- **CWE:** CWE-88 (Improper Neutralization of Argument Delimiters), CWE-755 (Improper Handling of Exceptional Conditions)
## Affected Systems
- **Products:** electron-builder (specifically the `electron-updater` submodule)
- **Versions:** Versions prior to 22.3.3
- **Configurations:** Windows-based Electron applications that use the auto-update feature with code signing enabled.
## Vulnerability Description
The vulnerability stems from a "fail-open" design and improper input sanitization in how `electron-updater` verifies Windows executable signatures.
1. **Unescaped Command Execution:** The module uses `powershell.exe` to run `Get-AuthenticodeSignature` on a temporary update file. The filename (`tempUpdateFile`) is passed unescaped into the command string.
2. **Signature Bypass (Fail-Open):** If the PowerShell command fails or encounters a parse error (e.g., due to a single quote in the filename), the `catch` block logs the error but returns `null`, which the updater interprets as a successful validation, allowing unsigned or maliciously signed binaries to run.
3. **Command Injection:** Because the filename variable is not sanitized, an attacker can use characters like `;` to inject arbitrary PowerShell commands.
## Exploitation
- **Status:** PoC available; independently discovered and publicly disclosed.
- **Complexity:** Low
- **Attack Vector:** Network (An attacker must be able to influence the `latest.yml` file served by the update server).
## Impact
- **Confidentiality:** High (Full system compromise via RCE)
- **Integrity:** High (Ability to replace legitimate application binaries with malicious ones)
- **Availability:** High (Potential for persistent malware or system disruption)
## Remediation
### Patches
- **Electron-Builder v22.3.3** was released to address the command injection portion of the flaw.
- **Note:** Per the discovery team, the fix at the time of publication did not fully mitigate the underlying "fail-open" logic. Users are advised to use the latest available version of `electron-builder`.
### Workarounds
- Implement strict server-side controls to ensure `latest.yml` and update binaries cannot be tampered with.
- Use HTTPS for all update manifest and binary requests to prevent MITM (Man-in-the-Middle) attacks that could deliver a malicious YAML file.
## Detection
- **Indicators of Compromise:** Update filenames containing single quotes (`'`) or command separators (`;`).
- **Detection methods:** Monitor process execution logs for suspicious `powershell.exe` arguments originating from Electron applications, specifically those containing `Get-AuthenticodeSignature` alongside unexpected characters.
## References
- **Vendor Advisory:** hxxps://github[.]com/electron-userland/electron-builder/security/advisories/GHSA-976v-qmqj-w5q6
- **Doyensec Blog:** hxxps://blog[.]doyensec[.]com/2020/02/24/electron-updater-update-signature-bypass[.]html
- **Electron-Builder Repo:** hxxps://github[.]com/electron-userland/electron-builder