CVE-2023-49314
Description
Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Asana Desktop 2.1.0 for macOS is vulnerable to local code injection due to enabled Electron Fuses (RunAsNode, EnableNodeCliInspectArguments), allowing privilege escalation.
Vulnerability
Asana Desktop version 2.1.0 on macOS ships with Electron Fuses RunAsNode and EnableNodeCliInspectArguments enabled [1]. These fuses allow arbitrary code injection into the Electron process, as demonstrated by the r3ggi/electroniz3r tool [3]. The vulnerability exists because the application did not disable unnecessary Electron features that can be abused for code execution when an attacker already has local access.
Exploitation
An attacker with local access to the macOS system (e.g., physical access or prior remote code execution) can use the electroniz3r utility to inject arbitrary code into the Asana Desktop process [3]. The tool lists installed Electron apps and provides an inject subcommand to execute JavaScript or native code within the app's context. No additional authentication is required beyond the attacker's existing user-level shell access.
Impact
Successful code injection runs within the security context of the Asana Desktop app, inheriting all entitlements granted to it, such as Transparency, Consent, and Control (TCC) permissions (e.g., camera, microphone, files). This allows an attacker to escalate privileges from their current user level to the app's permissions, potentially accessing sensitive data or system resources [3]. According to the Electron team, this is not a remote vulnerability and requires prior local access [2].
Mitigation
To mitigate this vulnerability, application developers should disable the RunAsNode and EnableNodeCliInspectArguments fuses using the @electron/fuses package at build time [4]. Asana Desktop 2.1.0 users should update to a patched version that disables these fuses. As of the publication date, no updated version has been announced; users should restrict local access and monitor for updates.
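An added example (not code from Asana, Electron, or this page) of verifying the mitigation on a built binary: it parses the fuse wire embedded in an Electron binary and reports RunAsNode and EnableNodeCliInspectArguments unless they are explicitly disabled. The sentinel string, byte layout and fuse order are assumptions based on the version 1 fuse schema, and the sample buffers are constructed, not real Asana builds.

```javascript
// Assumed wire layout: SENTINEL | version byte | fuse count byte | one state byte per fuse.
const SENTINEL = Buffer.from('dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX', 'ascii');
const FUSE_NAMES = ['RunAsNode', 'EnableCookieEncryption',
  'EnableNodeOptionsEnvironmentVariable', 'EnableNodeCliInspectArguments',
  'EnableEmbeddedAsarIntegrityValidation', 'OnlyLoadAppFromAsar'];
const STATES = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };
// The two fuses this CVE names as the injection path.
const RISKY = ['RunAsNode', 'EnableNodeCliInspectArguments'];

// Returns one decoded wire per sentinel hit; a universal macOS binary
// carries one wire per architecture slice, so every hit is decoded.
function readFuseWires(binary) {
  const wires = [];
  for (let at = binary.indexOf(SENTINEL); at !== -1; at = binary.indexOf(SENTINEL, at + 1)) {
    const start = at + SENTINEL.length + 2;
    const count = binary[start - 1];
    if (count === undefined || start + count > binary.length) {
      throw new Error('truncated fuse wire');
    }
    const fuses = {};
    for (let i = 0; i < count; i++) {
      fuses[FUSE_NAMES[i] || `fuse#${i}`] = STATES[binary[start + i]] || 'unknown';
    }
    wires.push({ version: binary[start - 2], fuses });
  }
  if (wires.length === 0) throw new Error('fuse sentinel not found');
  return wires;
}

// Fails closed: a risky fuse is reported unless every slice marks it disabled or removed.
function auditFuses(binary) {
  const flagged = new Set();
  for (const { fuses } of readFuseWires(binary)) {
    for (const name of RISKY) {
      if (fuses[name] !== 'disabled' && fuses[name] !== 'removed') flagged.add(name);
    }
  }
  return [...flagged];
}

// Constructed sample: padding + sentinel + version 1 wire + padding.
function sample(states) {
  return Buffer.concat([Buffer.alloc(64, 0xcc), SENTINEL,
    Buffer.from([1, states.length]), Buffer.from(states, 'ascii'), Buffer.alloc(16)]);
}
const vulnerableSample = sample('101100'); // RunAsNode and inspect arguments enabled
const hardenedSample = sample('010011');   // both disabled

console.log('vulnerable sample:', auditFuses(vulnerableSample));
console.log('hardened sample:  ', auditFuses(hardenedSample));
```

For a real check, pass `auditFuses` the contents of the app's Electron binary and treat any non-empty result as a build that still needs its fuses flipped.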
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Asana/Asana Desktop
- Range: =2.1.0
Patches
No patches discovered yet.