Security News > 2024 > April > Critical Rust flaw enables Windows command injection attacks
Threat actors can exploit a security vulnerability in the Rust standard library to target Windows systems in command injection attacks.
Tracked as CVE-2024-24576, this flaw is due to OS command and argument injection weaknesses that can let attackers execute unexpected and potentially malicious commands on the operating system.
"The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files on Windows using the Command API," the Rust Security Response working group said.
All Rust versions before 1.77.2 on Windows are affected if a program's code or one of its dependencies invokes and executes batch files with untrusted arguments.
As a result, they had to improve the robustness of the escaping code and modify the Command API. If the Command API cannot safely escape an argument while spawning the process, it returns an InvalidInput error.
"If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw arg method to bypass the standard library's escaping logic," the Rust Security Response WG added.
News URL
Related news
- Cleo patches critical zero-day exploited in data theft attacks (source)
- New IOCONTROL malware used in critical infrastructure attacks (source)
- CISA confirms critical Cleo bug exploitation in ransomware attacks (source)
- Iran-linked crew used custom 'cyberweapon' in US critical infrastructure attacks (source)
- Windows kernel bug now exploited in attacks to gain SYSTEM privileges (source)
- CISA warns of critical Oracle, Mitel flaws exploited in attacks (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-04-09 | CVE-2024-24576 | Rust is a programming language. | 0.0 |