A critical vulnerability has been identified in the programming language Rust, potentially allowing attackers to execute malicious commands on Windows machines. The Rust team quickly released version 1.77.2 to address the vulnerability, although it affects more languages than just Rust.
The vulnerability has been assigned CVE-2024-24576 and received the maximum CVSS severity score of 10. Pietro Albini from the Rust Security Response Working Group explained that the vulnerability lies in the Rust standard library’s improper handling of arguments when running batch files on Windows through the Command API. The Register writes that this flaw allows attackers to execute arbitrary shell commands by bypassing the escaping mechanism.
New version 1.77.2 quickly released
The complexity of Windows’ CMD.exe program, which has distinct parsing rules, exacerbates the issue. Albini highlighted the differences in argument-splitting logic between Windows’ Command Prompt and other platforms, necessitating a more intricate solution. The Rust team published a blog written by Albini detailing the vulnerability.
Rust promptly released version 1.77.2 to address the vulnerability, emphasizing the importance of updating as earlier versions remain susceptible. A Rust contributor, Chris Denton, developed the fix, improving the escaping code and ensuring that the Command API properly handles invalid inputs. However, due to the intricacies of Command Prompt, a comprehensive solution for all cases proves elusive.
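One defensive check an application can apply on its own side, independent of the standard library patch, is to refuse untrusted arguments that contain characters cmd.exe parses specially rather than attempting to escape them. The following is an added example, not the Rust project's fix and not code from the blog post; the names `validate_bat_arg`, `is_batch_script` and `bat_command` are chosen here, and the deny-list is deliberately conservative.

```rust
use std::io;
use std::path::Path;
use std::process::Command;

/// Characters cmd.exe treats specially on a batch-file command line.
/// Conservative deny-list chosen for this example (not the std library's logic);
/// '!' is only special with delayed expansion but is refused anyway.
const CMD_METACHARS: &[char] = &['"', '%', '&', '|', '<', '>', '^', '!', '\r', '\n'];

/// Reject any argument that could break out of its quoting when the target is
/// a .bat/.cmd script. Returns the argument unchanged when it is acceptable.
pub fn validate_bat_arg(arg: &str) -> io::Result<&str> {
    if let Some(c) = arg.chars().find(|c| CMD_METACHARS.contains(c)) {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("batch argument contains cmd.exe metacharacter {:?}", c),
        ));
    }
    Ok(arg)
}

/// True when the program would be run by cmd.exe rather than executed directly.
pub fn is_batch_script(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

/// Build a Command, applying the extra validation only when cmd.exe is involved.
/// The command is constructed but not spawned here.
pub fn bat_command(program: &str, args: &[&str]) -> io::Result<Command> {
    let mut cmd = Command::new(program);
    for a in args {
        if is_batch_script(program) {
            cmd.arg(validate_bat_arg(a)?);
        } else {
            cmd.arg(a);
        }
    }
    Ok(cmd)
}

fn main() {
    // Constructed sample input: an "argument" that smuggles a second command.
    match bat_command("build.bat", &["release", "x\" & echo injected"]) {
        Ok(_) => println!("accepted"),
        Err(e) => println!("rejected: {}", e),
    }
}
```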
Vulnerability extends beyond Rust
Dubbed “BatBadBut” by researcher RyotaK, a name referencing batch files and the bug’s severity, the vulnerability extends beyond Rust to other technologies such as Erlang, Go, Python, and Ruby. Node.js and PHP are developing patches, while Rust and Haskell have already implemented fixes. However, Java remains impacted, with no immediate plans for mitigation.
RyotaK cautioned against solely relying on the CVSS rating to assess the severity, as its impact varies depending on individual applications. Programmers should update their Rust installations promptly and remain vigilant against potential security threats.