Urgent Update: Critical Rust Vulnerability Affects Windows Command Execution
Charles M. Walls | April 10, 2024
A serious security vulnerability identified in the Rust standard library poses a significant threat to Windows users by allowing for potential command injection attacks.
This flaw, cataloged under the identifier CVE-2024-24576, has been assigned the highest possible criticality rating with a CVSS score of 10.0. It specifically affects situations in which batch files are executed on Windows platforms using untrusted inputs.
The advisory issued by the Rust Security Response working group on April 9, 2024, explains the issue: "When batch files (.bat and .cmd) are launched on Windows through the Command API, the Rust standard library fails to properly sanitize the arguments, which could let an attacker manipulate these inputs to run unauthorized shell commands."
This security gap affects all versions of Rust prior to 1.77.2. The vulnerability, known as BatBadBut, was discovered and reported by the cybersecurity researcher RyotaK to the CERT Coordination Center (CERT/CC).
RyotaK highlighted that this vulnerability is not unique to Rust but also affects multiple programming languages that use a similar method for invoking the Windows CreateProcess function, where the command arguments are escaped.
He advises developers to be vigilant due to the uneven adoption of security measures across different programming environments. As a precaution, RyotaK recommends relocating batch files to directories not listed in the PATH environment variable. By doing so, batch files can only be executed when their full path is specified, reducing the risk of unintended command execution.
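To make the two precautions above concrete, here is an added pre-flight check (example code written for this article, not part of the Rust standard library or RyotaK's own tooling) that an application can run before handing a batch file and untrusted arguments to `Command`: it refuses bare `.bat`/`.cmd` names that would be resolved through PATH, and rejects arguments containing characters cmd.exe interprets. The metacharacter list, the `BatchRisk` type and the function names are assumptions chosen for illustration; the real fix remains upgrading to Rust 1.77.2, which makes the standard library escape these arguments itself.

```rust
/// Characters cmd.exe treats specially while running a .bat/.cmd script
/// (separators, pipes, redirects, escape, variable expansion, quoting).
/// Assumed allowlist boundary for this example, not a full cmd.exe grammar.
const CMD_METACHARS: &[char] = &['&', '|', '<', '>', '^', '%', '!', '"', '(', ')'];

#[derive(Debug, PartialEq, Eq)]
pub enum BatchRisk {
    /// Script has no drive-letter or UNC root, so CreateProcess would search PATH.
    RelativeBatchPath,
    /// An argument contains a character cmd.exe would interpret.
    UnsafeArgument { index: usize, ch: char },
}

/// True when the program name looks like a Windows batch script.
pub fn is_batch_file(program: &str) -> bool {
    let lower = program.to_ascii_lowercase();
    lower.ends_with(".bat") || lower.ends_with(".cmd")
}

/// True for `C:\...`, `c:/...` or `\\server\share\...`; anything else is PATH-searched.
pub fn is_absolute_windows_path(program: &str) -> bool {
    let b = program.as_bytes();
    let drive = b.len() >= 3 && b[0].is_ascii_alphabetic() && b[1] == b':'
        && (b[2] == b'\\' || b[2] == b'/');
    let unc = program.starts_with("\\\\") || program.starts_with("//");
    drive || unc
}

/// Pre-flight check before spawning `program` with `args` through `Command`.
/// Non-batch programs pass through; batch files must be fully qualified and
/// their arguments must be free of cmd.exe metacharacters and line breaks.
pub fn check_batch_invocation(program: &str, args: &[&str]) -> Result<(), BatchRisk> {
    if !is_batch_file(program) {
        return Ok(());
    }
    if !is_absolute_windows_path(program) {
        return Err(BatchRisk::RelativeBatchPath);
    }
    for (index, arg) in args.iter().enumerate() {
        let bad = |c: &char| CMD_METACHARS.contains(c) || *c == '\r' || *c == '\n';
        if let Some(ch) = arg.chars().find(bad) {
            return Err(BatchRisk::UnsafeArgument { index, ch });
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample invocations: fully qualified, PATH-resolved, and metacharacter-bearing.
    let cases = [("C:\\tools\\build.bat", vec!["release"]), ("build.bat", vec!["release"]),
        ("C:\\tools\\build.bat", vec!["a|b"])];
    for (prog, args) in cases {
        println!("{prog} {args:?} -> {:?}", check_batch_invocation(prog, &args));
    }
}
```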
Such proactive security practices are essential in safeguarding systems against potential exploits, especially when a universal solution across programming languages is yet to be implemented.