
Hiding Vulnerabilities in Source Code
2021-11-01 15:58

Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed.

We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic.

One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic.

We've verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages.

This potentially devastating attack is tracked as CVE-2021-42574, while a related attack that uses homoglyphs - visually similar characters - is tracked as CVE-2021-42694.

This work has been under embargo for a 99-day period, giving time for a major coordinated disclosure effort in which many compilers, interpreters, code editors, and repositories have implemented defenses.
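
A defensive check for the two issues described above, as an added example that is not from the researchers or the original post: it flags bidirectional control characters (CVE-2021-42574) and identifier-like tokens that mix scripts, a heuristic for the homoglyph case (CVE-2021-42694). The function names and the sample text are constructed for illustration, and the script test is an approximation based on Unicode character names.

```python
import re
import unicodedata

# Bidirectional formatting characters: embeddings, overrides, isolates
# and their terminators.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
IDENT = re.compile(r"[^\W\d]\w*")  # Unicode-aware identifier-like tokens


def scripts(token):
    """Approximate a token's scripts from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in token if ch.isalpha()}


def scan(source):
    """Return (line, column, kind, detail) findings for one source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi-control", BIDI_CONTROLS[ch]))
        for m in IDENT.finditer(line):
            found = scripts(m.group())
            if len(found) > 1:  # e.g. Latin letters mixed with a Cyrillic look-alike
                findings.append((lineno, m.start() + 1, "mixed-script",
                                 "+".join(sorted(found))))
    return findings


# Constructed sample: line 2 has an RLO ... PDF pair inside a comment,
# line 3 an identifier whose second letter is CYRILLIC SMALL LETTER A.
SAMPLE = (
    "level = 'user'\n"
    "x = 1  # note \u202eabc\u202c\n"
    "    s\u0430y_hello()\n"
)

if __name__ == "__main__":
    for lineno, col, kind, detail in scan(SAMPLE):
        print(f"line {lineno}, col {col}: {kind} ({detail})")
```

Mixed-script findings can be legitimate in code bases that use non-Latin identifiers, so treat them as items for review rather than as proof of tampering.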


News URL

https://www.schneier.com/blog/archives/2021/11/hiding-vulnerabilities-in-source-code.html

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-11-01 | CVE-2021-42694 | Unspecified vulnerability in Unicode. An issue was discovered in the character definitions of the Unicode Specification through 14.0. (network; high complexity; unicode) | 8.3 |
| 2021-11-01 | CVE-2021-42574 | Code Injection vulnerability in multiple products. An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. (network; high complexity; unicode, fedoraproject, starwindsoftware; CWE-94) | 8.3 |