Statement regarding "runAsNode" CVEs
Earlier today, the Electron team was alerted to several public CVEs recently filed against several notable Electron apps. The CVEs are related to two of Electron's fuses - runAsNode and enableNodeCliInspectArguments - and incorrectly claim that a remote attacker is able to execute arbitrary code via these components if they have not been actively disabled.
We do not believe that these CVEs were filed in good faith. First of all, the statement is incorrect - the configuration does not enable remote code execution. Secondly, the companies called out in these CVEs have not been notified despite having bug bounty programs. Lastly, while we do believe that disabling the components in question enhances app security, we do not believe that the CVEs have been filed with the correct severity. "Critical" is reserved for issues of the highest danger, which is certainly not the case here.
Anyone is able to request a CVE. While this is good for the overall health of the software industry, "farming CVEs" to bolster the reputation of a single security researcher is not helpful.
That said, we understand that the mere existence of a CVE with the scary "critical" severity might lead to end user confusion, so as a project, we'd like to offer guidance and assistance in dealing with the issue.
How might this impact me?
After reviewing the CVEs, the Electron team believes that these CVEs are not critical.
An attacker needs to already be able to execute arbitrary commands on the machine, either by having physical access to the hardware or by having achieved full remote code execution. This bears repeating: the vulnerability described requires an attacker to already have access to the attacked system.
Chrome, for example, does not consider physically-local attacks in its threat model:
We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your device, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome: all applications must trust the physically-local user.
The exploit described in the CVEs allows an attacker to then use the impacted app as a generic Node.js process with inherited TCC permissions. So if the app, for example, has been granted access to the address book, the attacker can run the app as Node.js and execute arbitrary code which will inherit that address book access. This is commonly known as a "living off the land" attack. Attackers usually use PowerShell, Bash, or similar tools to run arbitrary code.
Am I impacted?
By default, all released versions of Electron have the runAsNode and enableNodeCliInspectArguments features enabled. If you have not turned them off as described in the Electron Fuses documentation, your app is equally vulnerable to being used in a "living off the land" attack. Again, we need to stress that an attacker needs to already be able to execute code and programs on the victim's machine.
Mitigation
The easiest way to mitigate this issue is to disable the runAsNode fuse within your Electron app. The runAsNode fuse toggles whether the ELECTRON_RUN_AS_NODE environment variable is respected or not. Please see the Electron Fuses documentation for information on how to toggle these fuses.
Please note that if this fuse is disabled, then process.fork in the main process will not function as expected, as it depends on this environment variable to function. Instead, we recommend that you use Utility Processes, which work for many use cases where you need a standalone Node.js process (like a SQLite server process or similar scenarios).
You can find more info about the security best practices we recommend for Electron apps in our Security Checklist.