Signal Desktop Application Hit by Another Code Injection Vulnerability
Less than a week after a code injection vulnerability (CVE-2018-10994) in the Signal desktop application was disclosed, security researchers discovered another serious code injection vulnerability (CVE-2018-11101). Like the previous one, the new vulnerability allows a remote attacker to inject malicious code simply by sending a message to the recipient's Signal desktop application, without any user interaction, and thereby steal the user's Signal chat log in clear text.
The only difference between the two vulnerabilities is where they live: the earlier one was in the function that handles shared links in a chat, while the new one is in a different function that validates quoted messages, that is, the earlier message referenced in a quote reply. In other words, to exploit the bug fixed by the new patch on a vulnerable version of the Signal desktop application, an attacker would send the malicious HTML/JavaScript code as a message to the victim and then quote or reply to that same message with any arbitrary text. When the victim's vulnerable Signal desktop application receives the quote message containing the malicious payload, it automatically executes the payload without any user interaction.
In addition to stealing chat logs, the researchers stated in their blog post that an attacker could even use an HTML iframe to include files from remote SMB shares, which could be misused to steal Windows passwords.
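The defect class described above is an HTML-injection sink: untrusted message text reaches the renderer as markup instead of as text. The following added example (not Signal's code; all function and field names are hypothetical) shows a quote renderer that splices message fields straight into markup beside a hardened form that escapes them first, plus a small review heuristic that flags message bodies carrying tags able to run script or fetch remote resources, such as the iframe mentioned above. The sample quote is constructed and inert.

```javascript
// Added example, not taken from the Signal project. Names are hypothetical.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. This is the minimum needed before untrusted text is
// concatenated into markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the quoted message's author and body are spliced
// directly into markup, so any tags in the body are rendered, not shown.
function renderQuoteUnsafe(quote) {
  return `<div class="quote"><span class="author">${quote.author}</span>: ${quote.body}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it touches markup.
// The same bytes now display as literal text.
function renderQuoteSafe(quote) {
  return `<div class="quote"><span class="author">${escapeHtml(quote.author)}</span>: ${escapeHtml(quote.body)}</div>`;
}

// Review heuristic for a message store or log export: flag bodies containing
// tags that can execute script or pull remote resources into the renderer.
// A match is a triage signal, not proof of an attack.
const ACTIVE_TAG = /<\s*(script|iframe|img|object|embed|svg|link|meta|base)\b/i;
function containsActiveMarkup(text) {
  return ACTIVE_TAG.test(String(text));
}

// Constructed sample: a quoted message whose body carries an iframe pointing
// at a placeholder host, the shape of payload the article describes.
const sampleQuote = {
  author: "alice",
  body: '<iframe src="https://example.invalid/"></iframe> see this',
};

// Run stand-alone to compare the two renderers on the same input.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderQuoteUnsafe(sampleQuote));
  console.log("safe:  ", renderQuoteSafe(sampleQuote));
  console.log("flagged:", containsActiveMarkup(sampleQuote.body));
}

module.exports = { escapeHtml, renderQuoteUnsafe, renderQuoteSafe, containsActiveMarkup, sampleQuote };
```

Escaping at the render boundary is what prevents the class of bug here; validating a quote against the original message (as the vulnerable function did) is not a substitute, because a correctly formed quote can still carry markup. The regex is deliberately broad so it surfaces candidates for a human to look at rather than trying to be an exact filter.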
Signal's developers have now released Signal Desktop version 1.11.0 for Windows, macOS, and Linux. Users who may be affected by the vulnerability are advised to update as soon as possible.
Source: The Hacker News