usd-2023-0027 | Outdated Electron used by FileCloud Drive

Advisory ID: usd-2023-0027
Product: FileCloud Drive
Affected Version: Unknown
Vulnerability Type: CWE 1395 - Dependency on Vulnerable Third-Party Component
Security Risk: CRITICAL (see CVE-2022-29247)
Vendor URL: https://www.filecloud.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Unknown
CVE number: Not eligible

Affected Component

Dependency of FileCloud Drive

Description

Outdated dependencies may introduce security vulnerabilities in software and should be checked regularly for new releases.
FileCloud Drive uses an outdated version of electron for which known vulnerabilities exist.
Also, the release in use was published over a year ago, which may indicate that no process exists for checking for new versions of the dependencies used.

Proof of Concept

1) Download FileCloud Drive for Windows: https://www.filecloud.com/additional-downloads/
2) Install it
3) Go to the following path:
Local Disk (C:) > Users > pentester > AppData > Roaming > FileCloud Drive > data

4) Open "fcedc.log":

5) At the top of the file the version number of electron is documented: 13.6.9
The current version of electron is: v25.3.1
See: https://releases.electronjs.org/releases/stable
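The check described in the Description and carried out by hand in the steps above (read the Electron version from the top of the application log, compare it with the current stable release) can be automated. The following script is an added example and is not part of the original advisory or of FileCloud's own tooling; the log header it scans is a constructed sample, since the advisory does not reproduce the real fcedc.log format, and the reference version 25.3.1 is the one the advisory names as current.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the first lines of an Electron app log. The real
# fcedc.log layout is not shown in the advisory, so this header is an
# assumption used only to exercise the parser.
SAMPLE_LOG = """\
[2023-07-14 10:02:11] FileCloud Drive starting
[2023-07-14 10:02:11] electron: 13.6.9, node: 14.17.0, chrome: 91.0.4472.164
[2023-07-14 10:02:12] loading configuration
"""

# Electron version the advisory names as current at the time of writing.
CURRENT_ELECTRON = "25.3.1"

# Matches "electron" followed by a short non-digit separator and a semver triple.
VERSION_RE = re.compile(r"electron[^0-9]{0,10}v?(\d+\.\d+\.\d+)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable integer tuple."""
    major, minor, patch = (int(part) for part in text.split("."))
    return major, minor, patch


def find_electron_version(log_text: str, max_lines: int = 50) -> Optional[str]:
    """Scan only the top of the log, where the runtime banner is written."""
    for line in log_text.splitlines()[:max_lines]:
        match = VERSION_RE.search(line)
        if match:
            return match.group(1)
    return None


def assess(found: str, current: str) -> dict:
    """Compare the found version with the reference and report the gap."""
    found_v, current_v = parse_version(found), parse_version(current)
    return {
        "found": found,
        "current": current,
        "outdated": found_v < current_v,
        "majors_behind": max(current_v[0] - found_v[0], 0),
    }


def check_log(log_text: str, current: str = CURRENT_ELECTRON) -> dict:
    """Full check: locate the version in the log and assess it."""
    found = find_electron_version(log_text)
    if found is None:
        return {"found": None, "current": current, "outdated": None, "majors_behind": None}
    return assess(found, current)


if __name__ == "__main__":
    # For a real install, read the log from the AppData path named in the advisory.
    print(check_log(SAMPLE_LOG))
```

In practice the reference version should be fetched from the Electron releases feed rather than hard-coded, and the check run on a schedule so that a major-version gap like the twelve releases found here is noticed long before a year passes.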

Fix

Update Electron to the current version

References

Timeline

  • 2023-07-14: Vulnerability identified by Merten Nagel
  • 2023-07-27 until 2023-08-07: Sent initial contact requests via support@filecloud.com and submitted vulnerability details via soc@filecloud.com
  • 2023-09-07 until 2023-10-22: Sent numerous update requests to support@filecloud.com and soc@filecloud.com, all left unanswered
  • 2023-11-22: Sent another update request and final deadline to the above email addresses.
  • 2024-02-01: This advisory is published.

Credits

This security vulnerability was identified by Merten Nagel of usd AG.