Electron ASAR Integrity Bypass Vulnerability Allowing Resource Modification

Vulnerability

A vulnerability in Electron that allows for an ASAR integrity bypass through resource modification has been identified. This issue affects versions of Electron prior to 35.7.5, as well as 36.0.0-alpha.1 through 36.8.0, 37.0.0-alpha.1 through 37.3.1, and 38.0.0-alpha.1 through 38.0.0-beta.6. The vulnerability only impacts applications with the 'embeddedAsarIntegrityValidation' and 'onlyLoadAppFromAsar' fuses enabled. In such cases, the ASAR integrity check can be bypassed, potentially allowing malicious modifications to be made to the application's resources.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of an application's ASAR resources, bypassing the intended integrity checks. This could be exploited by manipulating the application's resource files, particularly in environments where the attacker has write access to the files from which the application is loaded.

Reproduction

To reproduce this vulnerability, an application must be created using Electron with the 'embeddedAsarIntegrityValidation' and 'onlyLoadAppFromAsar' fuses enabled. Once the application is packaged and the fuses are set, it is launched from a location where the user has write permissions. The integrity bypass is achieved by modifying the ASAR file's resources: although integrity validation is enabled, the application fails to detect the unauthorized changes.

Remediation

Users should update to Electron versions 35.7.5, 36.8.1, 37.3.1, or 38.0.0-beta.6, where this vulnerability has been patched.

Added: Sep 4, 2025, 11:18 PM
Updated: Sep 4, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.0
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.