Element Desktop before 1.9.7 is vulnerable to a remote program execution bug with user interaction, due to its use of Electron 13.5.1, which is vulnerable to a use-after-free bug in V8.
The exploit is non-trivial and requires clicking on a malicious link, followed by another button click. To the best of our knowledge, the vulnerability has never been exploited in the wild.
If you are using Element Desktop < 1.9.7, we recommend upgrading to Element Desktop >= 1.9.9 at your earliest convenience.
Impact
If successfully exploited, the vulnerability allows an attacker to specify a file path of a binary on the victim's computer which then gets executed. Notably, the attacker does not have the ability to specify program arguments.
However, in certain unspecified configurations, the attacker may be able to specify a URI instead of a file path, which then gets handled using standard platform mechanisms. This may allow exploiting further vulnerabilities in those mechanisms, potentially leading to arbitrary code execution.
Patches
Fixed in Element Desktop 1.9.7 by upgrading the Electron dependency to 13.5.2. Additional mitigations were added in version 1.9.9 to ensure that any future Electron vulnerabilities will be impossible to exploit in this manner.
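The upgrade recommendation and the two patch levels above define three states for an installed client. The following is an added example, not part of the advisory or of Element's code, that sorts a fleet inventory into those states; the status names, host names and the `x.y.z[-prerelease]` version format are assumptions.

```python
import re

# Thresholds taken from the advisory text.
FIXED = (1, 9, 7)       # Electron dependency upgraded to 13.5.2
HARDENED = (1, 9, 9)    # additional mitigations added

# Assumed version format: optional "v", x.y.z, optional pre-release suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None


def classify(version_text):
    """Map an Element Desktop version string to an advisory status."""
    try:
        core, prerelease = parse_version(version_text)
    except ValueError:
        return "unknown"  # needs manual review rather than a guess

    # Assumption: a pre-release such as 1.9.7-rc.1 sorts before 1.9.7,
    # so it is conservatively treated as not having reached that release.
    def reached(threshold):
        return core > threshold or (core == threshold and not prerelease)

    if not reached(FIXED):
        return "vulnerable"
    if not reached(HARDENED):
        return "fixed-not-hardened"
    return "hardened"


def triage(inventory):
    """Group hosts by status; inventory maps host name -> version string."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {"ws-01": "1.9.6", "ws-02": "1.9.7", "ws-03": "v1.9.9",
          "ws-04": "1.9.7-rc.1", "ws-05": "1.10.0", "ws-06": "nightly"}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `vulnerable` or `fixed-not-hardened` are the ones the advisory's recommendation to move to 1.9.9 or later applies to.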
Workarounds
N/A
References
N/A
For more information
If you have any questions or comments about this advisory, email us at security@matrix.org.