10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
9.3%
A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.
The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments.
“The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API,” the Rust Security Response working group said in an advisory released on April 9, 2024.
“An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping.”
The flaw impacts all versions of Rust before 1.77.2. Security researcher RyotaK has been credited with discovering and reporting the bug to the CERT Coordination Center (CERT/CC).
RyotaK said the vulnerability – codenamed BatBadBut – impacts several programming languages and that it arises when the “programming language wraps the CreateProcess function [in Windows] and adds the escaping mechanism for the command arguments.”
The vulnerability, per CERT/CC, is the result of programming languages lacking adequate validation mechanisms when invoking commands within a Microsoft Windows environment, thereby permitting attackers to execute arbitrary code that’s disguised as arguments to the command.
“The complete impact of this vulnerability depends on the implementation that uses a vulnerable programming language or such a vulnerable module,” it added.
But in light of the fact that not every programming language has addressed the problem, developers are being recommended to exercise caution when executing commands on Windows.
“To prevent the unexpected execution of batch files, you should consider moving the batch files to a directory that is not included in the PATH environment variable,” RyotaK said in a word of advice to users.
“In this case, the batch files won’t be executed unless the full path is specified, so the unexpected execution of batch files can be prevented.”
Patches have also been released by maintainers of Haskell, Node.js, PHP, and yt-dlp to address the command injection bug -
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.9 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
9.3%