Oculus Quest SideQuest App Fixed Critical Remote Code Execution Flaw

CVE: CVE-2024-21625
CVSS v3.1: 8.8
Source: CVE-2024-21625

The popular Oculus Quest app SideQuest, which allows users to access additional VR applications, fixed a serious vulnerability in a recent update.

Prior to version 0.10.35, the SideQuest desktop application did not properly sanitize deep links using a custom “sidequest://” protocol. This allowed a malicious actor to potentially execute arbitrary code on a user’s computer remotely with just a single click.

Deep links let an application open a specific page or trigger an action when a user clicks a URL. In this case, however, the links were not being filtered for dangerous code that could be run without the user’s permission.

An attacker could craft a link to exploit this and take control of the user’s PC if the user was connected to their Quest and visited a compromised website or clicked a malicious message while using SideQuest. This put Quest owners at risk of malware infection or sensitive data theft.

Thankfully, the developers were aware of this critical vulnerability and swiftly released an update to version 0.10.35. It now properly parses and sanitizes any deep links using the custom protocol to prevent malicious code from being executed.
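
The kind of strict deep-link parsing described above, as an added example that is not SideQuest's own code: the handler accepts only the `sidequest://` scheme, looks the action up in an allowlist, and validates the single parameter before anything acts on it. The action names (`open-app`, `install`), the `target` parameter and the host `cdn.example.invalid` are hypothetical.

```javascript
'use strict';
// Added example. Action names, the parameter schema and the pinned host are
// hypothetical; they are not SideQuest's real deep-link actions.
const ACTIONS = new Map([ // a Map, so names like "constructor" never match
  ['open-app', (v) => /^[a-z0-9][a-z0-9.-]{0,63}$/i.test(v)], // app id only
  ['install', (v) => {                       // https URL on one pinned host
    try {
      const u = new URL(v);
      return u.protocol === 'https:' && u.hostname === 'cdn.example.invalid' &&
             u.username === '' && u.password === '' && u.port === '';
    } catch { return false; }
  }],
]);

const reject = (reason) => ({ ok: false, reason });

function parseDeepLink(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return reject('bad-length');
  // Check before parsing: the URL parser silently strips tabs and newlines.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return reject('control-chars');
  let url;
  try { url = new URL(raw); } catch { return reject('unparseable'); }
  if (url.protocol !== 'sidequest:') return reject('wrong-scheme');
  if (url.username || url.password || url.port || url.hash) return reject('unexpected-component');
  if (url.pathname !== '' && url.pathname !== '/') return reject('unexpected-path');
  const validate = ACTIONS.get(url.hostname); // the action sits in the host position
  if (!validate) return reject('unknown-action');
  const keys = [...url.searchParams.keys()];
  if (keys.length !== 1 || keys[0] !== 'target') return reject('bad-parameters');
  const target = url.searchParams.get('target');
  if (!validate(target)) return reject('bad-parameter');
  // Return data only; the caller dispatches on `action` through fixed code
  // paths and never passes `target` to a shell, eval or a file path.
  return { ok: true, action: url.hostname, target };
}

// Constructed sample inputs, not taken from the advisory.
const SAMPLES = [
  'sidequest://open-app?target=com.example.game',
  'sidequest://install?target=https://cdn.example.invalid/a.apk',
  'sidequest://install?target=http://cdn.example.invalid/a.apk',
  'sidequest://constructor?target=x',
];
for (const s of SAMPLES) console.log(s, '->', JSON.stringify(parseDeepLink(s)));
```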

If you use the SideQuest app, be sure to update to the latest version immediately for protection. Also, for maximum security, exercise caution when clicking links or downloading files from untrusted sources while your Quest is connected. Staying on top of software updates is key to avoiding exploits of this nature.
