Remote code execution in Electron Slack

Published: 2018-01-24

Risk	High
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2018-1000006
CWE-ID	CWE-264
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Slack Client/Desktop applications / Messaging software
Vendor	Electron

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Remote code execution

EUVDB-ID: #VU10166

Risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2018-1000006

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to unspecified error in Electron apps that use custom protocol handlers. A remote attacker can execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 3.0.3.

Vulnerable software versions

Slack: All versions

CPE2.3

cpe:2.3:a:electron:slack:*:*:*:*:*:*:*:*

External links

https://electronjs.org/blog/protocol-handler-fix

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.