PT-2018-10309 · Signal · Open Whisper Signal+2

Alfredo +11 · Published 2018-05-17 · Updated 2018-06-19 · CVE-2018-11101

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Open Whisper Signal (aka Signal-Desktop) versions through 1.10.1

Description

The issue allows for cross-site scripting (XSS) via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply. An attacker can send HTML code directly as a message and then reply to that message to trigger this issue. The software fails to sanitize specific HTML elements that can be used to inject HTML code into remote chat windows when replying to an HTML message. Specifically, the IMG and IFRAME elements can be used to include remote or local resources. For example, the use of an IFRAME element enables full code execution, allowing an attacker to download/upload files, information, etc. The SCRIPT element was also found to be injectable. On the Windows operating system, the Content Security Policy (CSP) fails to prevent remote inclusion of resources via the SMB protocol. This can be achieved by referencing a script on an SMB share within an IFRAME element, such as "src=\\DESKTOP-XXXXX\Temp\test.html", and then replying to it, resulting in automatic execution of the included JavaScript code without any user interaction.

Recommendations

For Open Whisper Signal (aka Signal-Desktop) versions through 1.10.1, update to a version later than 1.10.1 to resolve the issue. As a temporary workaround, consider disabling the use of IFRAME, IMG, and SCRIPT elements in messages until a patch is available. Restrict access to SMB shares to minimize the risk of exploitation via the SMB protocol. Avoid using the src attribute in IFRAME elements to reference remote resources until the issue is resolved.
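
The root cause in the description is message text reaching the quoted-reply markup without encoding. The added example below (not Signal-Desktop's code and not part of this advisory) contrasts that with output encoding, assuming a renderer that builds the quote as an HTML string; the function names, the template and the sample messages are hypothetical.

```javascript
// Added illustration. renderQuoteUnsafe / renderQuoteSafe are hypothetical
// names, not Signal-Desktop functions; the quote template is an assumption.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value, or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the quoted message body is spliced into markup as-is, so any
// element the sender typed becomes part of the recipient's DOM on reply.
function renderQuoteUnsafe(author, body) {
  return `<div class="quote"><span class="author">${author}</span>` +
         `<p class="text">${body}</p></div>`;
}

// "After": both untrusted fields are encoded for the HTML text context.
function renderQuoteSafe(author, body) {
  return `<div class="quote"><span class="author">${escapeHtml(author)}</span>` +
         `<p class="text">${escapeHtml(body)}</p></div>`;
}

// Regression check: element names present in the rendered output that the
// template itself never emits. An empty result means nothing was injected.
function unexpectedElements(html, allowed = ['div', 'span', 'p']) {
  const found = new Set();
  for (const m of html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) found.add(name);
  }
  return [...found].sort();
}

// Constructed sample messages using the three elements the advisory names.
// The src values are placeholders, not working resources.
const SAMPLES = [
  '<img src="PLACEHOLDER">',
  '<iframe src="PLACEHOLDER"></iframe>',
  '<script src="PLACEHOLDER"></script>',
];

for (const body of SAMPLES) {
  console.log(unexpectedElements(renderQuoteUnsafe('alice', body)),
              unexpectedElements(renderQuoteSafe('alice', body)));
}
```

A check like `unexpectedElements` fits a unit test over the reply view, so the quote path is covered as well as the normal message path.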

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-11101

Affected Products

Open Whisper Signal
Esignal
Signal Desktop