Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

0.23.0 Critical Security Vulnerability? #1837

Closed
bitnom opened this issue Jul 17, 2020 · 2 comments
Closed

0.23.0 Critical Security Vulnerability? #1837

bitnom opened this issue Jul 17, 2020 · 2 comments
Assignees

Comments

@bitnom
Copy link

bitnom commented Jul 17, 2020

I see in the changelog for v0.23.0 a critical security patch was applied. I went looking through the logs but couldn't spot the commit(s). Can you please describe the security vulnerability for the sake of my sanity?

Thanks

@feross
Copy link
Member

feross commented Jul 17, 2020

@TensorTom The security vulnerability is in Chromium itself. I can't say any more until it's public, unfortunately. I'll keep this issue open so I remember to give an update here once the bug is public.

@feross feross self-assigned this Jul 17, 2020
@feross
Copy link
Member

feross commented Nov 18, 2020

Here's some more info about this bug, now that the fix has been about for a while.

There was a really bad libwebrtc bug (libwebrtc is the library that provides webrtc in chromium). It affected any WebRTC app that establishes data channels with potentially malicious peers.

Here's my attempt at a summary (though see the bug report for full details). Basically, the WebRTC implementation was sending raw pointers to the remote peer (breaking ASLR) and also letting the remote peer set the callback pointer that the local peer would jump to. This could potentially be used to remotely exploit a webrtc peer running the vulnerable code.

The fix is in libwebrtc from June 5 or later (Chromium M84, branch 4147).

We patched this in WebTorrent Desktop v0.23.0 (https://github.com/webtorrent/webtorrent-desktop/releases/tag/v0.23.0) and within 2 weeks we had over 64% of users running v0.23.0 or later (thanks to our auto-updater). As of today, less than 5% of WebTorrent Desktop users are running a vulnerable version.

More details about the underlying libwebrtc bug here:

https://bugs.chromium.org/p/project-zero/issues/detail?id=2034
https://bugs.chromium.org/p/chromium/issues/detail?id=1076703
sctplab/usrsctp#376

I will close this issue now.

@feross feross closed this as completed Nov 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants