-
-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Software contains RCE vulnerability #106
Comments
It looks like this vulnerability is caused by the autoupdate functionality in the bridge. This should be patched out or disabled in the container build process so that the container's integrity is preserved. |
Reported upstream as well: https://github.com/ProtonMail/proton-bridge/issues/494 Given their zeal for co-opting users' machines for their own purposes, I assume this will need to be patched out in the container and won't get fixed upstream. |
I know this is a stale issue, but:
So, just Proton (or a hacker that is extremely deep into Proton's infra, in which case every Proton user is screwed anyways)
Yes, that's called "autoupdate", it's a feature when implemented correctly.
No, it's very relevant. Autoupdate != RCE because RCE means the attacker gets some level of choice in the code that is executed. I wouldn't call this an RCE vulnerability because the attacker would need some level of access to the host machine of the container, or at the very least the container itself (in which case the data is already compromised since it is Proton Bridge caches it IIRC) Outside of the technical arguments, I don't know what you're hoping to accomplish by spreading FUD. Please reconsider who you are actually helping (no one) and what you could do to be truly helpful. This type of pithy, fear-mongering "bug report" is detrimental to the maintainer of this project, Proton, and the privacy community at large. Stop wasting people's time. |
Without permission, this software downloads new code from the server and prepares to execute it. This violates the entire security model of content-addressable docker container executables.
This allows anyone with control of the remote server to specify arbitrary code to execute within the container.
This allows an attacker in control of the update download server to replace the update executable that is downloaded, and steal or exfiltrate keys and mail.
Such nonconsensual automated remote code execution (the fact that it is called "autoupdate" is irrelevant) is inappropriate in software implementing end to end encryption. If the not-end can cause the end to give up its keys or plaintext at any time via a software update, then the end to end encryption is simply farce.
The text was updated successfully, but these errors were encountered: