Tauri is a popular, lightweight framework used for building desktop applications for various platforms, such as Windows, macOS, and Linux. Recently, a vulnerability was discovered affecting certain versions of the Tauri framework, which allows remote origin iFrames in Tauri applications to access Inter-process Communication (IPC) endpoints without being explicitly allowed. This flaw could potentially permit an attacker to perform unwanted actions, such as deleting projects or transferring credits, by controlling the content of an iFrame running inside a Tauri-enabled app. This vulnerability, assigned CVE-2024-35222, has been addressed in Tauri versions 1.6.7 and 2.0.0-beta.19.

Exploit Details

The root cause of the CVE-2024-35222 vulnerability lies in the improper restriction of the iFrame communication between the remote content and the IPC endpoints of the Tauri application. Due to this issue, an attacker, who can control the content of an iFrame running inside a Tauri app, can exploit the unrestricted access to the Tauri IPC endpoints. As a result, the attacker could invoke valid commands with potentially harmful consequences.

The affected versions include Tauri v1 applications that lack dangerousRemoteDomainIpcAccess settings and Tauri v2 applications without the proper capabilities.

Code Snippet Demonstrating the Vulnerability (JavaScript)

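// Schematic only: ipcRenderer belongs to Electron, not Tauri, and require()
// is not available in a Tauri webview, so this does not run there as written.
// It shows the shape of the command request a remote iFrame would try to send.
// Malicious script running on attacker's web server
const { ipcRenderer } = require('electron');

ipcRenderer.on('tauri', {
  event: 'valid-command',
  payload: {
    cmd: 'delete-project',
    args: {
      projectId: 1234
    }
  }
});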

If the attacker can inject this malicious JavaScript code into an iFrame within a Tauri app, it could potentially lead to the deletion of a project.

Mitigation

To resolve this vulnerability, update your Tauri applications to version 1.6.7 or 2.0.0-beta.19, or later. The patch enforces access control in both Tauri v1 and v2 by explicitly requiring dangerousRemoteDomainIpcAccess in v1 or capabilities in v2 to be set before a remote origin iFrame can access the IPC endpoints.
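As an added example (not code from the Tauri project or its advisory), the Node.js helper below checks a resolved Tauri version against the fixed releases named above and lists the remote origins an app explicitly grants IPC access, which are the only remote origins that should reach IPC once the fix is in place. The function names are hypothetical, and the config layout is an assumption: dangerousRemoteDomainIpcAccess entries with scheme and domain under tauri.security in a v1 tauri.conf.json, and remote.urls in v2 capability files.

```javascript
// Added example: a triage helper, not code from the Tauri project.
// Fixed releases as named in this post, keyed by major version.
const FIXED_IN = { 1: "1.6.7", 2: "2.0.0-beta.19" };

// Parse "1.6.7" or "2.0.0-beta.19" (a leading ^, ~, = or v is ignored).
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/.exec(text.trim().replace(/^[\^~=v]+/, ""));
  if (!m) throw new Error(`unrecognised version: ${text}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: m[4] ? [m[4], Number(m[5])] : null };
}

// Returns <0, 0 or >0. A pre-release sorts before the release it precedes.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  }
  if (!x.pre || !y.pre) return (x.pre ? 0 : 1) - (y.pre ? 0 : 1);
  if (x.pre[0] !== y.pre[0]) return x.pre[0] < y.pre[0] ? -1 : 1;
  return x.pre[1] - y.pre[1];
}

// tauriVersion: resolved tauri crate version (for example from Cargo.lock).
// config: parsed v1 tauri.conf.json; capabilities: parsed v2 capability files.
// Both layouts are assumptions of this example.
function auditTauriApp({ tauriVersion, config = {}, capabilities = [] }) {
  const major = parseVersion(tauriVersion).nums[0];
  const fixedIn = FIXED_IN[major] ?? null;
  // Origins explicitly granted IPC access; review each one after upgrading.
  const v1 = (config.tauri?.security?.dangerousRemoteDomainIpcAccess ?? [])
    .map((e) => `${e.scheme ?? "*"}://${e.domain}`);
  const v2 = capabilities.flatMap((c) => c.remote?.urls ?? []);
  return {
    fixedIn,
    // null means this post names no fixed release for that major version.
    patched: fixedIn === null ? null : compareVersions(tauriVersion, fixedIn) >= 0,
    allowedRemoteOrigins: major === 1 ? v1 : v2,
  };
}

// Constructed sample input, not taken from a real application.
const sample = {
  tauriVersion: "1.6.6",
  config: { tauri: { security: { dangerousRemoteDomainIpcAccess: [
    { scheme: "https", domain: "app.example.com", windows: ["main"] },
  ] } } },
};
console.log(auditTauriApp(sample));
```
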

For more information on this vulnerability, mitigation, and details on updating affected versions, refer to the Tauri Security Advisory:
- Tauri Security Advisory - CVE-2024-35222

Conclusion

It is crucial to keep your software up-to-date and be aware of possible vulnerabilities, such as the one illustrated in this post. By applying the appropriate patches and updating your Tauri applications, you can mitigate the risk associated with CVE-2024-35222 and ensure the security of your developed software.

Timeline

Published on: 05/23/2024 14:15:09 UTC
Last modified on: 06/04/2024 17:34:02 UTC