This software is commonly used to build platform-specific packages for ElectronJS-based applications, and it is frequently employed for software updates as well. The auto-update feature is provided by its electron-updater submodule, internally using Squirrel.Mac for macOS, NSIS for Windows and AppImage for Linux. In particular, it features a dual code-signing method for Windows (supporting SHA1 & SHA256 hashing algorithms).

A Fail Open Design

As part of a security engagement for one of our customers, we have reviewed the update mechanism performed by Electron Builder, and discovered an overall lack of secure coding practices. In particular, we identified a vulnerability that can be leveraged to bypass the signature verification check and hence achieve remote command execution.

The signature verification check performed by electron-builder is simply based on a string comparison between the installed binary's publisherName and the certificate's Common Name attribute of the update binary. During a software update, the application will request a file named latest.yml from the update server, which contains the definition of the new release, including the binary filename and hashes.

To retrieve the update binary's publisher, the module executes the following code, leveraging the native Get-AuthenticodeSignature cmdlet:

execFile("powershell.exe", ["-NoProfile", "-NonInteractive", "-InputFormat", "None", "-Command", `Get-AuthenticodeSignature '$.

Ignoring signature validation due to unknown error.

Which translates to the following PowerShell command:

An attacker could leverage this fail-open design to force a malicious update on Windows clients, effectively gaining code execution and persistence capabilities. This could be achieved in several scenarios, such as a service compromise of the update server, or an advanced MITM attack leveraging the lack of certificate validation/pinning against the update server.

Disclosure Timeline

Doyensec contacted the main project maintainer on November 12th, 2019, providing a full description of the vulnerability together with a Proof-of-Concept. After multiple solicitations, on January 7th, 2020 Doyensec received a reply acknowledging the bug but downplaying the risk.

At the same time (November 12th, 2019), we identified and reported this issue to a number of affected popular applications using the vulnerable electron-builder update mechanism on Windows, including:

- Cozy Drive - Still vulnerable in v3.19.0.
- IOTA Trinity Wallet - Auto-updates feature has been disabled for Windows (#2566, #2588).
- WordPress for Desktop - Still vulnerable in v4.7.0.

On February 15th, 2020, we've been made aware that the vulnerability discussed in this blog post was discussed on Twitter. On February 24th, 2020, we've been informed by the package's maintainer that the issue was resolved in release v22.3.5. While the patch mitigates the potential command injection risk, the fail-open condition is still in place and we believe that other attack vectors exist.
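The following is an added example, written for this page; it is not electron-builder's code and not from the original post. It models, in JavaScript (electron-updater is a Node module), the publisher check the text describes: take the result of the Get-AuthenticodeSignature call, compare the signer's CN against the publisher name the installed application was built with, and decide what happens when the tool itself returns an error. The fail-open branch sits beside a fail-closed one so the difference in outcome is visible on the same inputs. Assumptions of mine: the JSON shape mirrors `Get-AuthenticodeSignature <file> | ConvertTo-Json -Compress` only as far as a numeric `Status` (0 meaning Valid in SignatureStatus) and `SignerCertificate.Subject`; all function names, the publisher name and the sample outputs are constructed, not captured from a real machine.

```javascript
// Added example, not electron-builder's code. Models the Windows publisher check described
// in the post, with the fail-open decision beside a fail-closed variant.
//
// Assumptions (mine): the parsed JSON carries a numeric Status where 0 means Valid
// (SignatureStatus.Valid as I recall it; treat as an assumption) and an X.500 DN string
// in SignerCertificate.Subject.

const SIGNATURE_VALID = 0;

// Minimal X.500 DN parser: 'CN="Foo, Inc.", O=Foo' -> Map { CN => 'Foo, Inc.', O => 'Foo' }.
// Quoted values may contain commas, which is why a naive split(",") is not enough.
function parseDn(dn) {
  const attrs = new Map();
  const re = /\s*([A-Za-z0-9.]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)\s*(?:,|$)/g;
  let m;
  while ((m = re.exec(dn)) !== null) {
    let value = m[2].trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\(.)/g, "$1");
    }
    attrs.set(m[1].toUpperCase(), value);
  }
  return attrs;
}

// The update file name is interpolated into a single-quoted PowerShell string. Inside such a
// string only the quote itself is special and is escaped by doubling it; line breaks and NULs
// are refused outright rather than escaped, since a file name has no business containing them.
function toPowerShellLiteral(path) {
  if (/[\r\n\0]/.test(path)) throw new Error("control characters are not allowed in the update path");
  return "'" + path.replace(/'/g, "''") + "'";
}

// Decide whether an update binary may be installed.
//   psResult: { error, stderr, stdout } as an execFile callback would receive them
//             (constructed in demo(), not captured from a real machine)
//   publisherNames: CN values the installed application was signed with
//   policy.failOpen: true reproduces the design the post criticises, false the hardened one
// Returns { accept, reason }.
function verifyUpdateSignature(psResult, publisherNames, policy) {
  // Step 1: did the verification tool produce a usable verdict at all?
  let toolFailure = null;
  let data = null;
  if (psResult.error || psResult.stderr) {
    toolFailure = String(psResult.error || psResult.stderr);
  } else {
    try {
      data = JSON.parse(psResult.stdout);
    } catch (e) {
      toolFailure = "unparseable Get-AuthenticodeSignature output";
    }
  }
  if (toolFailure !== null) {
    if (policy.failOpen) {
      // Vulnerable pattern: "cannot check" is treated as "nothing to check" and the install proceeds.
      return { accept: true, reason: "Ignoring signature validation due to unknown error: " + toolFailure };
    }
    // Hardened pattern: without a trustworthy verdict the update is rejected.
    return { accept: false, reason: "Signature verification unavailable, refusing update: " + toolFailure };
  }

  // Step 2: a verdict exists; the Authenticode signature itself must be valid.
  if (data.Status !== SIGNATURE_VALID) {
    return { accept: false, reason: "Signature status " + data.Status + " is not Valid" };
  }

  // Step 3: the signer's CN must match one of the publisher names baked into the app.
  const subject = (data.SignerCertificate && data.SignerCertificate.Subject) || "";
  const cn = parseDn(subject).get("CN");
  if (cn === undefined || !publisherNames.includes(cn)) {
    return { accept: false, reason: "Publisher " + JSON.stringify(cn) + " is not one of " + publisherNames.join(", ") };
  }
  return { accept: true, reason: "Signed by " + cn };
}

// Constructed inputs: a valid signature by the expected publisher, a valid signature by
// someone else, and a tool failure (PowerShell could not be started).
function demo() {
  const publishers = ["Example Publisher, Inc."];
  const ok = { stdout: JSON.stringify({ Status: 0, SignerCertificate: { Subject: 'CN="Example Publisher, Inc.", O=Example Publisher, C=US' } }) };
  const wrongSigner = { stdout: JSON.stringify({ Status: 0, SignerCertificate: { Subject: "CN=Someone Else, O=Other" } }) };
  const toolBroken = { error: new Error("spawn powershell.exe ENOENT") };
  const open = { failOpen: true };
  const closed = { failOpen: false };
  return {
    validOpen: verifyUpdateSignature(ok, publishers, open).accept,                 // true
    validClosed: verifyUpdateSignature(ok, publishers, closed).accept,             // true
    wrongSignerOpen: verifyUpdateSignature(wrongSigner, publishers, open).accept,  // false
    brokenOpen: verifyUpdateSignature(toolBroken, publishers, open).accept,        // true: the fail-open bug
    brokenClosed: verifyUpdateSignature(toolBroken, publishers, closed).accept,    // false
  };
}

console.log(demo());
console.log(toPowerShellLiteral("C:\\Users\\alice\\AppData\\Roaming\\app\\__update__\\it's.exe"));
```

The only input that separates the two policies is the one where the tool fails: a missing or too-old PowerShell, a timeout, or noise on stderr all land in the same branch, and under the fail-open policy every one of them is indistinguishable from a valid signature. Note also that the CN comparison runs only after the signature status is checked; comparing names on an invalid or missing signature would be a second way to fail open.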