
Critical Rust flaw enables Windows command injection attacks
2024-04-09 20:20

Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks.

Tracked as CVE-2024-24576, the flaw is an OS command and argument injection weakness: on Windows, batch files are run through cmd.exe, and an argument that is not escaped to cmd.exe's rules can let an attacker execute unexpected and potentially malicious commands on the operating system.

"The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files on Windows using the Command API," the Rust Security Response working group said.

All Rust versions before 1.77.2 on Windows are affected if a program's code or one of its dependencies invokes and executes batch files with untrusted arguments.

As a result, the Rust maintainers improved the robustness of the escaping code and changed the behaviour of the Command API in Rust 1.77.2: if the Command API cannot safely escape an argument while spawning the process, it now returns an InvalidInput error instead of spawning with a best-effort escape.

"If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw_arg method to bypass the standard library's escaping logic," the Rust Security Response WG added.
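The following is an added example, not code from the article or from the Rust project. It shows how an application can apply the same policy the 1.77.2 fix adopted (refuse to spawn, with an InvalidInput error, rather than hand cmd.exe an argument it might reinterpret) and where CommandExt::raw_arg fits when the caller has already escaped trusted input. The function names, the batch file name build.bat and the sample inputs are assumptions; the validation runs on any OS, and only the spawning helpers are Windows-only.

```rust
// Added example (not from the article or the Rust standard library): a
// defensive wrapper around std::process::Command for invoking batch files
// with untrusted arguments. `validate_bat_arg`, `batch_command`,
// `run_batch_file`, `run_batch_file_trusted`, "build.bat" and the sample
// inputs in main() are all assumptions made for illustration.
use std::io;
use std::process::Command;

/// Characters that cmd.exe may treat specially even inside double quotes:
/// `%` (and `!` when delayed expansion is on) trigger variable expansion,
/// `"` can end a quoted span, `^` is cmd's escape character, `&|<>` chain
/// or redirect commands once quoting is broken, and CR/LF/NUL can truncate
/// or split the command line. Rejecting them is stricter than std's
/// escaping, which is the point: an untrusted argument should never need them.
const CMD_METACHARS: &[char] = &['"', '%', '!', '^', '&', '|', '<', '>', '\r', '\n', '\0'];

/// Accept an argument only if it contains no cmd.exe metacharacter.
/// Failures use ErrorKind::InvalidInput, the same kind std (>= 1.77.2)
/// returns when it cannot escape a batch-file argument itself.
pub fn validate_bat_arg(arg: &str) -> io::Result<&str> {
    match arg.chars().find(|c| CMD_METACHARS.contains(c)) {
        Some(c) => Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("argument contains cmd.exe metacharacter {c:?}: {arg:?}"),
        )),
        None => Ok(arg),
    }
}

/// Build (but do not run) the Command, so the wiring can be exercised on any OS.
/// Every argument goes through `validate_bat_arg` before reaching `Command::arg`,
/// which on Windows still applies std's own escaping on top.
pub fn batch_command(script: &str, args: &[&str]) -> io::Result<Command> {
    let mut cmd = Command::new(script);
    for a in args {
        cmd.arg(validate_bat_arg(a)?);
    }
    Ok(cmd)
}

/// Windows only: run the batch file. Both this wrapper's validation errors and
/// std's escaping errors surface as ErrorKind::InvalidInput, so one match arm
/// covers "refused to spawn".
#[cfg(windows)]
pub fn run_batch_file(script: &str, args: &[&str]) -> io::Result<std::process::Output> {
    batch_command(script, args)?.output()
}

/// Windows only: the escape hatch the advisory mentions. `raw_arg` appends the
/// text to the command line verbatim, with no escaping at all, so `raw_args`
/// must be trusted or already escaped by the caller.
#[cfg(windows)]
pub fn run_batch_file_trusted(script: &str, raw_args: &str) -> io::Result<std::process::Output> {
    use std::os::windows::process::CommandExt;
    Command::new(script).raw_arg(raw_args).output()
}

fn main() {
    // Constructed sample inputs: a benign file name, a quote-breaking
    // injection attempt, and a variable reference cmd.exe would expand.
    let inputs = ["report-2024.txt", "x\" & calc.exe & echo \"", "%PATH%"];
    for input in inputs {
        match batch_command("build.bat", &[input]) {
            Ok(cmd) => println!("would spawn: {:?}", cmd),
            Err(e) if e.kind() == io::ErrorKind::InvalidInput => println!("refused: {e}"),
            Err(e) => println!("error: {e}"),
        }
    }
}
```

The allowlist approach deliberately rejects more than std's escaper would: for a file name or identifier supplied by a user there is no legitimate reason to contain `%`, `"` or `&`, and refusing early gives a clear error instead of depending on the exact cmd.exe quoting rules. Keep `run_batch_file_trusted` for input your own code produced, never for request data.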


News URL

https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE              RISK
2024-04-09  CVE-2024-24576  Rust is a programming language.  0.0