Security News > 2021 > October > Squirrel Bug Lets Attackers Execute Code in Games, Cloud Services
An out-of-bounds read vulnerability in the Squirrel programming language lets attackers break out of sandbox restrictions and execute arbitrary code within a Squirrel virtual machine, thus giving a malicious actor complete access to the underlying machine.
Given where Squirrel lives - in games and embedded in the internet of things - the bug potentially endangers the millions of monthly gamers who play video games such as Counter-Strike: Global Offensive and Portal 2, as well as cloud services such as the Twilio Electric Imp IoT platform, with its ready-to-use open-source code library.
Squirrel is an open-source, object-oriented programming language used by video games and cloud services for customization and plugin development.
Both of the games mentioned above use the Squirrel Engine game library to enable anyone to create custom game modes and maps.
Tracked as CVE-2021-41556, the Squirrel out-of-bounds read vulnerability can be exploited when a Squirrel Engine is used to execute untrusted code, as it is with Twilio Electric Imp or certain video games.
In that writeup, vulnerability researchers Simon Scannell and Niklas Breitfeld suggested a real-world scenario in which an attacker could embed a malicious Squirrel script into a community map and distribute it via the trusted Steam Workshop: a mod repository for Steam Games that lets creators upload their mods for a massive built-in audience while providing regular players with an easy way to obtain mods.
News URL
https://threatpost.com/squirrel-attackers-execute-code-games-cloud-services/175586/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-28 | CVE-2021-41556 | Out-of-bounds Read vulnerability in multiple products sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. | 10.0 |