IT security researchers at Positive Security, Fabian Bräunlein and Lukas Euler, have identified multiple one-click vulnerabilities across various popular software applications that can let an attacker execute arbitrary code on targeted devices.
The researchers noted that desktop apps, particularly those that pass user-supplied URLs to the OS to be opened, are vulnerable to code execution with user interaction.
According to the researchers, code execution is achieved either when the URL redirects to a malicious executable, such as a .desktop, .exe, or .jar file that is “hosted on an internet-accessible file share (NFS, WebDAV, SMB, …)”, and that file is opened, or when another vulnerability in the opened app’s URL handler is exploited.
Which Applications are Vulnerable?
The vulnerabilities affect many popular apps, including VLC, Telegram, LibreOffice, Nextcloud, Bitcoin/Dogecoin Wallets, OpenOffice, Mumble, and Wireshark. The vulnerability stems from insufficient validation of URL input.
As a result, when the link is opened via the OS, a malicious file is executed automatically. According to the researchers, many applications failed to validate the URLs, which allows an attacker to send a specially crafted link that points to a piece of attack code and results in remote code execution.
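The missing validation described above can be sketched as a scheme allowlist applied before a link reaches the OS opener. This is an added example, not code from Positive Security or any of the affected projects; the function names, the http/https-only policy and the sample links are assumptions constructed for illustration.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: the application only ever needs to open web links.
ALLOWED_SCHEMES = {"http", "https"}


def _has_odd_chars(url):
    # Whitespace, control characters and backslashes are rejected up front so
    # the OS handler and this parser cannot disagree about what the URL is.
    return any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F or c == "\\"
               for c in url)


def is_safe_to_open(url):
    """True only for http(s) URLs that carry a host part."""
    if not isinstance(url, str) or not url or _has_odd_chars(url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unterminated IPv6 literal
        return False
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def open_link(url, opener=webbrowser.open):
    """Pass url to the OS opener only if it clears the allowlist."""
    if not is_safe_to_open(url):
        return False
    opener(url)
    return True


# Constructed sample inputs; hosts and paths are placeholders.
SAMPLES = [
    "https://example.com/docs",
    "HTTP://example.com/",
    "file:///tmp/launcher.desktop",
    "smb://files.example.net/share/tool.jar",
    "dav://files.example.net/share/tool.exe",
    "\\\\files.example.net\\share\\tool.exe",
    "https:///no-host",
    " https://example.com/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{'open ' if is_safe_to_open(s) else 'block'}  {s!r}")
```

An allowlist is used rather than a blocklist because the set of URL schemes registered with the OS is open-ended and differs from one machine to the next.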
Patches Released for the Affected Apps
Abiding by the responsible disclosure rules, most of the affected applications have been patched to resolve the issue. These include:
1 – Nextcloud – fixed in version 3.1.3 of the Desktop Client on February 24 (CVE-2021-22879)
2 – Telegram – fixed through a server-side change by February 10
3 – VLC Player – version 3.0.13 patch to be released next week
4 – OpenOffice – issue fixed in the 4.1.10 release (CVE-2021-30245)
5 – LibreOffice – Windows version is patched but Xubuntu is still vulnerable (CVE-2021-25631)
6 – Mumble – version 1.3.4 was patched and released on February 10 (CVE-2021-27229)
7 – Dogecoin – issue resolved in version 1.14.3, released on February 28
8 – Bitcoin ABC – issues fixed in version 0.22.15, released on March 9
9 – Bitcoin Cash – version 23.0.0 is patched and will be released soon
10 – Wireshark – version 3.4.4 was patched and released on March 10 (CVE-2021-22191)
11 – WinSCP – issue resolved in version 5.17.10, released on January 26 (CVE-2021-3331)
Proof of Concept and Technical Details
The researchers have published a detailed blog post along with technical details and videos that demonstrate how these vulnerabilities impact the aforementioned software apps.