CVE-2023-46115 in Tauriinfo

Summary

by MITRE • 10/25/2023

Tauri is a framework for building binaries for all major desktop platforms. This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the `Vite guide` to showcase how to use Tauri together with Vite. Copying the following snippet `envPrefix: ['VITE_', 'TAURI_'],` from this guide into the `vite.config.ts` of a Tauri project leads to bundling the `TAURI_PRIVATE_KEY` and `TAURI_KEY_PASSWORD` into the Vite frontend code and therefore leaking this value to the released Tauri application. Using the `envPrefix: ['VITE_'],` or any other framework than Vite means you are not impacted by this advisory. Users are advised to rotate their updater private key if they are affected by this (requires Tauri CLI >=1.5.5). After updating the envPrefix configuration, generate a new private key with `tauri signer generate`, saving the new private key and updating the updater's `pubkey` value on `tauri.conf.json` with the new public key. To update your existing application, the next application build must be signed with the older private key in order to be accepted by the existing application.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 11/11/2023

CVE-2023-46115 represents a critical configuration vulnerability affecting Tauri applications that utilize the Vite frontend framework. This vulnerability stems from an insecure example configuration provided in Tauri's official documentation, specifically within the Vite guide that demonstrates integration between Tauri and Vite. The flaw occurs when developers copy the recommended configuration snippet `envPrefix: ['VITE_', 'TAURI_'],` into their vite.config.ts file without fully understanding the security implications. This particular configuration setting inadvertently exposes sensitive environment variables containing private keys and updater passwords to the bundled frontend application code, creating a significant security risk for applications that rely on Tauri's updater functionality. The vulnerability is classified under CWE-200 (Information Exposure) and aligns with ATT&CK technique T1552.001 (Credentials In Files) as it involves the improper exposure of sensitive credentials through configuration files.

The technical implementation of this vulnerability relies on how Vite processes environment variables during the build process. When the environment prefix includes both 'VITE_' and 'TAURI_', Vite's build system indiscriminately includes any environment variables matching these prefixes in the final application bundle. This behavior becomes particularly dangerous when developers use environment variables such as TAURI_PRIVATE_KEY and TAURI_KEY_PASSWORD to store sensitive cryptographic information required for application signing and updating. The resulting application binary contains these credentials in plaintext, making them accessible to anyone who can analyze the application's frontend code. This misconfiguration effectively transforms the secure private key storage mechanism into an exposed credential repository, as the build process does not distinguish between frontend-safe and sensitive backend credentials.

The operational impact of this vulnerability extends beyond simple credential exposure, as it compromises the entire application update mechanism and potentially the application's integrity. When attackers gain access to the private key through this exposure, they can forge application updates, potentially distributing malicious code that appears legitimate to end users. This undermines the trust model that Tauri's updater system is designed to maintain and can lead to supply chain attacks against users of affected applications. Additionally, the vulnerability affects applications that implement Tauri's automatic update features, where the exposed credentials could enable attackers to sign malicious updates that would be accepted by the application's verification system. The exposure of the key password specifically impacts the ability to properly secure the signing process and maintain cryptographic integrity.

Organizations and developers affected by this vulnerability must implement immediate remediation measures to protect their applications and users. The primary mitigation strategy involves modifying the environment prefix configuration to exclude 'TAURI_' from the list, effectively changing the configuration to `envPrefix: ['VITE_'],` or using a more restrictive prefix that does not include sensitive credential names. This change prevents the build process from including sensitive environment variables in the frontend bundle while maintaining the functionality of other environment variables. The recommended approach also includes rotating the affected private keys through the Tauri CLI using `tauri signer generate` to create new cryptographic material. Applications must then update their tauri.conf.json configuration to reference the new public key and ensure that the next application build is signed with the older private key to maintain compatibility with existing installations. This process requires careful coordination to avoid breaking existing update mechanisms and should be implemented with Tauri CLI version 1.5.5 or higher to ensure proper support for the updated signing procedures. The vulnerability demonstrates the critical importance of secure configuration management and the potential risks associated with documentation examples that may inadvertently introduce security flaws into production applications.

Responsible

GitHub, Inc.

Reservation

10/16/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00192

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!