Rule Category

BROWSER-OTHER -- Snort has detected suspicious traffic known to exploit vulnerabilities present in an Internet browser other than Firefox, Internet Explorer, or Chrome, or which is present in multiple browsers. This rule should be enabled for systems that use any mainstream browser, to offer complete coverage. (i.e., if a vulnerability affects both Chrome and Firefox but is covered by a rule under the Chrome category, Firefox users might have Chrome coverage turned off and miss the vulnerability.)

Alert Message

BROWSER-OTHER Electron nodeIntegration bypass exploit attempt

Rule Explanation

This event is generated when an attempt to exploit CVE-2018-1000136, an Electron nodeIntegration bypass, over SMTP is detected.

Impact: An attacker who successfully exploits CVE-2018-1000136 could achieve arbitrary code execution in the context of the current user where the Electron-based application is being run.

Details: CVE-2018-1000136 manifests in how Electron improperly enforces application settings. If the Electron application is executing JavaScript from a remote host, an attacker could exploit this vulnerability to also execute arbitrary code on the local host running the Electron application.

Ease of Attack: A proof-of-concept exploit for this vulnerability has been published.

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2018-1000136
Electron versions 1.7 up to 1.7.12, 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contain an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appears to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.
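The Details paragraph above and the CVE text describe the condition that makes an app affected: it renders remote or third-party content, it turns nodeIntegration off, and it never says whether the webview tag is enabled. The following is an added example (not Electron's code and not the body of the Snort rule) showing, from the defender's side, how to audit a BrowserWindow's webPreferences for that shape and how to harden it using two settings Electron's security guidance documents: setting webviewTag to false explicitly, and handling the will-attach-webview event to strip any preload and force Node off for the guest. It runs under plain Node; the installWebviewGuard wiring is only exercised when a real Electron app object is passed in. The origin allowlist in the handler and the sample preferences objects are constructed for illustration.

```javascript
// Audit and harden Electron webPreferences against the CVE-2018-1000136
// pattern (nodeIntegration off, webviewTag left unspecified).
// Added example; not Electron's own code and not the Snort rule body.

// Constructed sample: the affected shape described by the CVE text.
// webviewTag is deliberately absent, which affected versions treated as enabled.
const VULNERABLE_SHAPE = {
  nodeIntegration: false,
};

// Return a list of findings for a webPreferences object. Empty list = OK.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration is enabled; remote content gets Node APIs directly');
  }
  if (prefs.webviewTag === undefined) {
    findings.push('webviewTag is unspecified; affected Electron versions treat this as enabled (CVE-2018-1000136)');
  } else if (prefs.webviewTag === true) {
    findings.push('webviewTag is enabled; every <webview> needs a will-attach-webview handler');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation is not enabled; preload globals are reachable from page scripts');
  }
  return findings;
}

// Return a hardened copy: Node off, webview tag explicitly off, isolation on.
function hardenWebPreferences(prefs) {
  return Object.assign({}, prefs, {
    nodeIntegration: false,
    webviewTag: false,
    contextIsolation: true,
  });
}

// Handler for contents.on('will-attach-webview', ...). Electron passes the
// guest's webPreferences object and lets the handler mutate it, so the
// changes below are made in place. Returns true when the guest is allowed.
function onWillAttachWebview(event, webPreferences, params) {
  delete webPreferences.preload;      // drop any preload the page tried to attach
  delete webPreferences.preloadURL;   // older field name, harmless if absent
  webPreferences.nodeIntegration = false;
  webPreferences.contextIsolation = true;
  // Hypothetical allowlist: only let the tag load an origin the app owns.
  const ALLOWED_PREFIX = 'https://app.example.invalid/';
  if (!params || !String(params.src).startsWith(ALLOWED_PREFIX)) {
    event.preventDefault(); // refuse to attach the guest page at all
    return false;
  }
  return true;
}

// Wire-up as it would appear in main.js; `app` is Electron's app object.
function installWebviewGuard(app) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-attach-webview', onWillAttachWebview);
  });
}
```

Usage in an Electron main process: call installWebviewGuard(app) once at startup, and pass hardenWebPreferences(yourPrefs) as the webPreferences of every BrowserWindow. The audit function is the part to run in CI over the app's window configurations, since the CVE's precondition is precisely a setting that was never written down.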
Details

CVSS fields (no values present on this page): Severity, Base Score, Impact Score, Exploit Score, Confidentiality Impact, Integrity Impact, Availability Impact, Access Vector, Authentication, Ease of Access