Statement regarding "runAsNode" CVEs

Earlier today, the Electron team was alerted to several public CVEs recently filed against several notable Electron apps. The CVEs are related to two of Electron's fuses - runAsNode and enableNodeCliInspectArguments - and incorrectly claim that a remote attacker is able to execute arbitrary code via these components if they have not been actively disabled.

We do not believe that these CVEs were filed in good faith. First of all, the statement is incorrect - the configuration does not enable remote code execution. Secondly, companies called out in these CVEs have not been notified despite having bug bounty programs. Lastly, while we do believe that disabling the components in question enhances app security, we do not believe that the CVEs have been filed with the correct severity. "Critical" is reserved for issues of the highest danger, which is certainly not the case here.

Anyone is able to request a CVE. While this is good for the overall health of the software industry, "farming CVEs" to bolster the reputation of a single security researcher is not helpful.

That said, we understand that the mere existence of a CVE with the scary critical severity might lead to end user confusion, so as a project, we'd like to offer guidance and assistance in dealing with the issue.

How might this impact me?

After reviewing the CVEs, the Electron team believes that these CVEs are not critical.

An attacker needs to already be able to execute arbitrary commands on the machine, either by having physical access to the hardware or by having achieved full remote code execution. This bears repeating: the vulnerability described requires an attacker to already have access to the attacked system.

Chrome, for example, does not consider physically-local attacks in their threat model:

We consider these attacks outside Chrome's threat model, because there is no way for Chrome (or any application) to defend against a malicious user who has managed to log into your device as you, or who can run software with the privileges of your operating system user account. Such an attacker can modify executables and DLLs, change environment variables like PATH, change configuration files, read any data your user account owns, email it to themselves, and so on. Such an attacker has total control over your device, and nothing Chrome can do would provide a serious guarantee of defense. This problem is not special to Chrome — all applications must trust the physically-local user.

The exploit described in the CVEs allows an attacker to then use the impacted app as a generic Node.js process with inherited TCC permissions. So if the app, for example, has been granted access to the address book, the attacker can run the app as Node.js and execute arbitrary code which will inherit that address book access. This is commonly known as a "living off the land" attack. Attackers usually use PowerShell, Bash, or similar tools to run arbitrary code.

Am I impacted?

By default, all released versions of Electron have the runAsNode and enableNodeCliInspectArguments features enabled. If you have not turned them off as described in the Electron Fuses documentation, your app is equally vulnerable to being used in a "living off the land" attack. Again, we need to stress that an attacker needs to already be able to execute code and programs on the victim's machine.

Mitigation

The easiest way to mitigate this issue is to disable the runAsNode fuse within your Electron app. The runAsNode fuse toggles whether the ELECTRON_RUN_AS_NODE environment variable is respected or not. Please see the Electron Fuses documentation for information on how to toggle these fuses.

Please note that if this fuse is disabled, then process.fork in the main process will not function as expected, as it depends on this environment variable to function. Instead, we recommend that you use Utility Processes, which work for many use cases where you need a standalone Node.js process (like a SQLite server process or similar scenarios).

You can find more info about security best practices we recommend for Electron apps in our Security Checklist.